Increase allowed BOM size for uploads #3182
Comments
|
Hit by the same bug here. As a workaround, we are now running the |
|
@nscuro running into the same issue in at least one project now which can't upload BOMs anymore. Can we put this in a bugfix release possibly? |
|
The problem here is that, when submitting the BOM in a single JSON request like this: {
"projectName": "acme-app",
"projectVersion": "1.0.0",
"bom": "<base64EncodedBom>"
}the protection mechanism of Jackson kicks in. Some BOMs are huge, so even if we raise the limit, it will not solve the issue completely. @rkg-mm Is it possible for you to adjust the upload request? There is another method that utilizes |
nscuro
added
p2
|
@nscuro for the moment I found a quick fix by filtering unnecessary html code contained in some licenses that were automatically loaded from URLs into the BOM file, so for now I should be below the limit in all projects from what I know. However, this will surely be an issue at some point again edit: but yes we could probably adjust our scripts to use the other endpoint, thanks for the hint |
|
I modified my code to use If I want to upload 2 SBOMs to the same D-T Project, using |
|
@esnible DT only supports 1 SBOM per project+version, you can merge them upfront and upload them as 1 SBOM. |
…n's character limit Also document the limitation in the OpenAPI spec of the respective `PUT` methods that accept JSON payloads. Fixes DependencyTrack#3182 Signed-off-by: nscuro <[email protected]>
|
Given there is already the At the stage where the exception is thrown, we're already in a place where parsing and base64 decoding the offending value is causing unnecessary overhead and memory pressure anyway. The base64 encoding bloats the original BOM size, which negatively affects both the client, as well as the server with such large values. So instead, I added an exception mapper that provides explicit hints when the condition is triggered for the |
…n's character limit Also document the limitation in the OpenAPI spec of the respective `PUT` methods that accept JSON payloads. Fixes DependencyTrack#3182 Signed-off-by: nscuro <[email protected]>
…n's character limit Also document the limitation in the OpenAPI spec of the respective `PUT` methods that accept JSON payloads. Fixes DependencyTrack#3182 Signed-off-by: nscuro <[email protected]>
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Current Behavior
When I upload a large sbom file using the PUT /v1/bom
I get a 400 error with a message like:
String length (20051112) exceeds the maximum length (20000000) (through reference chain: org.dependencytrack.resources.v1.vo.BomSubmitRequest[\"bom\"]) (status: 400)It appears this began in DependencyTrack 4.9.x
I have traced this to jackson-core's
com.fasterxml.jackson.core.StreamReadContraintsFasterXML/jackson-core#1014
They have a mechanism here to change the limit.
Please set it to a more reasonable default and/or provide a way to modify the limit via configuration.
Steps to Reproduce
Expected Behavior
BOM should upload
Dependency-Track Version
4.9.1
Dependency-Track Distribution
Executable WAR
Database Server
N/A
Database Server Version
N/A
Browser
Google Chrome
Checklist
The text was updated successfully, but these errors were encountered: