Merge pull request #3801 from nscuro/issue-3798

Fix `JDODataStoreException` for unresolved licenses during BOM upload processing

Author: nscuro

docs/_posts/2024-06-03-v4.11.3.md

@@ -0,0 +1,43 @@
+---
+title: v4.11.3
+type: patch
+---
+
+**Fixes:**
+
+* Fix `JDODataStoreException` for unresolved licenses during BOM upload processing - [apiserver/#3801]
+
+For a complete list of changes, refer to the respective GitHub milestones:
+
+* [API server milestone 4.11.3](https://github.com/DependencyTrack/dependency-track/milestone/40?closed=1)
+* [Frontend milestone 4.11.3](https://github.com/DependencyTrack/frontend/milestone/25?closed=1)
+
+We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
+
+###### dependency-track-apiserver.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     |          |
+| SHA-256   |          |
+
+###### dependency-track-bundled.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     |          |
+| SHA-256   |          |
+
+###### frontend-dist.zip
+
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | dc7859636f1bf7a3772dc0e8de27535031511a4c                         |
+| SHA-256   | 88684d3bbd0aa2ff300ae419653f85957deaf00d9ca615a747386997b3f0e154 |
+
+###### Software Bill of Materials (SBOM)
+
+* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.11.3/bom.json)
+* Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.11.3/bom.json)
+
+[apiserver/#3801]: https://github.com/DependencyTrack/dependency-track/pull/3801

pom.xml

@@ -81,7 +81,7 @@
 
     <properties>
         <!-- Dependency Versions -->
-        <frontend.version>4.11.2</frontend.version>
+        <frontend.version>4.11.3</frontend.version>
         <lib.alpine.version>${project.parent.version}</lib.alpine.version>
         <lib.awaitility.version>4.2.1</lib.awaitility.version>
         <lib.brotli-decoder.version>0.1.2</lib.brotli-decoder.version>

src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java

@@ -563,14 +563,14 @@ public static Component convert(final QueryManager qm, final org.cyclonedx.model
                 if (cycloneLicense != null) {
                     if (StringUtils.isNotBlank(cycloneLicense.getId())) {
                         final License license = qm.getLicenseByIdOrName(StringUtils.trimToNull(cycloneLicense.getId()));
-                        if (license != null) {
+                        if (license != License.UNRESOLVED) {
                             component.setResolvedLicense(license);
                         }
                     }
                     else if (StringUtils.isNotBlank(cycloneLicense.getName()))
                     {
                         final License license = qm.getLicenseByIdOrName(StringUtils.trimToNull(cycloneLicense.getName()));
-                        if (license != null) {
+                        if (license != License.UNRESOLVED) {
                             component.setResolvedLicense(license);
                         } else {
                             final License customLicense = qm.getCustomLicense(StringUtils.trimToNull(cycloneLicense.getName()));

src/test/java/org/dependencytrack/tasks/BomUploadProcessingTaskTest.java

@@ -1089,6 +1089,41 @@ public void informWithLicenseResolutionByNameTest() {
         });
     }
 
+    @Test
+    public void informWithUnresolvedLicenseByNameTest() {
+        final var project = new Project();
+        project.setName("acme-license-app");
+        qm.persist(project);
+
+        final byte[] bomBytes = """
+                {
+                  "bomFormat": "CycloneDX",
+                  "specVersion": "1.4",
+                  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b80",
+                  "version": 1,
+                  "components": [
+                    {
+                      "type": "library",
+                      "name": "acme-lib-x",
+                      "licenses": [
+                        {
+                          "license": {
+                            "name": "MIT License"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                }
+                """.getBytes(StandardCharsets.UTF_8);
+
+        final var bomUploadEvent = new BomUploadEvent(qm.detach(Project.class, project.getId()), bomBytes);
+        new BomUploadProcessingTaskV2().inform(bomUploadEvent);
+        awaitBomProcessedNotification(bomUploadEvent);
+
+        assertThat(qm.getAllComponents(project)).satisfiesExactly(component -> assertThat(component.getResolvedLicense()).isNull());
+    }
+
     @Test // https://github.com/DependencyTrack/dependency-track/issues/1905
     public void informIssue1905Test() throws Exception {
         // Known to now work with old task implementation.