Dependency-Track hook ignores CycloneDX SBOM after secureCodeBox v5.0.0 upgrade · Issue #3272 · secureCodeBox/secureCodeBox · GitHub

@YuriiBudnyi

Description

🐞 Bug report

Describe the bug

After upgrading to secureCodeBox 5.0.0, the persistence-dependencytrack hook is skipping uploads with the message:

Only CycloneDX SBOMs can be sent to DependencyTrack, ignoring.

This occurs even though the Trivy SBOM scan produced a valid CycloneDX 1.6 SBOM, was uploaded to file storage, and the parser completed successfully. As a result, the Dependency-Track project’s Last BOM Import timestamp is not updated.

Expected behavior

The DT hook should detect the CycloneDX SBOM and POST it to Dependency-Track.

The project’s Last BOM Import should update to the current run.

System (please complete the following information):

  • secureCodeBox 5.0.0
  • Kubernetes Version 1.32
  • dependency-track/dependency-track Chart 0.36.0 Version 4.13.4

Screenshots / Logs

Trivy SBOM scan & parser:

2025-09-09 10:04:35.081  2025-09-09T08:04:35Z INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-09-09 10:04:35.274  2025/09/09 08:04:35 Starting lurker
2025-09-09 10:04:35.274  2025/09/09 08:04:35 Waiting for main container 'trivy-sbom' to complete
2025-09-09 10:04:35.274  2025/09/09 08:04:35 After scan is completed file '/home/securecodebox/sbom-cyclonedx.json' will be uploaded to '...s3.amazonaws.com'
2025-09-09 10:04:35.275  2025/09/09 08:04:35 Waiting for maincontainer to exit.
2025-09-09 10:04:39.869  2025-09-09T08:04:39Z INFO [javadb] Downloading Java DB...
2025-09-09 10:04:39.870  2025-09-09T08:04:39Z INFO [javadb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-java-db:1"
2025-09-09 10:05:32.887  2025-09-09T08:05:32Z INFO [javadb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-java-db:1"
2025-09-09 10:05:32.906  2025-09-09T08:05:32Z INFO [javadb] Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
2025-09-09 10:05:33.099  2025-09-09T08:05:33Z INFO Detected OS family="alpine" version="3.22.1"
2025-09-09 10:05:33.099  2025-09-09T08:05:33Z INFO Number of language-specific files num=3
2025-09-09 10:05:33.121
2025-09-09 10:05:33.121  📣 Notices:
2025-09-09 10:05:33.121  - Version 0.66.0 of Trivy is now available, current version is 0.65.0
2025-09-09 10:05:33.121
2025-09-09 10:05:33.121  To suppress version checks, run Trivy scans with the --skip-version-check flag
2025-09-09 10:05:33.121
2025-09-09 10:05:38.016  2025/09/09 08:05:38 Main Container exited. Lurker will end as well.
2025-09-09 10:05:38.016  2025/09/09 08:05:38 Uploading result files.
2025-09-09 10:05:38.016  2025/09/09 08:05:38 Uploading /home/securecodebox/sbom-cyclonedx.json
2025-09-09 10:05:38.016  2025/09/09 08:05:38 Scan result file has a size of 299188 bytes
2025-09-09 10:05:38.242  2025/09/09 08:05:38 Uploaded file successfully
2025-09-09 10:05:44.173  Starting Parser
2025-09-09 10:05:44.396  (node:1) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2025-09-09 10:05:44.396  (Use `node --trace-deprecation ...` to show where the warning was created)
2025-09-09 10:05:44.493  Fetching result file
2025-09-09 10:05:44.674  Fetched result file
2025-09-09 10:05:44.675  Transformed raw result file into 1 findings
2025-09-09 10:05:44.675  Adding UUIDs and Dates to the findings
2025-09-09 10:05:44.676  Adding scan metadata to the findings
2025-09-09 10:05:44.677  Validating Findings. Environment variable CRASH_ON_FAILED_VALIDATION is set to false
2025-09-09 10:05:44.882  The Findings were successfully validated
2025-09-09 10:05:44.917  Updated status successfully
2025-09-09 10:05:44.917  Uploading results to the file storage service
2025-09-09 10:05:44.963  Completed parser

Dependency-Track hook

2025-09-09 10:05:49.175  Starting hook for Scan "service-example-sbom"
2025-09-09 10:05:49.380  (node:1) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2025-09-09 10:05:49.380  (Use `node --trace-deprecation ...` to show where the warning was created)
2025-09-09 10:05:49.569  Fetched raw result file contents from the file storage
2025-09-09 10:05:49.583  Only CycloneDX SBOMs can be sent to DependencyTrack, ignoring.
2025-09-09 10:05:49.583  Hook completed
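The check the report expects the hook to perform (recognize a CycloneDX SBOM in the fetched raw result and hand it to Dependency-Track), written out as an added JavaScript example. This is not the secureCodeBox persistence-dependencytrack hook's own code and does not claim to reproduce why that hook skipped the upload. It assumes the raw result file may arrive either as a JSON string or as an already-parsed object, and that Dependency-Track accepts a BOM through PUT /api/v1/bom with a base64-encoded "bom" field bound to an existing project UUID; the sample SBOM, the non-SBOM Trivy result, the server URL, API key and project UUID are constructed for the example.

```javascript
// Added example (not the secureCodeBox hook's code): decide whether a raw
// scan result is a CycloneDX SBOM and build the Dependency-Track upload.
// Assumptions (not from the issue): the result may be a JSON string or a
// parsed object; Dependency-Track's PUT /api/v1/bom takes {project, bom}
// with the BOM base64-encoded.

// Constructed sample: a minimal CycloneDX 1.6 JSON SBOM as a string, the
// form a fetched file body has before anyone calls JSON.parse on it.
const SAMPLE_CYCLONEDX_RAW = JSON.stringify({
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  version: 1,
  metadata: { component: { type: "container", name: "service-example" } },
  components: [
    {
      type: "library",
      name: "alpine-baselayout",
      version: "3.6.8-r1",
      purl: "pkg:apk/alpine/alpine-baselayout@3.6.8-r1",
    },
  ],
});

// Constructed sample: a Trivy vulnerability report, which is valid JSON
// but not an SBOM and must be refused.
const SAMPLE_TRIVY_VULN_RAW = JSON.stringify({ SchemaVersion: 2, Results: [] });

// Parse the raw result if it is a string; pass objects through; anything
// else (unparseable text, null, a number) becomes null.
function toObject(raw) {
  if (typeof raw === "string") {
    try {
      return JSON.parse(raw);
    } catch {
      return null;
    }
  }
  return raw && typeof raw === "object" ? raw : null;
}

// A result counts as CycloneDX only when it carries the JSON "bomFormat"
// marker. The reason string is what a hook should log instead of a bare
// "ignoring", so the operator can see which test failed.
function classifyResult(raw) {
  const obj = toObject(raw);
  if (obj === null) {
    return { isCycloneDx: false, specVersion: null, reason: "not a JSON object" };
  }
  if (obj.bomFormat !== "CycloneDX") {
    return { isCycloneDx: false, specVersion: null, reason: "bomFormat is not CycloneDX" };
  }
  return { isCycloneDx: true, specVersion: String(obj.specVersion ?? ""), reason: "ok" };
}

// Number of components in the SBOM, for a sanity check against the
// component count Dependency-Track shows after the import.
function componentCount(raw) {
  const obj = toObject(raw);
  return obj && Array.isArray(obj.components) ? obj.components.length : 0;
}

// Build the request the hook would send. The BOM is serialized as JSON
// and base64-encoded inside the JSON body, as the PUT variant expects.
function buildBomUpload(dtBaseUrl, apiKey, projectUuid, raw) {
  const c = classifyResult(raw);
  if (!c.isCycloneDx) throw new Error(`refusing upload: ${c.reason}`);
  const bomJson = typeof raw === "string" ? raw : JSON.stringify(raw);
  return {
    method: "PUT",
    url: `${dtBaseUrl.replace(/\/$/, "")}/api/v1/bom`,
    headers: { "X-Api-Key": apiKey, "Content-Type": "application/json" },
    body: JSON.stringify({
      project: projectUuid,
      bom: Buffer.from(bomJson, "utf8").toString("base64"),
    }),
  };
}

// Stand-alone run: classify both samples and print the request that
// would go out for the SBOM (constructed URL, key and project UUID).
for (const [label, raw] of [["sbom", SAMPLE_CYCLONEDX_RAW], ["vuln", SAMPLE_TRIVY_VULN_RAW]]) {
  console.log(label, classifyResult(raw), "components:", componentCount(raw));
}
const demoReq = buildBomUpload(
  "https://dt.example.internal/",
  "odt_example_key",
  "11111111-2222-3333-4444-555555555555",
  SAMPLE_CYCLONEDX_RAW,
);
console.log(demoReq.method, demoReq.url, demoReq.body.length, "bytes");
```

Running classifyResult against the exact bytes the hook fetched from file storage (rather than against the file on disk) is the quickest way to tell whether what reaches the hook is a parsed object, a JSON string, or something else entirely; the reason string separates those cases where the hook's single "ignoring" message does not.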

Labels: bug, help wanted

Status: Done