
Affected project in mail-notification doesn't show name #3978

Closed
2 tasks done
malice00 opened this issue Jul 15, 2024 · 5 comments · Fixed by #4108
Labels
defect Something isn't working p3 Nice-to-have features size/S Small effort
Comments

@malice00
Contributor

Current Behavior

When DT sends a mail about vulnerable dependencies or new vulnerabilities, all references to this project use the purl of the root component instead of the actual project name. This is especially frustrating when this component is not unique -- in our react native apps, the gradle configuration is generated and does not contain a version, so every upload uses the 'same' component even if in DT they are configured as different projects.
The annoying thing is that the list of other affected projects actually does show the project name!

Steps to Reproduce

  1. Create a project
  2. Set up a mail notification
  3. Upload an SBOM
  4. Wait for the mail

Expected Behavior

We expect the mail to contain the actual name configured in DT to show in both the subject and the mail body.

Dependency-Track Version

4.11.5

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.9

Browser

Mozilla Firefox


@malice00 malice00 added defect Something isn't working in triage labels Jul 15, 2024
@malice00
Contributor Author

Update: it seems this does not happen to all projects... It seems like it happens on projects where a new BOM is uploaded -- older projects seem to work correctly. Might be a regression in 4.11.4/5? The older projects were created with at least 4.11.3, not sure if we were already on 4.11.4 though...

@malice00
Contributor Author

Found it! It's caused by the BOM Processing V2! When I turn it off, the mails correctly contain the actual name of the project again. All projects imported with V2 on however, are still broken -- I guess something is saved differently in the database? Unfortunately I currently have no direct access to the db to verify.

@msymons msymons removed the in triage label Jul 17, 2024
@msymons msymons added this to the 4.12 milestone Jul 17, 2024
@msymons
Member

msymons commented Jul 17, 2024

@malice00, thanks for reporting the problem and then digging deeper to identify the culprit.

I have assigned this to the 4.12 milestone because it is important that such defects be addressed before BOM Processing V2 makes the switch from being "Experimental".

As an FYI, #3880 was another notification issue that only occurred when BOM Processing V2 was enabled... a defect now fixed in v4.11.5

@msymons msymons added the gnomes Issues for milestone planning and effort estimation by the DT team label Jul 17, 2024
@nscuro
Member

nscuro commented Aug 31, 2024

The issue seems to be that BOM Processing V2 populates the purl field of a project during BOM import, based on metadata.component.purl in the BOM. Which is something that should have been done since forever, but the legacy BOM processing implementation didn't do it.

Now, with that in mind, looking at the toString implementation of the Project class:

@Override
public String toString() {
    // When a PURL is populated (BOM Processing V2 sets it from
    // metadata.component.purl), the canonical PURL is what gets rendered ...
    if (getPurl() != null) {
        return getPurl().canonicalize();
    } else {
        // ... otherwise fall back to "group : name : version".
        StringBuilder sb = new StringBuilder();
        if (getGroup() != null) {
            sb.append(getGroup()).append(" : ");
        }
        sb.append(getName());
        if (getVersion() != null) {
            sb.append(" : ").append(getVersion());
        }
        return sb.toString();
    }
}

... shows that it will be shown as its PURL, if purl is set. Which in your case it is.

Following this trail, the affected projects in the email template end up calling the above toString implementation:

Project: {{ subject.component.project.toString }}

So, this is not really a bug, since it would have happened (I assume intentionally) before, if your projects had the purl field populated.

That said, this should be an easy fix. And I agree, showing a PURL here makes no sense.
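To make the two code paths concrete, here is an added stand-alone illustration (not Dependency-Track code, and not the fix that landed in #4108): a minimal Project stand-in that reproduces the quoted toString() behaviour, plus a hypothetical displayName() helper of the kind a notification template could call instead of toString. The PURL is kept as a plain string here; real DT uses PackageURL#canonicalize().

```java
// Added example, not part of the original issue or of Dependency-Track.
public final class ProjectNameDemo {

    // Simplified stand-in for the DT Project model (hypothetical record).
    record Project(String group, String name, String version, String purl) {

        // Mirrors the quoted toString(): the PURL wins whenever it is populated,
        // which is exactly what BOM Processing V2 does during import.
        @Override
        public String toString() {
            if (purl != null) {
                return purl; // real code: getPurl().canonicalize()
            }
            return displayName();
        }

        // What a mail notification should show instead: the name configured
        // in DT, regardless of whether purl was populated at import time.
        String displayName() {
            StringBuilder sb = new StringBuilder();
            if (group != null) {
                sb.append(group).append(" : ");
            }
            sb.append(name);
            if (version != null) {
                sb.append(" : ").append(version);
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values reproducing the reporter's situation: two
        // differently named DT projects whose generated BOMs carry the same
        // version-less metadata.component.purl.
        Project legacy = new Project("acme", "mobile-app-ios", "1.4.0", null);
        Project v2Ios = new Project("acme", "mobile-app-ios", "1.4.0", "pkg:maven/com.acme/app");
        Project v2Android = new Project("acme", "mobile-app-android", "2.0.0", "pkg:maven/com.acme/app");

        // Legacy import (purl null) renders the human-readable name; both V2
        // imports collapse to the identical PURL and become indistinguishable.
        System.out.println("legacy toString   : " + legacy);
        System.out.println("v2 iOS toString   : " + v2Ios);
        System.out.println("v2 Android toString: " + v2Android);

        // The helper tells the two projects apart again.
        System.out.println("v2 iOS displayName   : " + v2Ios.displayName());
        System.out.println("v2 Android displayName: " + v2Android.displayName());
    }
}
```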

@nscuro nscuro added p3 Nice-to-have features size/S Small effort and removed gnomes Issues for milestone planning and effort estimation by the DT team labels Aug 31, 2024
@nscuro nscuro closed this as completed in ee89410 Aug 31, 2024
Gepardgame pushed a commit to Gepardgame/dependency-track that referenced this issue Sep 10, 2024

github-actions bot commented Oct 1, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 1, 2024