Use cpe and/or purl from cyclonedx metadata.component to set project cpe and/or purl.

[savek-cc]

Current Behavior

When importing an SBOM that defines a CPE and/or PURL for the metadata.component, these fields are not populated for the project created.
Other properties of the metadata.component have been fixed in the past, see e.g. #3179

Steps to Reproduce

1. Import an SBOM with a metadata.component.cpe entry
2. Review the project information - it's missing the data for the CPE field.

Expected Behavior

Imported project also populates CPE and PURL fields if present in the metadata.component.cpe/purl

Dependency-Track Version

4.10.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Already addressed in BomUploadProcessingTaskV2 which ships with DT v4.11:

dependency-track/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java

Lines 339 to 355 in 3efdd24

	if (project != null) {
	persistentProject.setBomRef(project.getBomRef()); // Transient
	hasChanged |= applyIfChanged(persistentProject, project, Project::getAuthor, persistentProject::setAuthor);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getPublisher, persistentProject::setPublisher);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getManufacturer, persistentProject::setManufacturer);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getSupplier, persistentProject::setSupplier);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getClassifier, persistentProject::setClassifier);
	// TODO: Currently these properties are "decoupled" from the BOM and managed directly by DT users.
	// Perhaps there could be a flag for BOM uploads saying "use BOM properties" or something?
	// changed |= applyIfChanged(project, metadataComponent, Project::getGroup, project::setGroup);
	// changed |= applyIfChanged(project, metadataComponent, Project::getName, project::setName);
	// changed |= applyIfChanged(project, metadataComponent, Project::getVersion, project::setVersion);
	// changed |= applyIfChanged(project, metadataComponent, Project::getDescription, project::setDescription);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getExternalReferences, persistentProject::setExternalReferences);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getPurl, persistentProject::setPurl);
	hasChanged |= applyIfChanged(persistentProject, project, Project::getSwidTagId, persistentProject::setSwidTagId);
	}

But not in the legacy BomUploadProcessingTask:

dependency-track/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java

Lines 115 to 155 in 3efdd24

	if (cycloneDxBom.getMetadata() != null) {
	project.setManufacturer(ModelConverter.convert(cycloneDxBom.getMetadata().getManufacture()));
	final var projectMetadata = new ProjectMetadata();
	projectMetadata.setSupplier(ModelConverter.convert(cycloneDxBom.getMetadata().getSupplier()));
	projectMetadata.setAuthors(cycloneDxBom.getMetadata().getAuthors() != null
	? new ArrayList<>(ModelConverter.convertCdxContacts(cycloneDxBom.getMetadata().getAuthors()))
	: null);
	if (project.getMetadata() != null) {
	qm.runInTransaction(() -> {
	project.getMetadata().setSupplier(projectMetadata.getSupplier());
	project.getMetadata().setAuthors(projectMetadata.getAuthors());
	});
	} else {
	qm.runInTransaction(() -> {
	projectMetadata.setProject(project);
	qm.getPersistenceManager().makePersistent(projectMetadata);
	});
	}
	if (cycloneDxBom.getMetadata().getComponent() != null) {
	final org.cyclonedx.model.Component cdxMetadataComponent = cycloneDxBom.getMetadata().getComponent();
	if (cdxMetadataComponent.getType() != null && project.getClassifier() == null) {
	try {
	project.setClassifier(Classifier.valueOf(cdxMetadataComponent.getType().name()));
	} catch (IllegalArgumentException ex) {
	LOGGER.warn("""
	The metadata.component element of the BOM is of unknown type %s. \
	Known types are %s.""".formatted(cdxMetadataComponent.getType(),
	Arrays.stream(Classifier.values()).map(Enum::name).collect(Collectors.joining(", "))));
	}
	}
	if (cdxMetadataComponent.getSupplier() != null) {
	project.setSupplier(ModelConverter.convert(cdxMetadataComponent.getSupplier()));
	}
	}
	}
	if (project.getClassifier() == null) {
	project.setClassifier(Classifier.APPLICATION);
	}
	project.setExternalReferences(ModelConverter.convertBomMetadataExternalReferences(cycloneDxBom));