Title: Dependency-Track hook ignores CycloneDX SBOM after secureCodeBox v5.0.0 upgrade · Issue #3272 · secureCodeBox/secureCodeBox · GitHub
Description: 🐞 Bug report Describe the bug After upgrading to secureCodeBox 5.0.0, the persistence-dependencytrack hook is skipping uploads with the message: Only CycloneDX SBOMs can be sent to DependencyTrack, ignoring. This occurs even though the T...
Opengraph URL: https://github.com/secureCodeBox/secureCodeBox/issues/3272
Domain: github.com
Author: YuriiBudnyi (https://github.com/YuriiBudnyi)
Date published: 2025-09-11T12:44:47.000Z
Comments: 3
URL: https://github.com/3272/secureCodeBox/issues/3272

## 🐞 Bug report

### Describe the bug

After upgrading to secureCodeBox 5.0.0, the persistence-dependencytrack hook is skipping uploads with the message:

```
Only CycloneDX SBOMs can be sent to DependencyTrack, ignoring.
```

This occurs even though the Trivy SBOM scan produced a valid CycloneDX 1.6 SBOM, was uploaded to file storage, and the parser completed successfully. As a result, the Dependency-Track project’s Last BOM Import timestamp is not updated.

### Expected behavior

The DT hook should detect the CycloneDX SBOM and POST it to Dependency-Track.

The project’s Last BOM Import should update to the current run.

### System (please complete the following information):

 - secureCodeBox 5.0.0
 - Kubernetes Version 1.32
 - dependency-track/dependency-track Chart 0.36.0 Version 4.13.4

### Screenshots / Logs

Trivy SBOM scan & parser:

```txt
2025-09-09 10:04:35.081 | 2025-09-09T08:04:35Z	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-09-09 10:04:35.274 | 2025/09/09 08:04:35 Starting lurker
2025-09-09 10:04:35.274 | 2025/09/09 08:04:35 Waiting for main container 'trivy-sbom' to complete
2025-09-09 10:04:35.274 | 2025/09/09 08:04:35 After scan is completed file '/home/securecodebox/sbom-cyclonedx.json' will be uploaded to '...s3.amazonaws.com'
2025-09-09 10:04:35.275 | 2025/09/09 08:04:35 Waiting for maincontainer to exit.
2025-09-09 10:04:39.869 | 2025-09-09T08:04:39Z	INFO	[javadb] Downloading Java DB...
2025-09-09 10:04:39.870 | 2025-09-09T08:04:39Z	INFO	[javadb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-java-db:1"
2025-09-09 10:05:32.887 | 2025-09-09T08:05:32Z	INFO	[javadb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-java-db:1"
2025-09-09 10:05:32.906 | 2025-09-09T08:05:32Z	INFO	[javadb] Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
2025-09-09 10:05:33.099 | 2025-09-09T08:05:33Z	INFO	Detected OS	family="alpine" version="3.22.1"
2025-09-09 10:05:33.099 | 2025-09-09T08:05:33Z	INFO	Number of language-specific files	num=3
2025-09-09 10:05:33.121 |
2025-09-09 10:05:33.121 | 📣 Notices:
2025-09-09 10:05:33.121 | - Version 0.66.0 of Trivy is now available, current version is 0.65.0
2025-09-09 10:05:33.121 |
2025-09-09 10:05:33.121 | To suppress version checks, run Trivy scans with the --skip-version-check flag
2025-09-09 10:05:33.121 |
2025-09-09 10:05:38.016 | 2025/09/09 08:05:38 Main Container exited. Lurker will end as well.
2025-09-09 10:05:38.016 | 2025/09/09 08:05:38 Uploading result files.
2025-09-09 10:05:38.016 | 2025/09/09 08:05:38 Uploading /home/securecodebox/sbom-cyclonedx.json
2025-09-09 10:05:38.016 | 2025/09/09 08:05:38 Scan result file has a size of 299188 bytes
2025-09-09 10:05:38.242 | 2025/09/09 08:05:38 Uploaded file successfully
2025-09-09 10:05:44.173 | Starting Parser
2025-09-09 10:05:44.396 | (node:1) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2025-09-09 10:05:44.396 | (Use `node --trace-deprecation ...` to show where the warning was created)
2025-09-09 10:05:44.493 | Fetching result file
2025-09-09 10:05:44.674 | Fetched result file
2025-09-09 10:05:44.675 | Transformed raw result file into 1 findings
2025-09-09 10:05:44.675 | Adding UUIDs and Dates to the findings
2025-09-09 10:05:44.676 | Adding scan metadata to the findings
2025-09-09 10:05:44.677 | Validating Findings. Environment variable CRASH_ON_FAILED_VALIDATION is set to false
2025-09-09 10:05:44.882 | The Findings were successfully validated
2025-09-09 10:05:44.917 | Updated status successfully
2025-09-09 10:05:44.917 | Uploading results to the file storage service
2025-09-09 10:05:44.963 | Completed parser
```

Dependency-Track hook

```txt
2025-09-09 10:05:49.175 | Starting hook for Scan "service-example-sbom"
2025-09-09 10:05:49.380 | (node:1) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2025-09-09 10:05:49.380 | (Use `node --trace-deprecation ...` to show where the warning was created)
2025-09-09 10:05:49.569 | Fetched raw result file contents from the file storage
2025-09-09 10:05:49.583 | Only CycloneDX SBOMs can be sent to DependencyTrack, ignoring.
2025-09-09 10:05:49.583 | Hook completed
```

### Additional context