Project autocreation leads to multiple projects #5583

@deubert-it

Description

Current Behavior

In our GitLab pipelines we provide a template that sends Trivy-generated SBOMs to our Dependency-Track instance. In our REST request to /api/v1/bom we provide the parameters:

autoCreate=true
projectName=myProjectName
projectVersion=1.0.0

This will successfully upload the bom and create the project and version.

Now from a subsequent pipeline with a new bom and parameters like these:

autoCreate=true
projectName=myProjectName
projectVersion=1.0.1

We would expect this SBOM to be added to the same project.

However, we currently land in a state where it seems only partially linked.

  • Projects will be visible multiple times in the project list and have unique project UUIDs; at least the visible URL, like https://dependencytrack/projects/UUID, will differ
  • However, when clicking on one of the projects, the version dropdown correctly shows all available versions

I checked the REST endpoint to see if more things could be supplied to give Dependency-Track more "hints", as GitLab would offer more things to match projects, but besides an actual project UUID (which I don't have when relying on autocreation if the project doesn't exist) and tags, I can't seem to set the things I can set via the UI.

From the GitLab perspective, we could easily supply:

  • namespace/group/vendor in DT could be the GitLab project path, like groupname/subgroup/projectname
  • packageurl could be the GitLab project URL
  • SWID Tag ID could be the GitLab project ID

Steps to Reproduce

  1. Without an existing project, upload an SBOM via /api/v1/bom with these parameters (new project + new version):
     autoCreate=true
     projectName=myProjectName
     projectVersion=1.0.0
  2. With the existing project, upload an SBOM via /api/v1/bom with these parameters (existing project + new version):
     autoCreate=true
     projectName=myProjectName
     projectVersion=1.0.1
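The two uploads from the steps above, followed by a listing of what Dependency-Track then holds under that project name, as an added example that is not part of the issue or of the Dependency-Track project. It assumes a stdlib-only client, the X-Api-Key header and the GET /api/v1/project?name= listing that the Dependency-Track REST API provides; BASE_URL and API_KEY are placeholders, and the `send` parameter exists only so the logic can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://dependencytrack"  # host from the issue's URL; change to your instance
API_KEY = "REPLACE_WITH_API_KEY"      # placeholder, not a real key


def bom_upload_payload(name, version, bom_bytes):
    """JSON body for PUT /api/v1/bom with the parameters the issue uses."""
    return {"autoCreate": True, "projectName": name, "projectVersion": version,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def http_send(method, url, body=None):
    """Minimal stdlib transport: returns (HTTP status, response bytes)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Api-Key": API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def summarize_versions(projects):
    """Map version -> UUID from a GET /api/v1/project?name=... listing; every
    distinct UUID is a separate row in the project list."""
    return {p["version"]: p["uuid"] for p in projects}


def reproduce(name, versions, bom_bytes, send=http_send):
    """Upload one BOM per version with autoCreate=true, then list what exists
    under that name. `send` is injectable so the logic can run offline."""
    for version in versions:
        status, _ = send("PUT", f"{BASE_URL}/api/v1/bom",
                         bom_upload_payload(name, version, bom_bytes))
        if not 200 <= status < 300:
            raise RuntimeError(f"upload of {name} {version} failed: HTTP {status}")
    query = urllib.parse.quote(name)
    status, raw = send("GET", f"{BASE_URL}/api/v1/project?name={query}")
    if status != 200:
        raise RuntimeError(f"project listing failed: HTTP {status}")
    return summarize_versions(json.loads(raw))


if __name__ == "__main__":
    # Constructed minimal CycloneDX JSON BOM; enough for the upload to be accepted.
    bom = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}).encode()
    for version, uuid in reproduce("myProjectName", ["1.0.0", "1.0.1"], bom).items():
        print(version, uuid)
```

If the two versions come back with different UUIDs, that is the state the issue describes: two project rows in the list, one per version.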

Expected Behavior

Subsequent SBOM uploads with autoCreate=on should only create a new project if it is actually a new project.

Dependency-Track Version

4.13.4

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Google Chrome
