Incorrect Latest Version for Some Bouncy Castle Components #4601

Closed
2 tasks done
msymons opened this issue Jan 29, 2025 · 3 comments · Fixed by #4602
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Comments

msymons commented Jan 29, 2025

Current Behavior

The Bouncy Castle project (i.e., multiple components) released 1.80 on 14th January 2025, two weeks ago at the time of writing.

Dependency-Track is still reporting that the latest release is 1.79 for some (but not all) components...

[Screenshot]

@nscuro observed on 28th January that Maven Central reports 1.80 (well, if it did not then I would have failed in my upgrade to 1.80 that is shown in the above screenshot):

https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15to18/maven-metadata.xml

...and, for an example pkg:maven/org.bouncycastle/bcprov-jdk15to18@1.77?type=jar, DT unit tests (no caching) see:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<metadata>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15to18</artifactId>
    <versioning>
        <latest>1.79</latest>
        <release>1.79</release>
        <versions>
            <version>1.63</version>
            <version>1.64</version>
            (snip)
            <version>1.78.1</version>
            <version>1.79</version>
        </versions>
        <lastUpdated>20241030032911</lastUpdated>
    </versioning>
</metadata>

...with this response header from Central:

Last-Modified: Wed, 30 Oct 2024 03:29:11 GMT

Steps to Reproduce

  1. Upload component pkg:maven/org.bouncycastle/bcprov-jdk15to18@1.77?type=jar to a project
  2. Check what version DT reports for latest version.

Expected Behavior

Latest version for components should be correct, updating to new values within a couple of hours of (say) Maven Central making a new version available.

Dependency-Track Version

4.12.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.12

Browser

Mozilla Firefox

@msymons msymons added defect Something isn't working in triage labels Jan 29, 2025
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort and removed in triage labels Jan 29, 2025
nscuro commented Jan 29, 2025

The majority of this work is to figure out why we're being served outdated data, specifically when requesting it via DT. The fact that it's reproducible in a unit test suggests that it's not related to caching or similar.

nscuro commented Jan 31, 2025

Found the issue.

We erroneously URL-encoded a slash in the package’s namespace. We currently request:

https://repo1.maven.org/maven2/org%2Fbouncycastle/bcprov-jdk15to18/maven-metadata.xml

whereas it should be:

https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15to18/maven-metadata.xml

What’s odd is that the encoded variant still yields a result, it’s just outdated…

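As an added illustration of the defect described above (example code, not Dependency-Track's own implementation), the following builds the maven-metadata.xml URL for a Maven purl in both the percent-encoded form that was being requested and the correct per-segment form, and extracts the latest version and lastUpdated stamp from a constructed metadata document shaped like the one in the issue. The purl parser and helper names are assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import quote
import xml.etree.ElementTree as ET

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"

@dataclass(frozen=True)
class MavenPurl:
    group_id: str
    artifact_id: str
    version: str | None

def parse_maven_purl(purl: str) -> MavenPurl:
    """Parse pkg:maven/<groupId>/<artifactId>[@version][?qualifiers] (hypothetical helper)."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError("not a maven purl")
    rest = purl[len("pkg:maven/"):].split("?", 1)[0]  # qualifiers are not part of the path
    path, _, version = rest.partition("@")
    group_id, _, artifact_id = path.rpartition("/")
    if not group_id or not artifact_id:
        raise ValueError("maven purl needs a namespace and a name")
    return MavenPurl(group_id, artifact_id, version or None)

def metadata_url_buggy(p: MavenPurl) -> str:
    # Reproduces the defect: the whole group path is encoded in one call, so the '/'
    # separating group segments becomes %2F (org%2Fbouncycastle), a different URL.
    group_path = p.group_id.replace(".", "/")
    return f"{MAVEN_CENTRAL}/{quote(group_path, safe='')}/{quote(p.artifact_id, safe='')}/maven-metadata.xml"

def metadata_url(p: MavenPurl) -> str:
    # Correct form: encode each path segment on its own, then join with literal '/'
    # so the repository layout (org/bouncycastle/bcprov-jdk15to18) is preserved.
    segments = p.group_id.split(".") + [p.artifact_id]
    return f"{MAVEN_CENTRAL}/{'/'.join(quote(s, safe='') for s in segments)}/maven-metadata.xml"

def latest_from_metadata(xml_text: str) -> tuple[str, str]:
    """Return (versioning/latest, versioning/lastUpdated) from a maven-metadata.xml body."""
    root = ET.fromstring(xml_text)
    latest = root.findtext("versioning/latest")
    last_updated = root.findtext("versioning/lastUpdated")
    if latest is None or last_updated is None:
        raise ValueError("metadata lacks versioning/latest or versioning/lastUpdated")
    return latest, last_updated

# Constructed sample, abbreviated from the shape of the response quoted in the issue.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15to18</artifactId>
<versioning><latest>1.79</latest><release>1.79</release>
<versions><version>1.78.1</version><version>1.79</version></versions>
<lastUpdated>20241030032911</lastUpdated></versioning></metadata>"""
```

Comparing `metadata_url()` against `metadata_url_buggy()` for the same purl makes the stale-URL mismatch visible in a unit test, without needing network access.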
@nscuro nscuro added this to the 4.12.4 milestone Jan 31, 2025
@nscuro nscuro closed this as completed in 0cf231e Jan 31, 2025
nscuro added a commit to nscuro/dependency-track that referenced this issue Feb 9, 2025
Fixes DependencyTrack#4601

Signed-off-by: nscuro <nscuro@protonmail.com>
@reubenbubu commented:

Just wanted to say thanks for this fix. Been chasing workarounds for a number of days.
