don't add all components when uploading a new BOM #3354

Closed
2 tasks done
ellipse2v opened this issue Jan 5, 2024 · 4 comments · Fixed by #3357
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk pending release
Milestone

Comments

@ellipse2v

Current Behavior

When I have an SBOM with some duplicate components (same name and version) but a different CPE:

I think there is an issue in ComponentQueryManager.
matchSingleIdentity returns the first match, but buildComponentIdentityQuery has
final String filter = "project == :project && (%s)".formatted(String.join(" || ", filterParts));

https://github.com/DependencyTrack/dependency-track/blob/8e732b6c1177001da0d4975ba703041f6ee7a7e6/src/main/java/org/dependencytrack/persistence/ComponentQueryManager.java#L54

The join has an "or" instead of an "and", so if you have two of the same COTS/VERSION, the first one is returned each time.

When you look at https://github.com/DependencyTrack/hyades-apiserver/pull/218/files

you can see:
final var filter = "project == :project && (" + String.join(" && ", filterParts) + ")";

I tried with && instead of || and it works fine.

This delta comes from https://github.com/DependencyTrack/dependency-track/pull/3126

Regards

Steps to Reproduce

1. Load an SBOM with duplicate COTS OS entries like
PowerEdge 1.1.1 cpe:2.3:o:dell:poweredge_r640_firmware:2.9.4:::::::*
and
PowerEdge 1.1.1 cpe:2.3:h:dell:poweredge_r640:2.9.4:::::::*

in order not to lose any CVE (for example, with a deprecated CPE).

After loading the SBOM I have 447 components.
I reload the SBOM; all the duplicated COTS/OSS are removed, and only one of each is still in DT.
I now have 337 COTS.

Expected Behavior

I expect to have all the COTS/OSS of the SBOM in DT even if I load the BOM many times.

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image, Executable WAR

Database Server

PostgreSQL

Database Server Version

14

Browser

Google Chrome

Checklist

@ellipse2v ellipse2v added defect Something isn't working in triage labels Jan 5, 2024
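To make the reported matching behaviour concrete, the following is an added Python model of the two filter variants quoted in the report. It is not Dependency-Track's code (which is Java) and does not run its JDO queries; it only reproduces the semantics of joining the identity predicates with `||` versus `&&` and the effect on a re-uploaded BOM. The shape of the filter parts (one predicate per identifier that is set, plus one predicate that compares group/name/version together), the `*`-padded CPE form, the third component and the re-upload reconciliation rule are assumptions made for the model; the two PowerEdge CPEs come from the report.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Component:
    """One component row; only the identity-relevant attributes are modelled."""
    name: str
    version: Optional[str] = None
    group: Optional[str] = None
    purl: Optional[str] = None
    cpe: Optional[str] = None
    swid_tag_id: Optional[str] = None


def identity_filter_parts(cid: Component) -> List[Callable[[Component], bool]]:
    """Build the predicates the identity filter is assembled from.

    Assumed shape (not copied from Dependency-Track): one predicate per
    identifier that is set (purl, cpe, swid_tag_id) plus one predicate that
    compares the group/name/version coordinates together.
    """
    parts: List[Callable[[Component], bool]] = []
    for field in ("purl", "cpe", "swid_tag_id"):
        value = getattr(cid, field)
        if value is not None:
            parts.append(lambda c, f=field, v=value: getattr(c, f) == v)
    parts.append(
        lambda c: (c.group, c.name, c.version) == (cid.group, cid.name, cid.version)
    )
    return parts


def match_single_identity(stored: List[Component], cid: Component, join: str) -> Optional[Component]:
    """Return the first stored component satisfying the filter.

    join="||" reproduces the reported behaviour (any predicate suffices);
    join="&&" models the proposed fix (every predicate must hold).
    """
    combine = any if join == "||" else all
    parts = identity_filter_parts(cid)
    for component in stored:
        if combine(p(component) for p in parts):
            return component
    return None


def reupload(stored: List[Component], bom: List[Component], join: str) -> List[Component]:
    """Simulate re-uploading a BOM (assumed reconciliation rule).

    Each BOM entry is resolved against the stored rows: an unmatched entry is
    created, a row matched by several entries survives only once, and stored
    rows that nothing resolved to are dropped.
    """
    retained: List[Component] = []
    matched = set()
    for entry in bom:
        existing = match_single_identity(stored, entry, join)
        if existing is None:
            retained.append(entry)
        elif existing not in matched:
            matched.add(existing)
            retained.append(existing)
    return retained


# Constructed sample data: the two CPEs from the report (wildcard fields
# restored as an assumption) plus one unrelated component sharing the version.
POWEREDGE_OS = Component(
    name="PowerEdge", version="1.1.1",
    cpe="cpe:2.3:o:dell:poweredge_r640_firmware:2.9.4:*:*:*:*:*:*:*",
)
POWEREDGE_HW = Component(
    name="PowerEdge", version="1.1.1",
    cpe="cpe:2.3:h:dell:poweredge_r640:2.9.4:*:*:*:*:*:*:*",
)
OPENSSL = Component(name="openssl", version="1.1.1", purl="pkg:generic/openssl@1.1.1")
BOM = [POWEREDGE_OS, POWEREDGE_HW, OPENSSL]


def component_count_after_reupload(join: str) -> int:
    """First upload creates every entry; the second upload resolves against them."""
    stored = reupload([], BOM, join)
    return len(reupload(stored, BOM, join))


if __name__ == "__main__":
    print("|| join, components after re-upload:", component_count_after_reupload("||"))
    print("&& join, components after re-upload:", component_count_after_reupload("&&"))
```

With the `||` join, the second PowerEdge entry resolves to the first stored row through the coordinates predicate alone, so it is never matched on its own and disappears on re-upload, which is the 447 to 337 drop described above in miniature; with `&&`, the differing CPE keeps the two rows apart.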
@nscuro
Member

nscuro commented Jan 5, 2024

See #2519 (comment) for more details on this.

Note though that this behavior was not introduced in #3126, it always worked like this.

You already found DependencyTrack/hyades-apiserver#218, which we intend to backport. Besides fixing this particular issue, it also comes with loads of performance improvements.

@dioxygene

Hello, OK. I thought there had been an attempt to correct it with that commit, as the code looks a lot like it and there had been a small error.
Thanks for your answers.
Should I reject the defect?
Thanks

@nscuro
Member

nscuro commented Jan 7, 2024

I'm leaving it open for now. It will be closed once #3357 is merged. :)

@nscuro nscuro removed the in triage label Jan 7, 2024
@nscuro nscuro added this to the 4.11 milestone Jan 7, 2024
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk pending release labels Jan 10, 2024
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 26, 2024