Can Dep Track link between Components and their SBOMs if uploaded separately?

[adamvanaken]

Let's say we have Application Foo that depends on Component Bar which, in turn, has it's own set of dependencies. I understand how to build a hierarchical SBOM using dependencies.dependsOn, but is there a way to upload the individual (flat) SBOMs for Foo AND Bar separately, as part of their own individual build processes, such that they are linked within Dep Track? I've tried matching bom-refs and purls, and even defining SWID Tags, etc., but to no avail.

Ideally, I'd like to see an automatic Dependency Graph on the Foo Application that expands and includes Bar, which itself is expandable to show its dependencies.

Is there a way to achieve any sort of linking like this?

Edit: I am using v4.9.1

[riteshnoronha]

@adamvanaken I believe there is no linking approach currently, but if the end goal is to have a single view of all the vulns, then one approach could be merging the sboms into a third project, using scripts and DT api. There are multiple sbom merge tools. We internally use sbomasm as we have built that tool, to handle cases like these, but there are multiple others as documented here CycloneDX/specification#320. There are some quirks about merging SBOMs though - such as choice of flattening vs retaining graphs and single final SBOM vs bom-links.. If you can share a bit more about the usability of final project, I can help you narrow some options

[adamvanaken]

Thank you for the reply, @riteshnoronha. My end-goal is not vulnerability, but rather about tighter integration between components. For example, let's say we have 3 Applications all referencing the same exact build/version of library Bar. If I search in the Components area for Bar, it shows up 3 times -- each time links to a different page with a different Object Identifier, but these should really be the same object. (Ideally, one that displays Bars Components, so we can easily walk the dependency trees.

Edit: All 3 Bar component pages/objects have the same PURL

[riteshnoronha]

Got it. i think i understand what u want. Unfortunately i think that is not supported currently. I am speculating but i think implementing project linking brings in other considerations as to how will vulns be managed and disposed, accurate vuln counts, policy management around this. One place to probably have this discussion would be in dependency track slack https://dependencytrack.org/slack/invite.

[riteshnoronha]

if you do find a good soln, do share, would love to hear about it.