Make dependency track consumer work with large boms and with proper flags

components/consumers/dependency-track/main.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
-	"encoding/base64"
 	"flag"
 	"fmt"
 	"log"
@@ -12,6 +11,7 @@ import (
 	"strings"
 
 	dtrack "github.com/DependencyTrack/client-go"
+	"github.com/go-errors/errors"
 	"github.com/google/uuid"
 
 	v1 "github.com/ocurity/dracon/api/proto/v1"
@@ -28,7 +28,7 @@ var (
 	client          *dtrack.Client
 	ownerAnnotation string
 	// used for debugging, turns off certificate and enables debug
-	debug bool
+	debugDT bool
 )
 
 func main() {
@@ -37,7 +37,7 @@ func main() {
 	flag.StringVar(&projectName, "projectName", "", "dependency track project name")
 	flag.StringVar(&projectUUID, "projectUUID", "", "dependency track project name")
 	flag.StringVar(&projectVersion, "projectVersion", "", "dependency track project version")
-	flag.BoolVar(&debug, "debug", false, "setup client with no tls and enable debug")
+	flag.BoolVar(&debugDT, "debugDependencyTrackConnection", false, "setup client with no tls and enable debug")
 	flag.StringVar(
 		&ownerAnnotation,
 		"ownerAnnotation",
@@ -66,27 +66,27 @@ func main() {
 		log.Fatal("project version is mandatory for dependency track")
 	}
 
-	client, err := dtrack.NewClient(
+	c, err := dtrack.NewClient(
 		authURL,
 		dtrack.WithHttpClient(
 			&http.Client{Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: debug,
+					InsecureSkipVerify: debugDT,
 				},
 			},
 			}),
-		dtrack.WithDebug(debug),
+		dtrack.WithDebug(debugDT),
 		dtrack.WithAPIKey(apiKey),
 	)
 	if err != nil {
-		log.Panicf("could not instantiate client err: %#v\n", err)
+		log.Fatalf("could not instantiate client err: %#v\n", err)
 	}
-
+	client = c
 	abt, err := client.Metrics.LatestPortfolioMetrics(context.Background())
 	if err != nil {
 		log.Fatalf("cannot connect to Dependency Track at %s, err:'%v'", authURL, err)
 	}
-	slog.Info("connection to DT successful listed projects in instance", "projects", abt.Projects)
+	slog.Info("Connection to DT successful, projects in instance:", "instance", abt.Projects)
 	if consumers.Raw {
 		responses, err := consumers.LoadToolResponse()
 		if err != nil {
@@ -115,8 +115,7 @@ func uploadBOMSFromEnriched(responses []*v1.EnrichedLaunchToolResponse) ([]strin
 			if issue.GetRawIssue().GetCycloneDXSBOM() != "" && bomIssue == nil {
 				bomIssue = issue
 			} else if bomIssue != nil && bomIssue.GetRawIssue().GetCycloneDXSBOM() != "" {
-				log.Printf("Tool response for tool %s is malformed, we expected a single issue with an SBOM as part of the tool, got something else instead",
-					res.GetOriginalResults().GetToolName())
+				slog.Error("tool:", res.GetOriginalResults().GetToolName(), "response is malformed, we expected a single issue with an SBOM as part of the tool, got something else instead")
 				continue
 			}
 		}
@@ -126,20 +125,19 @@ func uploadBOMSFromEnriched(responses []*v1.EnrichedLaunchToolResponse) ([]strin
 		}
 		token, err := uploadBOM(bomIssue.GetRawIssue().GetCycloneDXSBOM(), cdxbom.Metadata.Component.Version)
 		if err != nil {
-			log.Fatal("could not upload bom to dependency track, err:", err)
+			return tokens, errors.Errorf("could not upload bom to dependency track, err:%w", err)
 		}
-		log.Println("upload token is", token)
+		slog.Debug("upload", "token", token)
 		tokens = append(tokens, token)
 		if ownerAnnotation != "" {
-			log.Println("tagging owners")
 			owners := []string{}
 			for key, value := range bomIssue.Annotations {
 				if strings.Contains(key, ownerAnnotation) {
 					owners = append(owners, value)
 				}
 			}
 			if err := addOwnersTags(owners); err != nil {
-				log.Println("could not tag owners, err:", err)
+				slog.Error("could not tag owners", "err", err)
 			}
 		}
 	}
@@ -154,8 +152,7 @@ func uploadBOMsFromRaw(responses []*v1.LaunchToolResponse) ([]string, error) {
 			if *issue.CycloneDXSBOM != "" && bomIssue == nil {
 				bomIssue = issue
 			} else if bomIssue != nil && *bomIssue.CycloneDXSBOM != "" {
-				log.Printf("Tool response for tool %s is malformed, we expected a single issue with an SBOM as part of the tool, got multiple issues with sboms instead",
-					res.GetToolName())
+				slog.Error("tool:", res.GetToolName(), "response is malformed, we expected a single issue with an SBOM as part of the tool, got something else instead")
 				continue
 			}
 		}
@@ -165,9 +162,9 @@ func uploadBOMsFromRaw(responses []*v1.LaunchToolResponse) ([]string, error) {
 		}
 		token, err := uploadBOM(*bomIssue.CycloneDXSBOM, cdxbom.Metadata.Component.Version)
 		if err != nil {
-			log.Fatal("could not upload bod to dependency track, err:", err)
+			return tokens, errors.Errorf("could not upload bod to dependency track, err:%w", err)
 		}
-		log.Println("upload token is", token)
+		slog.Info("upload", "token", token)
 		tokens = append(tokens, token)
 	}
 	return tokens, nil
@@ -179,7 +176,7 @@ func addOwnersTags(owners []string) error {
 	uuid := uuid.MustParse(projectUUID)
 	project, err := client.Project.Get(context.Background(), uuid)
 	if err != nil {
-		log.Println("could not add project tags error getting project by uuid, err:", err)
+		slog.Error("could not add project tags error getting project by uuid", "err", err)
 		return err
 	}
 	for _, owner := range owners {
@@ -203,13 +200,16 @@ func uploadBOM(bom string, projectVersion string) (string, error) {
 	if projectVersion == "" {
 		projectVersion = "Unknown"
 	}
-	uuid := uuid.MustParse(projectUUID)
-	token, err := client.BOM.Upload(context.TODO(), dtrack.BOMUploadRequest{
+	projUUID, err := uuid.Parse(projectUUID)
+	if err != nil {
+		return "", err
+	}
+	token, err := client.BOM.PostBom(context.TODO(), dtrack.BOMUploadRequest{
 		ProjectName:    projectName,
 		ProjectVersion: projectVersion,
-		ProjectUUID:    &uuid,
+		ProjectUUID:    &projUUID,
 		AutoCreate:     true,
-		BOM:            base64.StdEncoding.EncodeToString([]byte(bom)),
+		BOM:            bom,
 	})
 	return string(token), err
 }