Dependency Track - fix missing dependency graph

Security Jan 20, 2025


The CSO asked me to check why the Dependency Graph feature in Dependency Track doesn't work for our projects: it doesn't show any dependency tree.

I wanted to quickly explain here what the dependency graph feature is with a link to the Dependency Track documentation for it, but no such page exists. So... I won't explain ¯\_(ツ)_/¯.
I will showcase it later.

Briefing

SBOMs are generated using Syft in CycloneDX format (officially supported by Dependency Track).

Dependency-Track consumes and analyzes CycloneDX BOMs at high-velocity and is ideal for use in modern build pipelines. The generation of CycloneDX BOMs often occur during CI or when the final application assembly is being generated.

~ Dependency Track documentation

Syft was selected in the first place because it is a tool designed specifically to generate SBOMs (and to do nothing else).

Operation Recreate Issue

I have an app, Smasher (it doesn't smash anything, I promise). I generated an SBOM from it and uploaded it to Dependency Track.

# Generate the SBOM with Syft; the output file name must match the one uploaded below
syft scan dir:app --output cyclonedx-json=syft-sbom.json
# Upload it to Dependency Track (the API key placeholder is a Taskfile template variable)
curl -X POST \
-H 'X-API-Key: {{ .DEPENDENCY_TRACK_API_KEY }}' \
-H "Content-Type: multipart/form-data" \
-F 'projectName=smasher' \
-F 'projectVersion=syft' \
-F 'autoCreate=true' \
-F "bom=@syft-sbom.json" \
https://dependency-track.hahahihi.com/api/v1/bom

Generate SBOM using Syft and upload to Dependency Track

It looks like this:

Operation Fixing Stuff

I found the following issue in the Syft repository: https://github.com/anchore/syft/issues/3071

TL;DR: Syft doesn't include dependency relationships (the CycloneDX "dependencies" section) in the SBOM file, so Dependency Track has no edges to draw.
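Because an upload with no relationships succeeds silently, it is worth checking the BOM before it reaches Dependency Track. The script below is an added example (not part of this post, and not code from Syft, Trivy or Dependency Track): it inspects a CycloneDX JSON BOM for a usable dependency graph, flags "dependsOn" references that point at undeclared components, lists components that would never be reachable from the root, and renders the tree the way the expanded graph view presents it. The two embedded SBOMs are constructed by hand, one in the flat shape the Syft issue describes and one carrying relationships; the component names and versions are invented.

```python
"""Pre-upload check: does a CycloneDX JSON SBOM carry a dependency graph?

Added example, not part of the original post or of Syft/Trivy/Dependency
Track. Both SBOMs below are constructed by hand to mimic the two shapes
discussed: a flat component list, and the same list plus a "dependencies"
array that Dependency Track can render as a tree.
"""
import json

_COMPONENTS = [
    {"bom-ref": "pkg:npm/express@4.19.2", "name": "express", "version": "4.19.2", "type": "library"},
    {"bom-ref": "pkg:npm/body-parser@1.20.2", "name": "body-parser", "version": "1.20.2", "type": "library"},
    {"bom-ref": "pkg:npm/qs@6.11.0", "name": "qs", "version": "6.11.0", "type": "library"},
]
_METADATA = {"component": {"bom-ref": "app-root", "name": "smasher", "type": "application"}}

# Constructed: flat component list with no "dependencies" array at all.
SBOM_FLAT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": _METADATA, "components": _COMPONENTS,
})

# Constructed: same components plus the relationships between them.
SBOM_WITH_GRAPH = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": _METADATA, "components": _COMPONENTS,
    "dependencies": [
        {"ref": "app-root", "dependsOn": ["pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/body-parser@1.20.2", "pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/body-parser@1.20.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/qs@6.11.0", "dependsOn": []},
    ],
})


def _all_refs(components):
    """Collect bom-refs recursively; CycloneDX allows nested components."""
    refs = []
    for c in components or []:
        if "bom-ref" in c:
            refs.append(c["bom-ref"])
        refs.extend(_all_refs(c.get("components")))
    return refs


def inspect_sbom(sbom_text):
    """Summarise the graph information present in a CycloneDX JSON BOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    refs = set(_all_refs(bom.get("components")))
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    # A "dependencies" array whose entries all have an empty dependsOn is as
    # useless to the graph view as no array at all.
    has_graph = any(edges.values())
    # Edges pointing at refs declared nowhere cannot be attached to anything.
    known = refs | ({root} if root else set())
    dangling = sorted(t for ts in edges.values() for t in ts if t not in known)
    # Walk from the root to find the components the tree would actually show.
    reachable, stack = set(), ([root] if root else [])
    while stack:
        node = stack.pop()
        if node in reachable:
            continue
        reachable.add(node)
        stack.extend(edges.get(node, []))
    return {
        "root": root,
        "component_count": len(refs),
        "edge_count": sum(len(v) for v in edges.values()),
        "has_graph": has_graph,
        "dangling_refs": dangling,
        "unreachable_components": sorted(refs - reachable),
    }


def render_tree(sbom_text):
    """Render the tree roughly as the expanded graph view shows it."""
    bom = json.loads(sbom_text)
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    lines = []

    def walk(node, depth, seen):
        lines.append("  " * depth + node)
        if node in seen:  # cycle guard: print the repeated node once, then stop
            return
        for child in edges.get(node, []):
            walk(child, depth + 1, seen | {node})

    walk(root, 0, frozenset())
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("flat", SBOM_FLAT), ("with graph", SBOM_WITH_GRAPH)):
        print(label, inspect_sbom(text))
    print(render_tree(SBOM_WITH_GRAPH))
```

Run it against the real file with `inspect_sbom(open("syft-sbom.json").read())`; if `has_graph` is false or `unreachable_components` is non-empty, the upload will go through but the graph view will stay empty, which is exactly the symptom reported here.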

I recall that Trivy can generate SBOMs as well:

  -f, --format string (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")

Let's try that:

# Generate the SBOM with Trivy's filesystem scanner in CycloneDX format
trivy fs --format cyclonedx --output trivy-sbom.json app
# Upload it as a separate project version so both SBOMs can be compared
curl -X POST \
-H 'X-API-Key: {{ .DEPENDENCY_TRACK_API_KEY }}' \
-H "Content-Type: multipart/form-data" \
-F 'projectName=smasher' \
-F 'projectVersion=trivy' \
-F 'autoCreate=true' \
-F "bom=@trivy-sbom.json" \
https://dependency-track.hahahihi.com/api/v1/bom

Let's check the results:

A small "+" icon is now visible next to the component.

And it can be expanded like this:


Krzysztof Wiatrzyk

Big love for Kubernetes and the entire Cloud Native Computing Foundation. DevOps, biker, hiker, dog lover, guitar player, and lazy gamer.