Components without vulnerabilities are not imported from SBOM or scan results
Bug description: After I import a Trivy dependency scan with all pkgs, in the Dojo Components tab I can see only packages that have at least 1 vulnerability (with Info severity or higher).
To my mind it may be useful to have all packages and their versions in the vulnerability management tool to quickly mitigate new vulns (e.g. in case of a zero-day vulnerability in some package that previously did not have known vulns).
I suppose this behaviour may be caused by the obligatory field "Minimum severity".
To reproduce this behaviour, create a Trivy report for some test application and import the results into Dojo:
trivy fs ./dvja-master -f json --list-all-pkgs -o ./dvja-list-all.json
Deployment method (select with an X)
- [X] Docker Compose
- [ ] Kubernetes
- [ ] GoDojo
DefectDojo doesn't store components. The component information (name and version) is held in fields of the finding. This is the reason why DefectDojo can only report components with findings.
@StefanFl, we can create an Info severity finding for detected components then. It will bring us a new feature (dependency tracking) with only a modification of the scan results parser. As @damiencarol mentioned in Slack: "People can filter 'info' Findings if they don't want these data."
It should be useful for those who just want to collect and store info about their dependencies in one place; such a simple way would be enough for them, instead of supporting and using a dependency-track solution.
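As an added illustration of the approach proposed in the thread (this is example code, not DefectDojo's Trivy parser): a small parser that reads a Trivy JSON report produced with `--list-all-pkgs` and emits one finding per vulnerability plus one Info-severity finding per listed package that has no vulnerability, so the clean packages still show up as components. The report fragment is constructed; field names follow Trivy's JSON schema, the package names are made up and the CVE id is a placeholder.

```python
import json

# Constructed fragment of a Trivy JSON report (trivy fs --list-all-pkgs -f json).
# Field names follow Trivy's schema; package names and the CVE id are placeholders.
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "dvja-master/pom.xml",
        "Class": "lang-pkgs",
        "Type": "pom",
        "Packages": [
            {"Name": "org.example:lib-a", "Version": "1.0.0"},
            {"Name": "org.example:lib-b", "Version": "2.3.1"},
        ],
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "org.example:lib-a",
             "InstalledVersion": "1.0.0", "Severity": "HIGH", "Title": "placeholder"},
        ],
    }]
})

# Trivy reports severities in upper case; map them to DefectDojo's names,
# folding UNKNOWN into Info.
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "UNKNOWN": "Info"}


def parse_trivy(report_text):
    """Return finding dicts: one per vulnerability, plus one Info finding per
    package Trivy listed but reported no vulnerability for (component inventory)."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        vulns = result.get("Vulnerabilities") or []
        pkgs = result.get("Packages") or []
        vulnerable = {(v["PkgName"], v["InstalledVersion"]) for v in vulns}
        for v in vulns:
            findings.append({
                "title": f"{v['VulnerabilityID']} in {v['PkgName']}",
                "severity": SEVERITY_MAP.get(v.get("Severity", "UNKNOWN"), "Info"),
                "component_name": v["PkgName"],
                "component_version": v["InstalledVersion"],
            })
        # The proposed addition: packages with no vulnerability become Info findings,
        # which users can filter out while keeping the component data in Dojo.
        for p in pkgs:
            if (p["Name"], p["Version"]) not in vulnerable:
                findings.append({
                    "title": f"Component {p['Name']} {p['Version']} (no known vulnerabilities)",
                    "severity": "Info",
                    "component_name": p["Name"],
                    "component_version": p["Version"],
                })
    return findings
```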