
Dependency Track ignores dependsOn tag in CycloneDX format

Open mrtnbm opened this issue 3 years ago • 6 comments

Current Behavior: Security Vulnerabilities do not include the dependsOn tag of the CycloneDX file. For example, suppose that we have the following reference and dependsOn field, where component-a has no security vulnerability but b and c have vulnerabilities:

{
  "ref" : "pkg:maven/component/[email protected]?type=jar",
  "dependsOn" : [
    "pkg:maven/component/[email protected]?type=jar",
    "pkg:maven/component/[email protected]?type=jar"
  ]
},

Dependency Track will not show these relationships to component-a in the vulnerabilities tab. You will only see the component-b/c with a vulnerability risk and component-a will not yield any information that it depends on this software module with the given vulnerability.

Proposed Behavior: Given the above CycloneDX file and scenario, Dependency Track should log the vulnerability inside component-a too or reference the vulnerability of component-b/c in component-a.

mrtnbm avatar May 10 '22 08:05 mrtnbm

I think what may be necessary is to include a view for affected components. The current view is "vulnerable components" and in this case component-a is not vulnerable, but it is affected.

We also need to consider the scope of the components. If component-b is a test component and the scope is excluded, component-a is potentially not affected.

stevespringett avatar May 10 '22 16:05 stevespringett
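As an added illustration (not code from Dependency-Track or from anyone in this thread), here is the "affected, not vulnerable" view from the comment above, with the scope rule from the same comment, computed over a constructed CycloneDX fragment. The purls, the BOM contents and the VULNERABLE set are all made up for the example.

```python
import json
from collections import deque

# Constructed sample (not from the issue): purl-style bom-refs for four components.
A, B, C, T = (f"pkg:maven/component/{n}@1.0?type=jar"
              for n in ("component-a", "component-b", "component-c", "test-only"))

# Minimal CycloneDX-shaped BOM: component-a has no findings of its own but pulls in
# component-b, which pulls in component-c; test-only is vulnerable but scope-excluded.
BOM_JSON = json.dumps({
    "components": [
        {"bom-ref": A}, {"bom-ref": B}, {"bom-ref": C},
        {"bom-ref": T, "scope": "excluded"},
    ],
    "dependencies": [
        {"ref": A, "dependsOn": [B, T]},
        {"ref": B, "dependsOn": [C]},
    ],
})
VULNERABLE = {B, C, T}  # constructed: refs a scanner reported findings for


def affected_components(bom_json, vulnerable_refs):
    """Return {component ref: set of vulnerable refs it reaches via dependsOn}
    for components that are not themselves vulnerable, skipping scope-excluded
    nodes so a test-only dependency does not mark its consumer as affected."""
    bom = json.loads(bom_json)
    excluded = {c["bom-ref"] for c in bom.get("components", [])
                if c.get("scope") == "excluded"}
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    result = {}
    for comp in bom.get("components", []):
        root = comp["bom-ref"]
        if root in excluded or root in vulnerable_refs:
            continue  # out of scope, or already shown as "vulnerable"
        seen, queue, reached = {root}, deque(edges.get(root, [])), set()
        while queue:  # breadth-first walk; `seen` makes dependency cycles safe
            ref = queue.popleft()
            if ref in seen or ref in excluded:
                continue
            seen.add(ref)
            if ref in vulnerable_refs:
                reached.add(ref)
            queue.extend(edges.get(ref, []))
        if reached:
            result[root] = reached
    return result
```

Running it on the sample reports component-a as affected through component-b and component-c, while the excluded test-only dependency is ignored.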

Yeah, that would be a good option. This would help in indicating where the vulnerability is actually coming from. In my case, I never included component-b or c in the pom of the maven project, so I manually needed to search the bom.json file for "dependsOn"-fields to find out that I indirectly added the (sub-)dependency component-b and c, because component-a depends on it.

mrtnbm avatar May 10 '22 16:05 mrtnbm

Another possibility is to include a new dependency graph view (a few visual representations are planned) which shows the exploded dependency tree and highlights the nodes that are vulnerable. Snyk has a similar view which is very useful.

stevespringett avatar May 10 '22 17:05 stevespringett

Sure, that would help in indicating the actual cause of the vulnerability too.

mrtnbm avatar May 10 '22 18:05 mrtnbm

I logged https://github.com/DependencyTrack/frontend/issues/87 a while back to suggest that the ability to filter the dependency graph would be useful... including the ability to filter by vulnerabilities.

msymons avatar Jun 04 '22 23:06 msymons

@msymons Thanks for the reference. Didn't know this was already indirectly mentioned in your issue.

mrtnbm avatar Jun 14 '22 06:06 mrtnbm

Didn't know this was already indirectly mentioned in your issue.

Just another point of view at indirect dependencies :)

jimklimov avatar Nov 28 '22 14:11 jimklimov

Is this the same (or related to) #1513?

roadSurfer avatar Jan 26 '23 10:01 roadSurfer