
different evaluation for the same vulnerability

Open redaabdellah21 opened this issue 2 years ago • 2 comments

Current Behavior:

Dependency-Track is giving 2 different severity results for the same vulnerability.

image

image

The first one is on H2, the second is on PostgreSQL. I have noticed that working with PostgreSQL is difficult: Dependency-Track does not fetch all the vulnerabilities. I have 140853 vulnerabilities in PostgreSQL against 190232 in H2 (I have run it on Docker so many times with PostgreSQL and it never gets as many vulnerabilities as H2), and now it is not giving the same evaluation.

Steps to Reproduce:

  • Run 2 containers on Docker, one with H2, the other with PostgreSQL.
  • Add this component to your project on both containers and see the difference. purl: pkg:npm/[email protected]

Expected Behavior:

Vulnerabilities' evaluation should be the same regardless of the DB used.

Environment:

  • Dependency-Track Version: 4.5.0 for both containers
  • Distribution: Docker
  • BOM Format & Version: CycloneDX 1.3
  • Database Server: one on H2, one on PostgreSQL
  • Browser: Edge

Additional Details:

Both evaluations are correct, but the H2 container is basing its on CVSSv3, which is the expected behavior; the one with PostgreSQL is giving the CVSSv2 results.


redaabdellah21 (Jul 07 '22 11:07)

I'm getting the same vulnerability details with both of your mentioned databases.

What you see in your Postgres setup are the vulnerability details from OSS Index: https://ossindex.sonatype.org/vulnerability/sonatype-2021-0449?component-type=npm&component-name=handlebars

image

If a vulnerability doesn't yet exist in DT's local vulnerability database, and that vulnerability is reported by OSS Index, DT will create it ad-hoc using OSSI's details. Those details will be overwritten by whatever is recorded in the NVD the next time the NistMirrorTask is executed.

It's possible that mirroring the NVD takes longer with Postgres than with H2 in your case.

nscuro (Jul 12 '22 21:07)
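A simplified model of the behaviour nscuro describes, added here as an illustration and not Dependency-Track's own code: a record created ad hoc from OSS Index carries only a CVSSv2 score, is rated with the CVSSv2 bands (which have no Critical level), and is replaced by the NVD record, with its CVSSv3 score, when the mirror task runs. The scores, the `source` field and the vulnerability id are constructed assumptions.

```python
"""Constructed model of ad-hoc vulnerability creation from OSS Index being
overwritten by the NVD mirror. Not Dependency-Track's implementation."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vulnerability:
    vuln_id: str
    source: str                  # which feed populated the record (assumed field)
    cvss_v2: Optional[float] = None
    cvss_v3: Optional[float] = None

def severity(v: Vulnerability) -> str:
    """Prefer CVSSv3 when present, else fall back to CVSSv2.
    Bands follow NVD's published qualitative ranges for each version."""
    if v.cvss_v3 is not None:
        s = v.cvss_v3
        if s == 0.0: return "UNASSIGNED"
        if s < 4.0: return "LOW"
        if s < 7.0: return "MEDIUM"
        if s < 9.0: return "HIGH"
        return "CRITICAL"
    if v.cvss_v2 is not None:    # CVSSv2 tops out at HIGH: 7.0-10.0 is one band
        s = v.cvss_v2
        if s < 4.0: return "LOW"
        if s < 7.0: return "MEDIUM"
        return "HIGH"
    return "UNASSIGNED"

local_db: dict = {}              # stands in for DT's local vulnerability database

def record_from_ossindex(vuln_id: str, cvss_v2: float) -> Vulnerability:
    """Create the record ad hoc only if it is not already known locally."""
    if vuln_id not in local_db:
        local_db[vuln_id] = Vulnerability(vuln_id, "OSSINDEX", cvss_v2=cvss_v2)
    return local_db[vuln_id]

def nist_mirror(vuln_id: str, cvss_v2: float, cvss_v3: float) -> Vulnerability:
    """Mirror step: NVD details replace whatever was recorded before."""
    local_db[vuln_id] = Vulnerability(vuln_id, "NVD", cvss_v2, cvss_v3)
    return local_db[vuln_id]

def demo() -> tuple:
    """Constructed scores: v2 7.5 from OSS Index, then v2 7.5 / v3 9.8 from NVD."""
    before = severity(record_from_ossindex("CVE-CONSTRUCTED-0001", 7.5))
    after = severity(nist_mirror("CVE-CONSTRUCTED-0001", 7.5, 9.8))
    return before, after, local_db["CVE-CONSTRUCTED-0001"].source
```

Until the mirror has reached the year file that holds the NVD entry, the instance keeps reporting the OSS Index rating, which is the discrepancy seen between the two containers.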

I would like to thank you for your answer. My H2 instance is able to mirror all NVD vulnerabilities up to the 2002 file, and it is the one giving me the critical severity, as shown in the picture below.

image

Does this mean that NVD and OSS Index may give different analyses?

The problem with the PostgreSQL instance is that it never mirrors all the vulnerabilities; it always stops parsing at the 2020 file, or 2019 at most, which leaves me with fewer vulnerabilities compared with the H2 instance. I have read that it could be because my Docker is under-resourced; I gave it 7 GB RAM and 4 CPUs but nothing changed. Do you have any idea about this?

redaabdellah21 (Jul 13 '22 08:07)