
Same vulnerability is reported several times

Open lsoumille opened this issue 3 years ago • 3 comments

Current Behavior

In our DependencyTrack instance, for some components, we have duplicate vulnerability reports. See associated screenshots.


After digging in the DependencyTrack database we can see several entries in the table COMPONENTS_VULNERABILITIES, but we don't understand how that's possible.

This is an issue as we are using these thresholds in build gates.

Steps to Reproduce

  1. We were not able to reproduce it for distinct components; it seems to appear in a non-deterministic way.

Expected Behavior

I want to have only one entry per vulnerability in the DependencyTrack report.

Dependency-Track Version

4.5.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

10.18

Browser

N/A

Checklist

lsoumille avatar Nov 14 '22 16:11 lsoumille

After digging in the DependencyTrack database we can see several entries in the table COMPONENTS_VULNERABILITIES, but we don't understand how that's possible.

Would it be possible to share what exactly you saw there?

Technically the same vulnerability being reported for the "same" component can happen when there are duplicate components in the projects being analyzed. But if the same vulnerability is assigned multiple times to the same component (as in, same database ID), that should definitely not happen.

nscuro avatar Nov 21 '22 17:11 nscuro

Hi @nscuro

Thanks for your answer. I have double-checked and for our case we have:

  • For a vulnerability, a unique entry in the vulnerability table
  • For the corresponding project, a unique component in the table and in the BOM
  • We have 2 entries in COMPONENT_VULNERABILITIES
  • We see 4 times the vulnerability reported in DependencyTrack UI

We might have a consistency issue in our database. Do you know how we can return to a normal state?

lsoumille avatar Nov 22 '22 08:11 lsoumille

We will want a similar treatment as https://github.com/DependencyTrack/dependency-track/pull/4837 for the COMPONENT_VULNERABILITIES table:

  • Clean up duplicates prior to upgrade.
  • After / during upgrade, create a primary key to prevent future dupes on the database level.
  • Use Sets rather than Lists in Java code to enforce uniqueness in the application as well.

nscuro avatar Jun 02 '25 13:06 nscuro
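The check nscuro asks for (are the same component and vulnerability joined more than once, as opposed to the project containing duplicate components?) and the three-step remediation plan above can be expressed as plain PostgreSQL. The following is an added example, not code from the Dependency-Track project or from this thread. It assumes the join table is named COMPONENTS_VULNERABILITIES, as in the original report, with columns COMPONENT_ID and VULNERABILITY_ID (the column names and the constraint name are assumptions; confirm them with \d "COMPONENTS_VULNERABILITIES" before running anything), and it should be run against a backup-protected database while the application is stopped.

```sql
-- Added example (not Dependency-Track's own migration). Assumed schema:
-- join table "COMPONENTS_VULNERABILITIES" with columns "COMPONENT_ID" and
-- "VULNERABILITY_ID" (assumption: verify with \d first).

-- 1. Check: list (component, vulnerability) pairs joined more than once.
--    Any row returned here is a duplicate join row, i.e. the database-level
--    inconsistency described in the thread, not a duplicate component.
SELECT "COMPONENT_ID", "VULNERABILITY_ID", COUNT(*) AS occurrences
FROM "COMPONENTS_VULNERABILITIES"
GROUP BY "COMPONENT_ID", "VULNERABILITY_ID"
HAVING COUNT(*) > 1
ORDER BY occurrences DESC;

-- 2. Clean up: keep exactly one physical row per pair, delete the rest.
--    ctid is PostgreSQL's physical row address; it lets us choose a survivor
--    even though the join table has no primary key yet.
BEGIN;
DELETE FROM "COMPONENTS_VULNERABILITIES" cv
USING "COMPONENTS_VULNERABILITIES" dup
WHERE cv."COMPONENT_ID"     = dup."COMPONENT_ID"
  AND cv."VULNERABILITY_ID" = dup."VULNERABILITY_ID"
  AND cv.ctid > dup.ctid;

-- 3. Prevent recurrence: a composite primary key rejects any future duplicate
--    at the database level, regardless of what the application code does.
--    (constraint name is an assumption)
ALTER TABLE "COMPONENTS_VULNERABILITIES"
  ADD CONSTRAINT "COMPONENTS_VULNERABILITIES_PK"
  PRIMARY KEY ("COMPONENT_ID", "VULNERABILITY_ID");
COMMIT;

-- Re-running step 1 after COMMIT must return zero rows.
```

Steps 2 and 3 are deliberately inside one transaction: if the ALTER TABLE fails because a duplicate slipped in between the two statements, the DELETE is rolled back as well and the table is left exactly as it was. Once the primary key exists, the remaining gap is the application side, which is what the thread's third bullet (Sets instead of Lists in the Java model) addresses.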