
Same vulnerability different databases reported twice

Open BlythMeister opened this issue 2 years ago • 10 comments

Current Behavior

A vulnerability which exists in multiple databases is not linked, so it is reported as 2 issues (therefore doubling the risk score)

Steps to Reproduce

1. Import a BOM with a vulnerability present that is reported in NVD, GitHub and Sonatype

Expected Behavior

Vulnerabilities are linked and only reported once

Dependency-Track Version

4.6.2

Dependency-Track Distribution

Container Image

Database Server

MySQL

Database Server Version

No response

Browser

Google Chrome

BlythMeister, Nov 23 '22 07:11

Hi, I can see the same problem. In the GUI I see 10 vulnerabilities from 2 different DB sources and in the API I see only 5, so somehow the API is removing duplicates and the GUI is not. I use api/v1/metrics/project/ for checking the statistics.

agnieszka-docplanner, Feb 12 '23 15:02

Confirming too. Image taken from the audit tab showing the same vulnerability appearing once per vuln repository. We can also see the matching Vulnerability/aliases values. [image]

DT version: 4.7.1

sebastienDelcoigne, Apr 05 '23 12:04

Confirming duplication and cross-aliasing of the vuln sources/analyzers between NVD and GITHUB vuln, with the additional weirdness that:

  • the NVD vuln's direct Analyzer link in the Audit tab says "OSS Index" and points to https://ossindex.sonatype.org/vulnerability/CVE-... despite it being a NVD sourced vuln
  • the OSS Index's own vuln directly links to "OSS Index" too, but the link points to the always-404-ing https://ossindex.sonatype.org/vulnerability/sonatype-... (see https://github.com/DependencyTrack/dependency-track/issues/1141)

See: [image]

SaberStrat, May 05 '23 13:05

Hello @here, the same thing happens to me. So? How can we fix it? Thanks in advance. 🔥

germanparadisibfa, Jun 08 '23 15:06

It's been some time since the issue was reported so is there any update? I would love to have this one fixed.

KamilMigdal, Jan 22 '24 15:01

Note:

... (therefore doubling risk score)

The risk score is not doubled.

valentijnscholten, Jan 22 '24 17:01

Please pay attention to the problem, it is still relevant

WantDead, Mar 18 '24 12:03

@nscuro I believe, at least for now, this duplication is by design. Would it be helpful to document this somewhere, maybe in the design decisions docs that I believe is being created for Hyades?

valentijnscholten, Mar 18 '24 13:03

@valentijnscholten I guess the main problem for us is not the view but notifications. We are creating 2 Jira tickets for every finding, and then I need to manually remove them. It looks like you have a way to deduplicate those findings, because the API shows the right number, so why not use this algorithm when creating notifications?

agnieszka-docplanner, Mar 18 '24 14:03
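The alias-based collapsing the comment above asks for, written out as an added example that is not Dependency-Track's own code: a union-find over each finding's vulnerability id and its aliases, so a notification consumer can raise one ticket per (component, vulnerability) instead of one per source. The record shape and the sample findings are constructed for the example and are not the real findings API schema.

```python
"""Collapse findings that several sources (NVD, GitHub, OSS Index) report for one
vulnerability: ids are joined through their aliases with a union-find, so aliased
CVE/GHSA/sonatype ids form one group per component. Record shape is constructed."""

# Constructed sample: one vulnerability seen by three analyzers plus an unrelated one.
FINDINGS = [
    {"component": "pkg:maven/org.example/lib@1.0", "source": "NVD",
     "vulnId": "CVE-2022-0001", "aliases": ["GHSA-xxxx-yyyy-zzzz"]},
    {"component": "pkg:maven/org.example/lib@1.0", "source": "GITHUB",
     "vulnId": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-2022-0001"]},
    {"component": "pkg:maven/org.example/lib@1.0", "source": "OSSINDEX",
     "vulnId": "sonatype-2022-0001", "aliases": ["CVE-2022-0001"]},
    {"component": "pkg:maven/org.example/lib@1.0", "source": "NVD",
     "vulnId": "CVE-2022-0002", "aliases": []},
]

def _find(parent, x):
    """Root of x's alias group, with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra

def dedupe_findings(findings):
    """Return one entry per (component, alias group), in first-seen order,
    listing every id in the group and every source that reported it."""
    parent = {}
    for f in findings:
        ids = [f["vulnId"], *f["aliases"]]
        for i in ids:
            parent.setdefault(i, i)
        for alias in ids[1:]:
            _union(parent, ids[0], alias)
    groups, order = {}, []
    for f in findings:
        key = (f["component"], _find(parent, f["vulnId"]))
        if key not in groups:
            groups[key] = {"component": f["component"], "ids": [], "sources": []}
            order.append(key)
        g = groups[key]
        g["sources"].append(f["source"])
        for i in [f["vulnId"], *f["aliases"]]:
            if i not in g["ids"]:
                g["ids"].append(i)
    return [groups[k] for k in order]
```

Run `dedupe_findings(FINDINGS)` on the sample: the three NVD/GITHUB/OSSINDEX records collapse into one group carrying all three ids, and CVE-2022-0002 stays separate.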

I just tried this out using the latest DT version and can confirm it is still a problem. It makes maintaining VEX data pretty tiring tbh.

pkunze, May 17 '24 05:05