
Improve DT API to return Running on/With information

Open jonathangull opened this issue 2 years ago • 5 comments

Current Behavior

DT is NOT showing Running on/with (hardware affected) against a vulnerability under the Affected Components section, nor in its APIs. The NIST API shows this against a vulnerability.

e.g. CVE-2020-3479

https://nvd.nist.gov/vuln/detail/CVE-2020-3479

Please see the screenshots: DT vs the NIST API.

Proposed Behavior

DT to return Running On/With information as the NIST API does.

e.g. CVE-2020-3479

https://nvd.nist.gov/vuln/detail/CVE-2020-3479

Raising this after a suggestion from @stevespringett.

[Two screenshots attached, captured 2022-11-28: the DT affected-components view and the NIST API view of the same CVE]


jonathangull, Dec 08 '22 03:12

Hi team, can this be prioritised?

jonathangull, Jan 11 '23 04:01

Technically speaking, the hardware is not vulnerable in this case. The "Affected Components" in DT refer to things that are "directly" affected. The Cisco hardware in this case is not. If we were to add the hardware to the current affected components, then any Cisco 1100 series router defined in a BOM would be flagged as vulnerable, which it's not.

Hardware vulnerabilities are quite rare, but do happen.

In the proposed behavior above, you state that you only want "DT to return Running On/With information as NIST API". So you only want to SEE the information? If so, I think we can do that without falsely identifying non-vulnerable hardware as vulnerable.

stevespringett, Jan 11 '23 05:01

@stevespringett Yes Steve, I am aware the hardware shown under Running On/With is not affected. We just need to see the information so that, using the DT API, we can extract it and do our own OS + hardware analysis, reporting only vulnerabilities that affect the hardware + OS combination.

jonathangull, Mar 01 '23 05:03

@stevespringett Is it possible to approve and prioritize this, please?

jonathangull, Mar 05 '23 05:03

Hi, maybe it's possible to add a field, runningWith, to the description of a component.

If we don't have it, the matching is the same as now. If we do have the information: when the CVE from the NVD doesn't provide any "running" information, the matching is done with the CPE information as now, but when the NVD provides "running with", we perform a second triage on the previous matching done by the CPE of the software.

If we only have the hardware information, no matching is performed.

With this we have no false positives with the hardware, and we have fewer false positives than with the software CPE only.

What do you think? Regards.

ellipse2v, Jan 10 '24 06:01
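The two points made in this thread, that the NVD marks the "Running on/with" platform with vulnerable:false while only the software entries are vulnerable:true (Steve's comment), and that a runningWith field on a BOM component could drive a second triage pass after the usual CPE match (ellipse2v's proposal), as an added Python example. This is not Dependency-Track code and not code posted by anyone in the thread. It assumes CVE data shaped like the NVD CVE API 2.0 `configurations` array (operator / nodes / cpeMatch with `vulnerable`, `criteria` and the optional versionStart*/versionEnd* bounds), a hypothetical BOM component dict with a `cpe` key and an optional `runningWith` platform CPE, CPE strings without escaped colons, and a plain dotted-numeric version order. The CPE strings and the applicability data below are constructed for the example and are not the real CVE-2020-3479 record.

```python
"""Split NVD applicability data into affected vs running-on/with CPEs and
apply a two-stage match to a BOM. Added example, not Dependency-Track code.
Simplification: node operator/negate semantics are not modelled; entries are
grouped purely by their `vulnerable` flag within one configuration."""
from dataclasses import dataclass, field

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe):
    """cpe:2.3:part:vendor:product:version:... -> dict of the 11 WFN fields.
    Assumes no escaped ':' inside attribute values."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(v):
    """Dotted numeric version -> tuple for ordering (non-numeric parts -> 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cpe_matches(match, cpe):
    """Does the cpeMatch entry (criteria plus optional version range) cover `cpe`?
    '*' in the criteria is a wildcard; every other attribute must be equal."""
    crit, target = parse_cpe(match["criteria"]), parse_cpe(cpe)
    for f in CPE_FIELDS:
        if f != "version" and crit[f] != "*" and crit[f] != target[f]:
            return False
    if crit["version"] != "*":          # exact version in the criteria
        return crit["version"] == target["version"]
    v = version_key(target["version"])  # wildcard version: apply range bounds
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


@dataclass
class Applicability:
    affected: list = field(default_factory=list)      # vulnerable: true
    running_with: list = field(default_factory=list)  # vulnerable: false


def split_configurations(configurations):
    """One Applicability per NVD configuration. The vulnerable:false entries are
    what the NVD UI labels 'Running on/with'; DT today keeps only the
    vulnerable:true entries as Affected Components."""
    out = []
    for conf in configurations:
        app = Applicability()
        for node in conf.get("nodes", []):
            for m in node.get("cpeMatch", []):
                (app.affected if m.get("vulnerable") else app.running_with).append(m)
        out.append(app)
    return out


def match_component(component, configurations):
    """Return 'affected', 'affected-unverified-platform', or None.
    Stage 1 (as today): the component CPE must match a vulnerable:true entry,
    so a hardware-only component never matches. Stage 2 (proposed): if the
    configuration also lists platforms and the component declares runningWith,
    the platform must match one of them, otherwise the finding is dropped."""
    for app in split_configurations(configurations):
        if not any(cpe_matches(m, component["cpe"]) for m in app.affected):
            continue
        if not app.running_with:
            return "affected"                       # CVE has no platform data
        platform = component.get("runningWith")     # hypothetical BOM field
        if platform is None:
            return "affected-unverified-platform"   # keep the CPE-only match
        if any(cpe_matches(m, platform) for m in app.running_with):
            return "affected"
    return None


# Constructed sample shaped like an NVD API 2.0 `configurations` array: an OS
# version range that is vulnerable only when running on two router models.
SAMPLE_CONFIGURATIONS = [{"operator": "AND", "nodes": [
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "versionStartIncluding": "16.9.1", "versionEndExcluding": "16.12.4",
         "criteria": "cpe:2.3:o:examplevendor:router_os:*:*:*:*:*:*:*:*"}]},
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": False, "criteria": "cpe:2.3:h:examplevendor:router_1100:-:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:h:examplevendor:router_4200:-:*:*:*:*:*:*:*"}]}]}]

OS_CPE = "cpe:2.3:o:examplevendor:router_os:16.9.3:*:*:*:*:*:*:*"
SAMPLE_BOM = [  # constructed components
    {"name": "os-on-listed-router", "cpe": OS_CPE,
     "runningWith": "cpe:2.3:h:examplevendor:router_1100:-:*:*:*:*:*:*:*"},
    {"name": "os-on-other-router", "cpe": OS_CPE,
     "runningWith": "cpe:2.3:h:examplevendor:router_9999:-:*:*:*:*:*:*:*"},
    {"name": "os-platform-unknown", "cpe": OS_CPE},
    {"name": "os-patched", "cpe": "cpe:2.3:o:examplevendor:router_os:16.12.4:*:*:*:*:*:*:*",
     "runningWith": "cpe:2.3:h:examplevendor:router_1100:-:*:*:*:*:*:*:*"},
    {"name": "bare-router-hardware", "cpe": "cpe:2.3:h:examplevendor:router_1100:-:*:*:*:*:*:*:*"},
]


def triage(bom, configurations):
    """Map component name -> match result for the whole BOM."""
    return {c["name"]: match_component(c, configurations) for c in bom}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_BOM, SAMPLE_CONFIGURATIONS).items():
        print(f"{name:22s} -> {result}")
```

The bare router hardware never produces a finding because it only matches vulnerable:false entries, while the OS on an unlisted platform is dropped by the second stage; a component with no runningWith keeps today's CPE-only result, flagged so a consumer of the API can tell the two cases apart.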