dependency-track
After Component update, only CVEs related to updated CPE should be available
Current Behavior
If we update the version and CPE of an existing component, all old CVEs not related to the new CPE and their audit histories are still available in Vulnerability Audit.
Steps to Reproduce
- Edit any existing component with an outdated version and CPE > Note available CVEs
- Change the version number and CPE to new ones
- After some time, check for new CVEs > Old and new CVEs are observed
Expected Behavior
After updating the version and CPE of an existing component, only new CVEs and previously found CVEs related to the new CPE and their audit histories should be available in Vulnerability Audit.
Dependency-Track Version
4.6.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported