Attributed on date of vulnerability shows a date after suppression/comment date
Current Behavior
Steps to Reproduce
- One of the ways this can be caused is through an SBOM update. The Attributed date is updated but the vulnerability stays the same. I also noticed that new vulnerabilities that are discovered 2 weeks after the SBOM is uploaded will retain the date of the SBOM upload.
Expected Behavior
The expected behavior would be for the Attributed On field to update when a vulnerability is matched to a component.
Dependency-Track Version
4.10.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
Are you using project cloning by chance?
This bug was fixed in 4.11: #3464
Yes we are.
On Tue, Jul 2, 2024 at 2:59 AM Niklas @.***> wrote:
> Are you using project cloning by chance?
> This bug was fixed in 4.11: #3464 https://github.com/DependencyTrack/dependency-track/issues/3464
Mirroring. Not cloning. Sorry. How would I know if we were cloning?
Yes, we are using cloning. Should we shut this off?
@Sp33dy42 Cloning happens either via the `/api/v1/project/clone` REST API endpoint, or when using the Add Version functionality in the frontend.
DT versions prior to v4.11 had a bug where the attribution date for findings would not be retained when cloning. Instead, they were assigned the current date.
You don't need to stop cloning projects, but you should update your DT installation to benefit from the bugfix.
Thank you so much Niklas!
On Wed, Jul 3, 2024 at 8:37 AM Niklas @.***> wrote:
> @Sp33dy42 https://github.com/Sp33dy42 Cloning happens either via /api/v1/project/clone REST API endpoint, or when using the Add Version functionality in the frontend.
> DT versions prior to v4.11 had a bug where the attribution date for findings would not be retained when cloning. Instead they were assigned the current date.
> You don't need to stop cloning projects, but you should update your DT installation to benefit from the bugfix.
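
A check for the symptom in this issue's title, as an added example that is not part of the thread or of Dependency-Track's own code: it flags findings whose attribution date is later than their earliest audit comment. The record layout and field names are assumptions for a joined export of findings and their audit trail, and the sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample: findings joined with their audit trail. The layout and
# field names are assumptions for this example; timestamps are epoch millis.
SAMPLE = json.loads("""[
 {"component": "acme-lib 1.2.0", "vulnerability": "VULN-0001",
  "attribution": {"attributedOn": 1719900000000},
  "analysis": {"isSuppressed": true, "comments": [{"timestamp": 1709300000000}]}},
 {"component": "acme-lib 1.2.0", "vulnerability": "VULN-0002",
  "attribution": {"attributedOn": 1709000000000},
  "analysis": {"isSuppressed": true, "comments": [{"timestamp": 1709300000000}]}},
 {"component": "acme-core 3.0.1", "vulnerability": "VULN-0003",
  "attribution": {"attributedOn": 1719900000000},
  "analysis": {"isSuppressed": false, "comments": []}},
 {"component": "acme-core 3.0.1", "vulnerability": "VULN-0004",
  "attribution": {"attributedOn": 1715000000000},
  "analysis": {"isSuppressed": false,
               "comments": [{"timestamp": 1719000000000}, {"timestamp": 1709300000000}]}}
]""")

MS_PER_DAY = 86_400_000

def iso_day(ms):
    """Epoch milliseconds -> UTC calendar day."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")

def reattributed_findings(findings):
    """Return findings attributed later than their earliest audit comment.

    A finding cannot have been commented on or suppressed before it existed,
    so such a record means the attribution date was overwritten afterwards.
    """
    flagged = []
    for f in findings:
        attributed = (f.get("attribution") or {}).get("attributedOn")
        comments = (f.get("analysis") or {}).get("comments") or []
        stamps = [c["timestamp"] for c in comments if "timestamp" in c]
        if attributed is None or not stamps:
            continue  # no attribution or no audit trail: nothing to compare
        first_audit = min(stamps)
        if attributed > first_audit:
            flagged.append({"component": f["component"], "vulnerability": f["vulnerability"],
                            "attributed": iso_day(attributed), "first_audit": iso_day(first_audit),
                            "skew_days": (attributed - first_audit) // MS_PER_DAY})
    return flagged

if __name__ == "__main__":
    for row in reattributed_findings(SAMPLE):
        print(row)
```

Findings without an audit trail are skipped because there is no earlier timestamp to compare against, so an empty result does not prove that no attribution dates were reset.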