
Vulnerability Not Detected

Open ayedo opened this issue 1 year ago • 5 comments

Current Behavior

The vulnerability GHSA-qj66-m88j-hmgj:

Image

Is not detected for the following component:

Image

Steps to Reproduce

  1. Add the component shown in the image to a project
  2. Enable GitHub advisories
  3. Run analyser on the project with that component

Expected Behavior

I expect the vulnerability to be detected, since the component version lies within the version range described by the GitHub advisory.

I saw that the versions are a bit special, they contain "preview" and other punctuation - could it be related to that?

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

16.4

Browser

Mozilla Firefox

ayedo avatar Oct 16 '24 17:10 ayedo

I saw that the versions are a bit special, they contain "preview" and other punctuation - could it be related to that?

Yeah it seems DT can't work out that 8.0.0-preview.1.23110.8 is lower than 8.0.0. #2826 could help to deal with NuGet-specific versioning like this.

nscuro avatar Oct 16 '24 17:10 nscuro
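The ordering nscuro describes, as an added example (this is not Dependency-Track's own comparator, nor code from anyone in this thread): a SemVer 2.0.0 precedence comparison in which a pre-release such as 8.0.0-preview.1.23110.8 sorts below the release 8.0.0, next to the naive "drop everything after the dash" comparison that makes the two look equal and so misses a "< 8.0.0" bound. Assumptions, labelled in the code: NuGet compares pre-release labels case-insensitively and allows a fourth numeric part, GHSA/OSV ranges are inclusive of `introduced` and exclusive of `fixed`, and the range used in `__main__` is constructed for illustration (the actual range of GHSA-qj66-m88j-hmgj is not reproduced here).

```python
import re

# Added example, not Dependency-Track's code. Implements SemVer 2.0.0 precedence
# for the pre-release part, which is what makes 8.0.0-preview.1.23110.8 sort
# below 8.0.0. Assumptions: NuGet compares pre-release labels case-insensitively
# and allows a fourth numeric part (so 8.0.0 == 8.0.0.0).
_IDENT_RE = re.compile(r"^[0-9A-Za-z-]+$")


def _parse(version: str):
    """Split 'X.Y.Z[.W][-PRERELEASE][+BUILD]' into (4-int core tuple, pre-release identifiers)."""
    body, _, _build = version.partition("+")   # build metadata never affects precedence
    core, _, pre = body.partition("-")
    parts = core.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version core in {version!r}")
    core_t = tuple(int(p) for p in parts) + (0,) * (4 - len(parts))
    idents = pre.split(".") if pre else []
    if any(not _IDENT_RE.match(i) for i in idents):
        raise ValueError(f"bad pre-release identifier in {version!r}")
    return core_t, idents


def _ident_key(ident: str):
    # Numeric identifiers compare numerically and rank below alphanumeric ones
    # (SemVer 2.0.0, section 11); the lower() is the NuGet case-insensitivity assumption.
    if ident.isdigit():
        return (0, int(ident), "")
    return (1, 0, ident.lower())


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under SemVer precedence."""
    core_a, pre_a = _parse(a)
    core_b, pre_b = _parse(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if not pre_a and not pre_b:
        return 0
    if not pre_a:            # a release outranks every pre-release of the same core
        return 1
    if not pre_b:
        return -1
    for x, y in zip(pre_a, pre_b):
        kx, ky = _ident_key(x), _ident_key(y)
        if kx != ky:
            return -1 if kx < ky else 1
    # All shared identifiers equal: the version with more identifiers is higher.
    return (len(pre_a) > len(pre_b)) - (len(pre_a) < len(pre_b))


def naive_compare(a: str, b: str) -> int:
    """The failure mode: ignore the pre-release part and compare only the numeric core."""
    core_a, _ = _parse(a)
    core_b, _ = _parse(b)
    return (core_a > core_b) - (core_a < core_b)


def in_range(version: str, introduced=None, fixed=None, cmp=compare) -> bool:
    """OSV/GHSA-style range check (assumption): introduced is inclusive, fixed is exclusive."""
    if introduced is not None and cmp(version, introduced) < 0:
        return False
    if fixed is not None and cmp(version, fixed) >= 0:
        return False
    return True


if __name__ == "__main__":
    v = "8.0.0-preview.1.23110.8"
    # Constructed range for illustration only; not the advisory's real range.
    print("semver:", in_range(v, introduced="8.0.0-preview.1", fixed="8.0.0"))                    # True
    print("naive :", in_range(v, introduced="8.0.0-preview.1", fixed="8.0.0", cmp=naive_compare))  # False
```

The naive comparator reports 8.0.0-preview.1.23110.8 and 8.0.0 as equal, so an exclusive "< 8.0.0" upper bound excludes the pre-release; with SemVer precedence the pre-release sits below the release and the bound matches.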

@nscuro thanks for your quick reply. I'm trying to figure out a workaround to add the vulnerability manually. Do you have an idea how this could be achieved with reasonable work?

I've tried adding an entry like this, but it did not work:

-- Placeholders: replace each 'some uuid' with the UUID of the vulnerability and of the component.
WITH VulnerabilityID AS (
    SELECT "ID" FROM "VULNERABILITY" WHERE "UUID" = 'some uuid'
), ComponentID AS (
    SELECT "ID" FROM "COMPONENT" WHERE "UUID" = 'some uuid'
)
-- Link the component to the vulnerability in the join table between COMPONENT and VULNERABILITY.
-- The CROSS JOIN inserts nothing (rather than NULL ids) if either UUID does not match a row.
INSERT INTO "COMPONENTS_VULNERABILITIES" ("COMPONENT_ID", "VULNERABILITY_ID")
SELECT c."ID", v."ID" FROM ComponentID c CROSS JOIN VulnerabilityID v;

ayedo avatar Oct 18 '24 15:10 ayedo

Hi @ayedo, have you found a workaround to detect those vulnerabilities?

antoinbo avatar Nov 13 '24 18:11 antoinbo

I tried to reproduce the issue, but creating a component with the same PURL correctly found the vulnerability. I just found that I miss multiple GHSA for another component, and I wonder if this is due to GitHub API rate limitations?

antoinbo avatar May 28 '25 18:05 antoinbo

@antoinbo As of version 4.12.x (not sure which bugfix release it was, please check the changelog) we properly handle primary and secondary rate limiting for GitHub requests. If you're running an older version then that might indeed be the issue.

nscuro avatar May 29 '25 08:05 nscuro
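What handling GitHub's primary and secondary rate limits looks like in a client, as an added example (illustrative code, not Dependency-Track's implementation and not code from anyone in this thread). The decision rules follow GitHub's documented guidance for 403/429 responses: honour a `retry-after` header, otherwise wait until `x-ratelimit-reset` when `x-ratelimit-remaining` is 0, otherwise back off for at least a minute and double on each further blind retry. The response sequence, header values, timestamps and the advisory body are constructed; the clock is simulated instead of sleeping so the block runs offline.

```python
from typing import Mapping, Optional, Tuple

# Added example, not Dependency-Track's code. Decision rules follow GitHub's
# published guidance for rate-limited responses; all responses below are constructed.


def classify(status: int, headers: Mapping[str, str]) -> Optional[Tuple[str, Optional[float]]]:
    """Identify a rate-limit response. Returns None for non-rate-limit statuses, else
    ('secondary', retry_after_seconds) | ('primary', reset_epoch) | ('unknown', None)."""
    if status not in (403, 429):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    if "retry-after" in h:                                   # secondary limit, explicit wait
        return ("secondary", float(h["retry-after"]))
    if h.get("x-ratelimit-remaining") == "0" and "x-ratelimit-reset" in h:
        return ("primary", float(h["x-ratelimit-reset"]))    # primary limit, wait for reset
    return ("unknown", None)                                 # 403/429 with no hints


def rate_limit_delay(status: int, headers: Mapping[str, str], now: float, blind_retries: int) -> Optional[float]:
    """Seconds to wait before retrying, or None when the response is not rate limited."""
    kind = classify(status, headers)
    if kind is None:
        return None
    label, value = kind
    if label == "secondary":
        return max(0.0, value)
    if label == "primary":
        return max(0.0, value - now)
    # No header to go on: at least one minute, doubling per blind retry, capped at 16 minutes.
    return 60.0 * (2 ** min(blind_retries, 4))


def fetch_with_backoff(responses, now: float = 1_700_000_000.0, max_attempts: int = 6):
    """Walk a scripted list of (status, headers, body) responses the way a client would,
    'sleeping' by advancing the simulated clock. Returns (body, waits_in_seconds)."""
    waits = []
    blind_retries = 0      # only 403/429 responses without rate-limit headers escalate the backoff
    for status, headers, body in responses[:max_attempts]:
        delay = rate_limit_delay(status, headers, now, blind_retries)
        if delay is None:
            if status == 200:
                return body, waits
            raise RuntimeError(f"unexpected HTTP {status}")
        if classify(status, headers)[0] == "unknown":
            blind_retries += 1
        waits.append(delay)
        now += delay       # simulated sleep
    raise RuntimeError(f"gave up: still rate limited after {max_attempts} attempts")


# Constructed response sequence (not captured from api.github.com).
CONSTRUCTED_RESPONSES = [
    (403, {"Retry-After": "5"}, None),                                                 # secondary limit
    (403, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000100"}, None),    # primary limit
    (429, {}, None),                                                                   # no hints
    (200, {"X-RateLimit-Remaining": "4999"}, {"advisories": ["GHSA-qj66-m88j-hmgj"]}),  # success
]


if __name__ == "__main__":
    body, waits = fetch_with_backoff(CONSTRUCTED_RESPONSES)
    print("waited (s):", waits)   # [5.0, 95.0, 60.0]
    print("body:", body)
```

A client that retries immediately on the first 403 instead of waiting, or that gives up on it, silently ends the advisory sync early, which is the symptom the thread describes: some advisories present, others missing, with no error.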

I have the same issue: missing some vulnerabilities, GHSA-jvhh-2m83-6w29 for example.

SA-KIRA avatar Sep 19 '25 13:09 SA-KIRA