Identical component listed with different vulnerability info
Current Behavior
We track multiple branches of our software in DT. Most versions of the components are identical. We now have two branches ("A", created via SBOM upload 2 weeks ago; "B", created via SBOM upload 3 days ago) and "C", created by exporting the SBOM from "A" and importing it into a new "C" version. Some components are the same/identical (name, version and PURL) across all three projects, but in each project a different number of vulnerabilities is reported. "A" is taking the lead with 10 assigned vulnerabilities, "B" is listing 2, and "C", as a copy of "A", ends up with the same 2 vulnerabilities from "A".
If I re-upload "A"'s SBOM to "A", the vulnerability count (and the vulnerabilities for that component) just stays the same. If I delete the component in question from "A" and then upload the same SBOM again, the component re-appears with the correct (2) vulnerabilities.
So vulnerabilities that have been assigned to a component apparently never vanish, even if the same component comes up with far fewer assigned vulnerabilities in a new project/component/scan. How can I get those vulnerabilities to "un-stick"? (My guess is that they got there due to a mis-assignment by the analyser (trivy server) in the first place, but obviously current scans with trivy don't show those 8 mis-assigned vulnerabilities any more.)
Steps to Reproduce
- have old project with components that got vulns assigned
- have said vulns be fixed in the database (maybe matching pattern was too broad in first instance as "*", maybe it was the wrong component)
- re-scan the old project - wrong vulns stay
- export sbom, import as new project - does not list wrong vulns
Expected Behavior
Mis-assigned vulnerabilities do not stick to components. They are removed from the component when the vulnerability data is updated and it doesn't actually match the component any more.
Dependency-Track Version
4.12.3
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
don't know
Browser
Google Chrome
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this defect was already reported
Component was libc-bin: pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-24.04

Vulnerabilities that were assigned in "A": CVE-2023-6246, CVE-2023-6779, CVE-2016-20013, CVE-2023-6780, CVE-2025-0395, CVE-2024-33600, CVE-2024-33602, CVE-2024-2961, CVE-2024-33061, CVE-2024-33599

Assigned in "B" and "C": CVE-2016-20013, CVE-2025-0395
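One way to spot "stuck" findings like the ones described above is to pull the findings of two projects and compare, per identical PURL, which vulnerability IDs one project reports that the other does not. The script below is an added example and is not part of the issue or of Dependency-Track itself. The finding records are constructed inline and only loosely modelled on the shape of Dependency-Track's findings (`component.purl`, `vulnerability.vulnId`); those field names, the version placeholder in the PURL and the second `zlib1g` component are assumptions, while the CVE lists are the ones reported in the issue.

```python
"""Compare vulnerability findings for identical components across two
Dependency-Track projects and list the IDs that appear in one but not
the other.

Added example, not code from the issue or from Dependency-Track. The
record shape (component.purl / vulnerability.vulnId) is an assumption
modelled on the findings API; adapt the accessors if your export differs.
"""

from collections import defaultdict

# Constructed sample data. The PURL version is a placeholder because the
# issue text does not carry it intact; the zlib1g component is invented to
# show that components present in only one project are ignored.
PURL_LIBC = "pkg:deb/ubuntu/libc-bin@VERSION-PLACEHOLDER?arch=amd64&distro=ubuntu-24.04"
PURL_OTHER = "pkg:deb/ubuntu/zlib1g@VERSION-PLACEHOLDER?arch=amd64&distro=ubuntu-24.04"

# Vulnerability IDs reported for libc-bin in project "A" and in project "B",
# as listed in the issue.
VULNS_A = [
    "CVE-2023-6246", "CVE-2023-6779", "CVE-2016-20013", "CVE-2023-6780",
    "CVE-2025-0395", "CVE-2024-33600", "CVE-2024-33602", "CVE-2024-2961",
    "CVE-2024-33061", "CVE-2024-33599",
]
VULNS_B = ["CVE-2016-20013", "CVE-2025-0395"]


def make_findings(purl, vuln_ids):
    """Build finding records in the assumed shape for one component."""
    return [
        {"component": {"purl": purl}, "vulnerability": {"vulnId": vuln_id}}
        for vuln_id in vuln_ids
    ]


# "A" additionally carries a component that "B" does not have at all;
# the ID on it is a constructed placeholder, not a real CVE.
FINDINGS_A = make_findings(PURL_LIBC, VULNS_A) + make_findings(PURL_OTHER, ["EXAMPLE-0001"])
FINDINGS_B = make_findings(PURL_LIBC, VULNS_B)


def vulns_by_purl(findings):
    """Group the vulnerability IDs of a findings list by component PURL."""
    grouped = defaultdict(set)
    for finding in findings:
        grouped[finding["component"]["purl"]].add(finding["vulnerability"]["vulnId"])
    return grouped


def stale_findings(reference, fresh):
    """Return {purl: ids} for IDs reported in `reference` but not in `fresh`.

    Only components present in both projects are compared, so a component
    that simply does not exist in `fresh` is not flagged. Components whose
    findings agree are left out of the result.
    """
    ref, new = vulns_by_purl(reference), vulns_by_purl(fresh)
    result = {}
    for purl in ref.keys() & new.keys():
        extra = ref[purl] - new[purl]
        if extra:
            result[purl] = extra
    return result


def main():
    for purl, ids in stale_findings(FINDINGS_A, FINDINGS_B).items():
        print(f"{purl}: {len(ids)} finding(s) only in reference project")
        for vuln_id in sorted(ids):
            print(f"  {vuln_id}")


if __name__ == "__main__":
    main()
```

With real data the two finding lists would come from the findings export of each project; the comparison itself does not depend on where they were fetched from, and running it in both directions shows whether the difference is one-sided (as in the issue, where "B" reports a strict subset of "A") or whether the two projects genuinely disagree.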
Possibly related: #4613 #4611 #4468 #4345. If that's the case, it seems to be a regression since 4.12.0.
I suspect this is a symptom of https://github.com/DependencyTrack/dependency-track/issues/5460. Likely one or more vulnerabilities were previously reported by an analyzer, but are not anymore.