Same component has vulnerabilities in one project, but not in another
Current Behavior
One of my users reported that one of his dependencies is showing as having vulnerabilities in one of his projects. He does, however, use this dependency in multiple projects, and in the others it is not shown as having vulnerabilities. According to OSSIndex, the dependency should NOT have any vulnerabilities!
Steps to Reproduce
Not sure if this is reproducible; we've just been uploading SBOMs for projects and noticed this issue during the audit.
Expected Behavior
I expect a component that is used multiple times to have the same (or no) vulnerabilities between all projects.
Dependency-Track Version
4.13.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
16.8
Browser
Mozilla Firefox
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this defect was already reported
If you open the "View details" link, are they still identical? There could be a CPE vs PURL issue at play here. Also see: https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/
Looks the same to me...
I also have this issue (created #5430 as I did not see this one)
This can happen if an analyzer reported a vulnerability once, but later stopped doing so, e.g. because they fixed a false positive on their end.
The "older" of your projects would then have the vulnerability reported; the younger wouldn't.
DT intentionally doesn't assign vulnerabilities globally since they can be contextual. Trivy for example may only report certain vulnerabilities if other specific components are also present in a project.
What definitely should happen is that findings that are no longer reported by any analyzer get suppressed automatically. This, however, requires a lot of coordination to ensure findings don't flip-flop between being suppressed and un-suppressed, and is yet to be implemented.
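Since findings are stored per project, the practical way to confirm the "stale finding" explanation above is to pull both projects' findings and compare them per PURL, looking at which analyzer attributed each finding and when. The script below is an added example written for this thread, not code from Dependency-Track or from anyone in the discussion. It assumes the `GET /api/v1/finding/project/{uuid}` endpoint authenticated with an `X-Api-Key` header, and assumes the finding objects carry `component.purl`, `vulnerability.vulnId`/`source`, `analysis.isSuppressed` and `attribution.analyzerIdentity`/`attributedOn`; those field names are an assumption and should be checked against your instance's OpenAPI page. The sample data at the bottom is constructed (placeholder vulnIds, not real advisories) so the comparison can be run offline.

```python
"""Diff the active findings of a component across two Dependency-Track projects.

Findings in Dependency-Track are recorded per project, so the same PURL can
carry a stale finding in one project and none in another. This script pulls
each project's findings, indexes them by PURL and reports every vulnId that is
active in one project but not the other, together with the analyzer that
attributed it and when, which is what you need to tell a stale finding from a
genuinely contextual one.
"""
import json
import sys
import urllib.request
from collections import defaultdict

# Assumed shape of the objects returned by GET /api/v1/finding/project/{uuid}:
# component.purl, vulnerability.vulnId/source, analysis.isSuppressed,
# attribution.analyzerIdentity/attributedOn. These field names are an
# assumption made for this example, not something stated in the thread.


def fetch_findings(base_url, api_key, project_uuid):
    """Fetch a project's findings over the REST API (network call, not exercised offline)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/finding/project/{project_uuid}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def index_by_purl(findings):
    """Map purl -> {vulnId: finding}, keeping only findings that are not suppressed."""
    index = defaultdict(dict)
    for finding in findings:
        purl = (finding.get("component") or {}).get("purl")
        if not purl:
            continue  # without a PURL the component cannot be matched across projects
        if (finding.get("analysis") or {}).get("isSuppressed"):
            continue  # a suppressed finding is not "shown as vulnerable" in the UI
        index[purl][finding["vulnerability"]["vulnId"]] = finding
    return index


def describe(finding):
    """The provenance a reviewer wants: source, reporting analyzer and attribution time."""
    attribution = finding.get("attribution") or {}
    return {
        "source": finding["vulnerability"].get("source"),
        "analyzer": attribution.get("analyzerIdentity"),
        "attributedOn": attribution.get("attributedOn"),
    }


def report_drift(findings_a, findings_b):
    """For every PURL with findings in either project, list vulnIds present on only one side.

    A PURL with active findings in A and none in B shows up with an empty
    'only_in_b'; that is exactly the situation reported in this issue.
    """
    index_a, index_b = index_by_purl(findings_a), index_by_purl(findings_b)
    drift = {}
    for purl in sorted(set(index_a) | set(index_b)):
        vulns_a, vulns_b = index_a.get(purl, {}), index_b.get(purl, {})
        only_a = {v: describe(f) for v, f in vulns_a.items() if v not in vulns_b}
        only_b = {v: describe(f) for v, f in vulns_b.items() if v not in vulns_a}
        if only_a or only_b:
            drift[purl] = {"only_in_a": only_a, "only_in_b": only_b}
    return drift


# Constructed sample data standing in for two API responses; the vulnIds are
# placeholders, not real advisories.
LIB = "pkg:maven/org.example/lib@1.2.3"
OTHER = "pkg:maven/org.example/other@2.0.0"
SAMPLE_OLD_PROJECT = [
    {"component": {"purl": LIB}, "vulnerability": {"vulnId": "EXAMPLE-0001", "source": "OSSINDEX"},
     "analysis": {"isSuppressed": False},
     "attribution": {"analyzerIdentity": "OSSINDEX_ANALYZER", "attributedOn": 1700000000000}},
    {"component": {"purl": LIB}, "vulnerability": {"vulnId": "EXAMPLE-0003", "source": "INTERNAL"},
     "analysis": {"isSuppressed": True},  # suppressed: must be ignored by the diff
     "attribution": {"analyzerIdentity": "INTERNAL_ANALYZER", "attributedOn": 1700000000000}},
    {"component": {"purl": OTHER}, "vulnerability": {"vulnId": "EXAMPLE-0002", "source": "INTERNAL"},
     "analysis": {"isSuppressed": False},
     "attribution": {"analyzerIdentity": "INTERNAL_ANALYZER", "attributedOn": 1700000000000}},
]
SAMPLE_NEW_PROJECT = [
    {"component": {"purl": OTHER}, "vulnerability": {"vulnId": "EXAMPLE-0002", "source": "INTERNAL"},
     "analysis": {"isSuppressed": False},
     "attribution": {"analyzerIdentity": "INTERNAL_ANALYZER", "attributedOn": 1710000000000}},
]


if __name__ == "__main__":
    if len(sys.argv) == 5:  # python drift.py BASE_URL API_KEY PROJECT_A_UUID PROJECT_B_UUID
        base, key, uuid_a, uuid_b = sys.argv[1:]
        a, b = fetch_findings(base, key, uuid_a), fetch_findings(base, key, uuid_b)
    else:
        a, b = SAMPLE_OLD_PROJECT, SAMPLE_NEW_PROJECT
    print(json.dumps(report_drift(a, b), indent=2))
```

Run it with the two project UUIDs and an API key that has `VIEW_VULNERABILITY` on both projects; run it with no arguments to see the constructed case. In the output, an entry that is `only_in_a` with an old `attributedOn` and an analyzer that no longer reports it is the stale-finding case the maintainer describes, and the candidate for manual suppression; an entry attributed by an analyzer such as Trivy is the contextual case and may be legitimate. The comparison is by PURL only, so a component identified by CPE in one SBOM and by PURL in the other will not be matched.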