Update OssIndexAnalysisTask.java
Removed workaround for OssIndexAnalysis when component had "v" as version prefix
Description
I've noticed that calling the OSS Index API https://ossindex.sonatype.org/api/v3/component-report with pkg:composer/symfony/[email protected] correctly returns the vulnerability CVE-2024-50343, while calling the API with pkg:composer/symfony/[email protected] (note the absence of v) I get back no vulnerability.
In the OssIndexAnalysisTask class I found that the minimizePurl() method removes the v just before calling the API, apparently because previously there was a bug (as explained in the comment block above the function definition) that now seems solved.
Addressed Issue
https://github.com/DependencyTrack/dependency-track/pull/1220
Additional Details
Checklist
- [X] I have read and understand the contributing guidelines
- [X] This PR fixes a defect, and I have provided tests to verify that the fix is effective
- [X] This PR implements an enhancement, and I have provided tests to verify that it works as intended
- [X] This PR introduces changes to the database model, and I have added corresponding update logic
- [X] This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
:tada: Snyk checks have passed. No issues have been found so far.
:white_check_mark: security/snyk check is complete. No issues have been found.
Hi, any progress on this? There are a lot of components with "v" in the version and they are currently not being properly analyzed.
Here's a related Slack discussion: https://owasp.slack.com/archives/C6R3R32H4/p1754692145518059
I am not confident removing this logic for all ecosystems will yield the desired result, as in some cases adding the v will cause all vulnerabilities across all versions to be returned.
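The two failure modes raised in this thread (the description's case, where the bare version returns nothing while the "v"-prefixed one returns CVE-2024-50343, and the maintainer's concern that for some ecosystems the prefixed form returns findings for every version) are both cases of the two coordinates disagreeing. The example below is added here and is not Dependency-Track's code or its `minimizePurl()`: it queries both the reported and the "v"-stripped coordinate and reports the disagreement instead of committing to one normalization for all ecosystems. The package name `symfony/example-package`, the version `5.4.0`, the `pkg:example/...` ecosystem and every API response are constructed fixtures; only the composer/symfony situation and CVE-2024-50343 come from the discussion.

```python
# Added example (not Dependency-Track's code): keep both the reported and the
# "v"-stripped Package URL, query each, and record when the two coordinates
# disagree instead of silently trusting one normalization for every ecosystem.
# All API responses here are constructed fixtures; only the composer/symfony
# case and CVE-2024-50343 come from the PR discussion.
import re
from typing import Callable, Dict, List, Optional, Set

_V_PREFIX = re.compile(r"^v(?=\d)")  # a leading 'v' directly followed by a digit


def split_purl(purl: str):
    """Split pkg:TYPE/NAME[@VERSION][?QUALIFIERS] into its parts (minimal parser, no subpath)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body, _, qualifiers = purl[4:].partition("?")
    ptype, _, rest = body.partition("/")
    if not ptype or not rest:
        raise ValueError("purl needs a type and a name: " + purl)
    name, _, version = rest.partition("@")
    return ptype, name, (version or None), (("?" + qualifiers) if qualifiers else "")


def join_purl(ptype: str, name: str, version: Optional[str], qualifiers: str) -> str:
    return f"pkg:{ptype}/{name}" + (f"@{version}" if version else "") + qualifiers


def coordinate_variants(purl: str) -> List[str]:
    """Return the purl as reported, then (if different) with a leading 'v' stripped.

    The 'v' is only stripped when a digit follows it, so a version such as
    'vendor-build' is left untouched.
    """
    ptype, name, version, qualifiers = split_purl(purl)
    variants = [join_purl(ptype, name, version, qualifiers)]
    if version and _V_PREFIX.match(version):
        variants.append(join_purl(ptype, name, _V_PREFIX.sub("", version, count=1), qualifiers))
    return variants


Fetcher = Callable[[str], List[str]]  # coordinate -> list of vulnerability ids


def reconcile(purl: str, fetch: Fetcher) -> Dict[str, object]:
    """Query every variant and report where the results differ.

    'disagree' is True when the variants return different id sets: one form
    finding CVE-2024-50343 while the other finds nothing, or one form
    returning findings for every version. 'spread' is the size difference
    between the largest and smallest result, a cheap signal that one form
    over-matches. The caller can then use the union, or escalate for review,
    rather than picking one normalization blindly.
    """
    per_variant: Dict[str, Set[str]] = {v: set(fetch(v)) for v in coordinate_variants(purl)}
    id_sets = list(per_variant.values())
    union: Set[str] = set().union(*id_sets)
    return {
        "variants": {k: sorted(v) for k, v in per_variant.items()},
        "union": sorted(union),
        "disagree": len(id_sets) > 1 and any(s != id_sets[0] for s in id_sets[1:]),
        "spread": max(map(len, id_sets)) - min(map(len, id_sets)),
    }


# Constructed fixture standing in for the component-report API. The package
# name, version and the "example" ecosystem are placeholders for this example.
_FIXTURE: Dict[str, List[str]] = {
    "pkg:composer/symfony/example-package@v5.4.0": ["CVE-2024-50343"],  # prefixed form: finding
    "pkg:composer/symfony/example-package@5.4.0": [],                   # bare form: nothing
    # hypothetical ecosystem where the prefixed form over-matches every version
    "pkg:example/acme/lib@v1.0.0": ["EXAMPLE-1", "EXAMPLE-2", "EXAMPLE-3"],
    "pkg:example/acme/lib@1.0.0": ["EXAMPLE-1"],
}


def fixture_fetch(coordinate: str) -> List[str]:
    """Stand-in for the HTTP call; returns the constructed fixture's ids."""
    return _FIXTURE.get(coordinate, [])


if __name__ == "__main__":
    for p in ("pkg:composer/symfony/example-package@v5.4.0", "pkg:example/acme/lib@v1.0.0"):
        print(p, reconcile(p, fixture_fetch))
```

In a real analyzer `fixture_fetch` would be the call to the component-report endpoint; the point is that a disagreement between the two coordinates is surfaced as data (and can be logged or alerted on) instead of being hidden by whichever normalization the code happens to apply.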