
[v2] Link of top cves in Runtime Bom section is broken

Open saurabh2253 opened this issue 1 year ago • 2 comments

Describe the bug: Click on any of the links to top CVEs under Runtime BOM. The page navigates to an empty side panel on the unique-vulnerabilities page.

https://github.com/deepfence/ThreatMapper/assets/3922581/2a8ac484-69dd-45c9-8440-149c0c06e8c9

saurabh2253, Jul 17 '23 18:07

We use the lookup vulnerability API to show this side panel. The node_id this API expects is in the format <package_name+version><CVE_id>, for example linux-modules-5.4.0-139-generic:5.4.0-139.156CVE-2020-14304.

Now, from the runtime BOM response:

```json
{
  "package_name": "commons-text",
  "version": "1.9",
  "locations": [
    "/home/webgoat/webgoat.jar"
  ],
  "licenses": [
    "https://www.apache.org/licenses/LICENSE-2.0.txt"
  ],
  "cve_id": "CVE-2022-42889",
  "severity": "critical"
}
```

I am not sure how to construct the id format that the lookup API expects from the SBOM response above.

It used to work earlier because the id format used to be just cve_id.

manV, Jul 18 '23 05:07

Ok, it appears to be <package_name>:<version><cve_id>.

manV, Jul 18 '23 06:07
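As an added example (not ThreatMapper's own code), the helper below builds the lookup node_id from a Runtime BOM entry using the `<package_name>:<version><cve_id>` format confirmed above, and parses it back; the interface and the `CVE-` anchoring used for parsing are assumptions, since the format itself carries no separator between version and CVE id.

```typescript
// Added example: build and parse the node_id the lookup vulnerability API
// expects, per the format confirmed in this issue:
//   <package_name>:<version><cve_id>
// Assumes the BOM entry shape shown in the issue; not ThreatMapper's own code.

interface RuntimeBomEntry {
  package_name: string;
  version: string;
  cve_id: string;
  severity?: string;
  locations?: string[];
  licenses?: string[];
}

// Build the lookup id. Throws on missing fields instead of producing an id
// that would silently open an empty side panel (the symptom in this issue).
function buildVulnerabilityNodeId(entry: RuntimeBomEntry): string {
  const { package_name, version, cve_id } = entry;
  if (!package_name || !version || !cve_id) {
    throw new Error(`incomplete BOM entry: ${JSON.stringify(entry)}`);
  }
  return `${package_name}:${version}${cve_id}`;
}

// Inverse: recover the parts from a node_id. There is no separator between
// version and cve_id, so anchor on the trailing CVE identifier and split
// package/version on the first ':' (assumes package_name contains no ':';
// versions such as 5.4.0-139.156 may contain dots and dashes).
function parseVulnerabilityNodeId(nodeId: string): RuntimeBomEntry | null {
  const m = /^([^:]+):(.+?)(CVE-\d{4}-\d{4,})$/.exec(nodeId);
  if (!m) return null;
  return { package_name: m[1], version: m[2], cve_id: m[3] };
}

// Constructed sample entry, mirroring the response shape shown in the issue.
const sample: RuntimeBomEntry = {
  package_name: 'commons-text',
  version: '1.9',
  locations: ['/home/webgoat/webgoat.jar'],
  licenses: ['https://www.apache.org/licenses/LICENSE-2.0.txt'],
  cve_id: 'CVE-2022-42889',
  severity: 'critical',
};

console.log(buildVulnerabilityNodeId(sample)); // commons-text:1.9CVE-2022-42889
```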