dependency-track
Toggle Duplicate CVE Notifications
The enhancement may already be reported! Please search for the enhancement before creating one.
Current Behavior:
When Dependency Track uses the GitHub external repository source to find additional vulnerabilities, Dependency Track will send a notification that a new vulnerability has been found even though the same CVE has already been reported for that component from another source. This results in duplicate CVEs being reported, but from two different sources.
Proposed Behavior:
The number of duplicate vulnerabilities can be reduced by checking the CVE reported from GitHub and cross-checking for a CVE reported for the same component, and not reporting the GitHub notification if the CVE already exists. Some users may want to continue to receive notifications from both sources even if they are duplicates, in case one gives more information than the other, so it would be ideal to let the user enable this feature as wanted.
Related to #1642
Would be great if it could be configured, that aliased GHSA or other sources are not shown (or can be hidden) if there's a CVE available as well.
Maybe also a toggle "Suppress duplicates" (show CVE only) in the vulnerability list of components or projects?
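The two ideas in this thread (suppressing a NEW_VULNERABILITY notification when the same CVE is already known for the component, and hiding aliased GHSA entries from a list when a CVE entry exists) can be sketched as a small Python model. This is an added illustration written for this page, not Dependency-Track's own code or data model; the `Finding` class, the `suppress_duplicates` toggle, the component purls and the vulnerability identifiers are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported for one component by one source (hypothetical model)."""
    component: str                 # package URL of the affected component (constructed)
    source: str                    # e.g. "NVD", "GITHUB", "OSSINDEX"
    vuln_id: str                   # the source's own identifier, CVE-... or GHSA-...
    aliases: Tuple[str, ...] = ()  # identifiers the source says refer to the same issue


def canonical_cve(f: Finding) -> Optional[str]:
    """Return the CVE id this finding maps to, either directly or via an alias."""
    for ident in (f.vuln_id, *f.aliases):
        if ident.upper().startswith("CVE-"):
            return ident.upper()
    return None  # no CVE known for this finding, so it cannot be a CVE duplicate


class NotificationDeduper:
    """Decides whether a finding should trigger a NEW_VULNERABILITY notification."""

    def __init__(self, suppress_duplicates: bool) -> None:
        self.suppress_duplicates = suppress_duplicates
        self._seen: Set[Tuple[str, str]] = set()  # (component, CVE) already notified

    def should_notify(self, f: Finding) -> bool:
        cve = canonical_cve(f)
        if cve is None:
            return True  # nothing to cross-check against, always notify
        key = (f.component, cve)
        if self.suppress_duplicates and key in self._seen:
            return False  # same CVE on the same component already announced
        self._seen.add(key)
        return True


def process(findings: Iterable[Finding], suppress_duplicates: bool) -> List[Finding]:
    """Return the findings that would be notified, in arrival order."""
    deduper = NotificationDeduper(suppress_duplicates)
    return [f for f in findings if deduper.should_notify(f)]


def dedupe_list(findings: Iterable[Finding]) -> List[Finding]:
    """'Show CVE only' view: hide aliased non-CVE entries when the CVE itself is listed."""
    findings = list(findings)
    cves_listed = {
        (f.component, canonical_cve(f))
        for f in findings
        if f.vuln_id.upper().startswith("CVE-")
    }
    return [
        f for f in findings
        if f.vuln_id.upper().startswith("CVE-")
        or (f.component, canonical_cve(f)) not in cves_listed
    ]


# Constructed sample: two components, findings arriving from NVD and GitHub.
LIB = "pkg:maven/org.example/lib@1.2.3"
OTHER = "pkg:maven/org.example/other@2.0.0"
SAMPLE_FINDINGS = [
    Finding(LIB, "NVD", "CVE-0000-1111"),
    Finding(LIB, "GITHUB", "GHSA-xxxx-xxxx-xxxx", aliases=("CVE-0000-1111",)),  # duplicate
    Finding(LIB, "GITHUB", "GHSA-yyyy-yyyy-yyyy"),                              # no CVE yet
    Finding(OTHER, "GITHUB", "GHSA-zzzz-zzzz-zzzz", aliases=("CVE-0000-2222",)),
    Finding(OTHER, "NVD", "CVE-0000-2222"),                                     # duplicate
]

if __name__ == "__main__":
    for toggle in (False, True):
        sent = process(SAMPLE_FINDINGS, suppress_duplicates=toggle)
        print(f"suppress_duplicates={toggle}: {[f.vuln_id for f in sent]}")
    print("CVE-only list:", [f.vuln_id for f in dedupe_list(SAMPLE_FINDINGS)])
```

Note that the notification path is order-dependent (whichever source reports the CVE first wins, so the second source's extra detail would be the one suppressed), while the list view is order-independent because it always prefers the entry that carries the CVE id itself. A GHSA with no CVE alias is never hidden by either path, since there is no CVE to match it against.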