
Track and handle changes in which versions are affected by a given vulnerability

Open nscuro opened this issue 3 years ago • 0 comments

Current Behavior:

When mirroring vulnerability databases, we map them to the following internal models:

  • Vulnerability: The vulnerability itself, including ID, source, references, severity, CVSS, etc.
  • VulnerableSoftware: Describes which components and component versions are affected by a given vulnerability

As it is now, VulnerableSoftware entries are treated as "append-only", meaning entries are never removed, even though the relationship they describe may not be reported by any source anymore (e.g. when the related advisory was corrected).

Proposed Behavior:

Track what sources reported a given VulnerableSoftware, and track when it isn't reported anymore. Consider a VulnerableSoftware entry to be outdated / removed once no source reports it anymore.

Additionally, expose this "reported by" information to the API and UI, similar to the existing FindingAttribution. Remember to consider that VulnerableSoftware can stem from manual creation as well since we introduced support for internal vulnerabilities.

nscuro avatar Jul 24 '22 18:07 nscuro
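A sketch of the reconciliation the proposal describes, added here as an illustration and not code from Dependency-Track: each VulnerableSoftware entry keeps the set of sources that currently report it, a mirror run for one source adds or revives the entries it reports and withdraws that source from the ones it dropped, and an entry becomes outdated only when no source reports it and it was not created manually. The key shape (vulnerability id, PURL, version range) and the source names are assumptions; the vulnerability ids in the test are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Identity of one VulnerableSoftware relation: vulnerability id, affected
# package (PURL) and affected version range. This key shape is an assumption.
VsKey = Tuple[str, str, str]


@dataclass
class VulnerableSoftware:
    key: VsKey
    reported_by: Set[str] = field(default_factory=set)  # sources still reporting it
    manual: bool = False    # created by hand (internal vulnerability), never auto-removed
    outdated: bool = False  # no mirrored source reports it anymore


class VulnerableSoftwareStore:
    def __init__(self) -> None:
        self.entries: Dict[VsKey, VulnerableSoftware] = {}

    def add_manual(self, key: VsKey) -> None:
        """Register a manually created relation; it is exempt from expiry."""
        self.entries.setdefault(key, VulnerableSoftware(key)).manual = True

    def reconcile(self, source: str, reported: FrozenSet[VsKey]) -> Set[VsKey]:
        """Apply one mirror run of `source`, which reports exactly `reported`.

        Returns the keys that became outdated during this run.
        """
        newly_outdated: Set[VsKey] = set()
        # 1. Everything the source reports now is attributed to it (and revived).
        for key in reported:
            vs = self.entries.setdefault(key, VulnerableSoftware(key))
            vs.reported_by.add(source)
            vs.outdated = False
        # 2. Entries this source used to report but no longer does lose the attribution.
        for key, vs in self.entries.items():
            if key in reported or source not in vs.reported_by:
                continue
            vs.reported_by.discard(source)
            # Outdated only once *no* source is left and it was not created manually.
            if not vs.reported_by and not vs.manual and not vs.outdated:
                vs.outdated = True
                newly_outdated.add(key)
        return newly_outdated
```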