dependency-track
Package version matching fails for pre-release versions (e.g. rc1)
Current Behavior
We noticed the vulnerabilities GHSA-cf56-g6w6-pqq2 and GHSA-c8m8-j448-xjx7 being reported for pkg:pypi/twisted@24.7.0 in our dtrack instance. This seems to be because Dependency-Track thinks 24.7.0 is smaller than 24.7.0rc1, the fixed pre-release version reported by GitHub (see screenshot of 'Affected Versions' view in dtrack GUI).
The vulnerabilities disappear if manually changing the BOM to include version 24.7.0rc1, implying the version matching logic does not account for the release-candidate syntax (see for example https://peps.python.org/pep-0440/#pre-releases).
We understand it might be hard to implement everyone's different version syntax, please let me know if this just won't be fixed!
test-BOM with only the mentioned component: test-bom.json
screenshot of 'Affected Components':
Steps to Reproduce
1. Create a project with component pkg:pypi/twisted@24.7.0 (i.e. upload the attached BOM)
2. Vuln GHSA-c8m8-j448-xjx7 gets erroneously reported
Expected Behavior
no known vulnerabilities for that version of twisted
Dependency-Track Version
4.11.7
Dependency-Track Distribution
Executable WAR
Database Server
PostgreSQL
Database Server Version
N/A
Browser
Google Chrome
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
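The ordering this report depends on, shown as an added example that is not part of the issue and not Dependency-Track's own code. Under PEP 440 a pre-release such as `24.7.0rc1` sorts before the final `24.7.0`, so a component at `24.7.0` is not older than a fix landing in `24.7.0rc1` and must not be flagged. The `pep440_less_than` comparator below implements that rule for a subset of PEP 440 (release segment plus a/b/rc pre-release; epochs, post-, dev- and local segments are not handled). The `naive_less_than` function is a constructed model of the symptom described above (a segment-wise compare that falls back to string ordering, so `"0" < "0rc1"`); it is an assumption used to reproduce the false positive, not a description of Dependency-Track's actual implementation.

```python
import re

# PEP 440 pre-release ordering (subset): a < b < rc < final release.
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_PRE_ALIASES = {"alpha": "a", "beta": "b", "c": "rc", "pre": "rc", "preview": "rc"}
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:[-_.]?(?P<pre_tag>a|b|rc|alpha|beta|c|pre|preview)[-_.]?(?P<pre_num>\d*))?$",
    re.IGNORECASE,
)


def parse_pep440_key(version):
    """Return a sort key (release tuple, is_final, pre_rank, pre_number).

    A final release gets is_final=1 and therefore sorts after every
    pre-release of the same release segment (is_final=0). Only the
    release + pre-release subset of PEP 440 is supported here.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    # PEP 440 treats trailing zeros as insignificant: 24.7 == 24.7.0
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    tag = m.group("pre_tag")
    if tag is None:
        return (release, 1, 0, 0)
    tag = _PRE_ALIASES.get(tag.lower(), tag.lower())
    num = int(m.group("pre_num") or 0)
    return (release, 0, _PRE_ORDER[tag], num)


def pep440_less_than(a, b):
    """True when version a is strictly older than b under PEP 440 rules."""
    return parse_pep440_key(a) < parse_pep440_key(b)


def naive_less_than(a, b):
    """Constructed model of a pre-release-unaware comparison (assumption, not
    Dependency-Track's code): compare dot-separated segments numerically when
    both are digits, otherwise lexically. "0" < "0rc1" makes 24.7.0 < 24.7.0rc1.
    """
    sa, sb = a.split("."), b.split(".")
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return int(x) < int(y)
        return x < y
    return len(sa) < len(sb)


def is_affected(component_version, fixed_in, less_than=pep440_less_than):
    """A component is affected only if it is strictly older than the fix version."""
    return less_than(component_version, fixed_in)


if __name__ == "__main__":
    # Constructed inputs mirroring the report: component 24.7.0, fix in 24.7.0rc1.
    component, fixed = "24.7.0", "24.7.0rc1"
    print("naive  :", is_affected(component, fixed, naive_less_than))   # True  (false positive)
    print("pep440 :", is_affected(component, fixed, pep440_less_than))  # False (correct)
    print("24.6.0 :", is_affected("24.6.0", fixed, pep440_less_than))   # True  (genuinely older)
```

Running the module prints the two verdicts side by side: the naive comparator flags `24.7.0` as affected, the PEP 440-aware one does not, while a genuinely older `24.6.0` is still caught by both. The same key function can be reused to check that `24.7` and `24.7.0` compare equal, which a pure string comparison also gets wrong.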