syalioune
Looking at the different logs and SBOMs provided, the common pattern that emerges is a nested duplicate component like in the SBOM below ```json { "bomFormat": "CycloneDX", "specVersion": "1.4", "version":...
Hello @salfie Thanks for your thorough investigation. It matches my observations and based on that, I can provide the attached real-life reproducible example [cyclonedx-gomod-issue-1905.zip](https://github.com/DependencyTrack/dependency-track/files/11602835/cyclonedx-gomod-issue-1905.zip). Given the example application...
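The "nested duplicate component" pattern described in the two comments above, as an added example that is not part of the original thread and not Dependency-Track's or cyclonedx-gomod's own code: a small walker that flattens a CycloneDX 1.4 component tree (top-level `components` plus any `components` nested under a component) and reports every identity that shows up more than once. The sample BOM is constructed for illustration; the `pkg:golang/example.com/...` purls are made up, and using the purl (falling back to name@version) as the identity is an assumption of this example.

```python
"""Flatten a CycloneDX 1.4 BOM's component tree and report components that
appear more than once, e.g. once at top level and again nested under another
component's "components" array (the pattern discussed in issue 1905)."""
import json

# Constructed sample BOM (not from the issue): "c" is listed at top level and
# again nested under "b", with the same bom-ref and purl both times.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:golang/example.com/a@v1.0.0",
         "name": "a", "version": "v1.0.0", "purl": "pkg:golang/example.com/a@v1.0.0"},
        {"type": "library", "bom-ref": "pkg:golang/example.com/b@v2.0.0",
         "name": "b", "version": "v2.0.0", "purl": "pkg:golang/example.com/b@v2.0.0",
         "components": [
             {"type": "library", "bom-ref": "pkg:golang/example.com/c@v0.3.0",
              "name": "c", "version": "v0.3.0", "purl": "pkg:golang/example.com/c@v0.3.0"},
         ]},
        {"type": "library", "bom-ref": "pkg:golang/example.com/c@v0.3.0",
         "name": "c", "version": "v0.3.0", "purl": "pkg:golang/example.com/c@v0.3.0"},
    ],
})


def iter_components(components, path=()):
    """Depth-first walk yielding (path, component) for every component,
    descending into each component's optional nested "components" list."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from iter_components(comp.get("components"), here)


def component_key(comp):
    """Identity used for duplicate detection (assumption of this example):
    the purl when present, otherwise name@version."""
    return comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"


def find_duplicates(bom_json):
    """Return {identity: [slash-joined paths]} for every identity that occurs
    more than once anywhere in the (possibly nested) component tree."""
    bom = json.loads(bom_json)
    seen = {}
    for path, comp in iter_components(bom.get("components")):
        seen.setdefault(component_key(comp), []).append("/".join(path))
    return {key: paths for key, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for key, paths in find_duplicates(SAMPLE_BOM).items():
        print(f"{key} appears {len(paths)} times: {paths}")
```

Run against a real BOM by replacing `SAMPLE_BOM` with the file contents; a non-empty result shows which component is being fed to the processing pipeline twice and from which parent it comes.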
> Apologies for the delayed response, I only now got some time to look at BOM processing more closely. No problem. Same time issues here. I guess the fix you...
They are two distinct components serving their own resources so you can't run them on the same port. You can however use the same domain so long as they can...
Following discussion https://github.com/DependencyTrack/dependency-track/discussions/2188, I think that an agreement should be reached @nscuro @stevespringett. In any case, there is indeed another bug as comparing `cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*` to `cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*` leads to a no...
My understanding as per https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf is that `cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*` should not match `cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*`
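The two CPE comparisons in the comments above (an identical pair that should match, and `-` versus `2.4.53` that should not), worked through as an added example that is not Dependency-Track's matching code: a re-implementation of the attribute-level relation table in NISTIR 7696 section 6, where `*` is the logical value ANY and `-` is NA. The direction chosen here (the NVD-side name must be EQUAL to or a SUPERSET of the component's name on every attribute) and the omission of in-value `?`/`*` glob handling are simplifications of this example.

```python
"""Attribute-level CPE 2.3 name matching after NISTIR 7696 (section 6).
Logical values: ANY is written "*", NA (not applicable) is written "-".
Simplification of this example: no '?' / '*' glob handling inside values."""
ANY, NA = "*", "-"
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(s):
    """Split a CPE 2.3 formatted string into its 11 attributes, honouring
    backslash escapes so an escaped colon ('\\:') does not split a field."""
    prefix = "cpe:2.3:"
    if not s.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    body, fields, cur, i = s[len(prefix):], [], "", 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur += body[i:i + 2]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    if len(fields) != len(ATTRS):
        raise ValueError(f"expected {len(ATTRS)} attributes, got {len(fields)}")
    return dict(zip(ATTRS, fields))


def relation(source, target):
    """Pairwise relation of two attribute values per NISTIR 7696 table 6-2:
    EQUAL, SUPERSET (source covers target), SUBSET, or DISJOINT."""
    if source == ANY:
        return "EQUAL" if target == ANY else "SUPERSET"
    if source == NA:
        if target == ANY:
            return "SUBSET"
        return "EQUAL" if target == NA else "DISJOINT"
    # source is a concrete value
    if target == ANY:
        return "SUBSET"
    if target == NA:
        return "DISJOINT"
    return "EQUAL" if source.lower() == target.lower() else "DISJOINT"


def cpe_matches(vuln_cpe, component_cpe):
    """True when the vulnerability's CPE covers the component's CPE: every
    attribute of the vulnerable name is EQUAL to, or a SUPERSET of, the
    component's attribute. NA ('-') versus a concrete version is DISJOINT,
    so 'http_server:-' does not cover 'http_server:2.4.53'."""
    v, c = parse_cpe23(vuln_cpe), parse_cpe23(component_cpe)
    return all(relation(v[a], c[a]) in ("EQUAL", "SUPERSET") for a in ATTRS)


if __name__ == "__main__":
    pairs = [
        ("cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*",
         "cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*"),
        ("cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*",
         "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"),
        ("cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
         "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"),
    ]
    for vuln, comp in pairs:
        print(f"{vuln}\n  vs {comp}\n  -> match={cpe_matches(vuln, comp)}")
```

The version attribute is where the two cases diverge: `-` against `2.4.53` is DISJOINT under the table, while `*` against `2.4.53` is SUPERSET, and an identical string yields EQUAL on all eleven attributes.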
Hello @melba-lopez Sorry for the late answer. I think the _blocking_ point on this PR is not a technical one but a functional one. With: - Source (NVD):...
> I'm going to close this now as nothing seems likely to move on the original complaint. Sorry for the silent treatment, I'll submit a PR to make the documentation...
Hello @cmenzi The difference lies with OSSIndex, which reports v4.8.5 as still vulnerable. https://ossindex.sonatype.org/vulnerability/CVE-2022-41064 You can create an issue in the OSSIndex repo if need be: https://github.com/OSSIndex/vulns
That deviation notice is not machine readable & processable by DT, which only reports what OSSIndex tells it. The only possibility for you, if you don't use netstandard 1.3, is to audit...