Identical component listed with different vulnerability info #4678

Open
2 tasks done
savek-cc opened this issue Feb 20, 2025 · 2 comments
Labels
defect Something isn't working in triage

Comments

@savek-cc

Current Behavior

We track multiple branches of our software in DT. Most versions of the components are identical.
We now have two branches ("A", created via SBOM upload 2 weeks ago; "B", created via SBOM upload 3 days ago) and "C", created by exporting the SBOM from "A" and importing it into a new "C" version.
Some components have the same/identical name, version and PURL across all three projects, but in each project a different number of vulnerabilities is reported:
"A" is taking the lead with 10 assigned vulnerabilities,
"B" is listing 2, and
"C", as a copy of "A", ends up with the same 2 vulnerabilities from "A".

If I re-upload "A"'s SBOM to "A", the vulnerability count (and the vulnerabilities for that component) just stays the same.
If I delete the component in question from "A" and then upload the same SBOM again, the component re-appears with the correct (2) vulnerabilities.

So vulnerabilities that have been assigned to a component apparently never vanish, even if the same component comes up with far fewer assigned vulnerabilities in a new project/component/scan. How can I get those vulnerabilities to "un-stick"?
(My guess is that they got there due to a mis-assignment by the analyser (trivy server) in the first place, but obviously current scans with trivy don't show those 8 mis-assigned vulnerabilities any more.)

Steps to Reproduce

  1. have old project with components that got vulns assigned
  2. have said vulns be fixed in the database (maybe the matching pattern was too broad in the first instance, e.g. "*", maybe it was the wrong component)
  3. re-scan the old project - wrong vulns stay
  4. export sbom, import as new project - does not list wrong vulns

Expected Behavior

Mis-assigned vulnerabilities do not stick to components. They are removed from the component when the vulnerability data is updated and it doesn't actually match the component any more.

Dependency-Track Version

4.12.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

don't know

Browser

Google Chrome

Checklist

@savek-cc savek-cc added defect Something isn't working in triage labels Feb 20, 2025
@savek-cc
Author

Component was libc-bin: pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-24.04
Vulnerabilities that were assigned in "A":
CVE-2023-6246, CVE-2023-6779, CVE-2016-20013, CVE-2023-6780, CVE-2025-0395, CVE-2024-33600, CVE-2024-33602, CVE-2024-2961, CVE-2024-33061, CVE-2024-33599
Assigned in "B" and "C":
CVE-2016-20013, CVE-2025-0395
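
As an added illustration (not code from Dependency-Track or from the reporter), the following Python check pulls every project's components and their vulnerabilities over the REST API and flags PURLs whose vulnerability sets disagree between projects, which is the symptom described in the issue body and in the libc-bin comment above. The endpoint paths and the `vulnId` field are assumed to match the Dependency-Track v1 API, and the embedded sample is constructed from the CVE lists in this thread with a placeholder version, since the page omits it.

```python
import json
import sys
import urllib.request
from collections import defaultdict

# Endpoint paths below are assumed to match the Dependency-Track v1 REST API (X-Api-Key auth).
def _get(base_url, api_key, path):
    req = urllib.request.Request(base_url + path, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_findings(base_url, api_key):
    """Yield (project, purl, {vulnIds}) for every component; pagination simplified to one page."""
    for proj in _get(base_url, api_key, "/api/v1/project?pageSize=1000"):
        path = f"/api/v1/component/project/{proj['uuid']}?pageSize=10000"
        for comp in _get(base_url, api_key, path):
            if comp.get("purl"):
                vulns = _get(base_url, api_key, f"/api/v1/vulnerability/component/{comp['uuid']}")
                yield proj["name"], comp["purl"], {v["vulnId"] for v in vulns}

def find_drift(findings):
    """Keep PURLs seen in >1 project with differing vuln sets: {purl: {project: frozenset}}."""
    by_purl = defaultdict(dict)
    for project, purl, vuln_ids in findings:
        by_purl[purl][project] = frozenset(vuln_ids)
    return {purl: projs for purl, projs in by_purl.items()
            if len(projs) > 1 and len(set(projs.values())) > 1}

def stale_vulns(per_project):
    """IDs present in some projects but not all: candidates for a stuck assignment."""
    sets = list(per_project.values())
    return frozenset.union(*sets) - frozenset.intersection(*sets)

# Constructed sample mirroring the report: same PURL, "A" carries 10 CVEs, "B"/"C" only 2.
# The page omits the libc-bin version, so VERSION is a placeholder.
SAMPLE_PURL = "pkg:deb/ubuntu/libc-bin@VERSION?arch=amd64&distro=ubuntu-24.04"
SHARED = {"CVE-2016-20013", "CVE-2025-0395"}
EXTRA_IN_A = {"CVE-2023-6246", "CVE-2023-6779", "CVE-2023-6780", "CVE-2024-33600",
              "CVE-2024-33602", "CVE-2024-2961", "CVE-2024-33061", "CVE-2024-33599"}
SAMPLE = [("A", SAMPLE_PURL, SHARED | EXTRA_IN_A), ("B", SAMPLE_PURL, SHARED),
          ("C", SAMPLE_PURL, SHARED), ("A", "pkg:deb/ubuntu/bash@VERSION", set())]

if __name__ == "__main__":
    source = fetch_findings(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE
    for purl, projs in find_drift(source).items():
        print(purl)
        for project, vuln_ids in sorted(projs.items()):
            print(f"  {project}: {len(vuln_ids)} vulnerabilities")
        print("  disputed:", ", ".join(sorted(stale_vulns(projs))))
```

Run with no arguments to see the constructed sample, or with `BASE_URL API_KEY` against a live instance; the "disputed" list is what to check against the analyser's current matches before re-importing.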

@stohrendorf
Contributor

Possibly related: #4613 #4611 #4468 #4345 - if that's the case, seems to be a regression since 4.12.0.
