
Snyk analyser fails for SBOMs with components that share vulnerabilities #4716

Open
2 tasks done
ad8-adriant opened this issue Mar 4, 2025 · 0 comments
Labels
defect Something isn't working integration/snyk Related to the Snyk integration p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Milestone

Comments

@ad8-adriant
Contributor

Current Behavior

I've run into a regression on master that causes the Snyk analyser to fail when processing vulnerabilities shared by multiple components (e.g. two similar versions of the same component). The first instance of SnykAnalysisTask will succeed, and all subsequent instances that touch on a common vulnerability will fail with the following error:

2025-03-04 06:21:05,217 INFO [SnykAnalysisTask] Starting Snyk vulnerability analysis task [eventToken=1c88d85b-772d-40b3-a018-ad225a202682, projectName=foo, vulnAnalysisLevel=ON_DEMAND, projectUuid=d2dfb7b3-fb9d-48f8-ba38-2c4648cc745c, projectVersion=1.2.3]
2025-03-04 06:21:05,650 ERROR [SnykAnalysisTask] Request failure
javax.jdo.JDOObjectNotFoundException: Object with id "org.dependencytrack.model.Vulnerability:0" not found !
        at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:637)
        at org.datanucleus.api.jdo.JDOPersistenceManager.getObjectById(JDOPersistenceManager.java:1726)
        at alpine.persistence.AbstractAlpineQueryManager.getObjectById(AbstractAlpineQueryManager.java:441)
        at org.dependencytrack.persistence.VulnerabilityQueryManager.contains(VulnerabilityQueryManager.java:307)
        at org.dependencytrack.persistence.QueryManager.contains(QueryManager.java:905)
        at org.dependencytrack.util.NotificationUtil.analyzeNotificationCriteria(NotificationUtil.java:91)
        at org.dependencytrack.tasks.scanners.SnykAnalysisTask.handle(SnykAnalysisTask.java:372)
        at org.dependencytrack.tasks.scanners.SnykAnalysisTask.analyzeComponent(SnykAnalysisTask.java:332)
        at org.dependencytrack.tasks.scanners.SnykAnalysisTask.lambda$analyze$1(SnykAnalysisTask.java:254)
        at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.datanucleus.exceptions.NucleusObjectNotFoundException: Object with id "org.dependencytrack.model.Vulnerability:0" not found !
        at org.datanucleus.store.rdbms.request.FetchRequest.execute(FetchRequest.java:492)
        at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.fetchObject(RDBMSPersistenceHandler.java:427)
        at org.datanucleus.state.StateManagerImpl.loadFieldsFromDatastore(StateManagerImpl.java:1632)
        at org.datanucleus.state.StateManagerImpl.validate(StateManagerImpl.java:5593)
        at org.datanucleus.ExecutionContextImpl.findObject(ExecutionContextImpl.java:3539)
        at org.datanucleus.ExecutionContextImpl.findObject(ExecutionContextImpl.java:3000)
        at org.datanucleus.api.jdo.JDOPersistenceManager.getObjectById(JDOPersistenceManager.java:1721)
        ... 11 common frames omitted

This issue only appears to exist on master, 4.12.6 is not affected. I believe the regression was introduced in #4359, and I've confirmed it does not affect the preceding commit ba4400e.
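The stack trace above shows the lookup failing for `Vulnerability:0`; `0` is the default value of a Java `long` field, which is consistent with the notification code being handed a Vulnerability object whose database id was never populated. An operator who wants to know which Snyk tasks on a given instance hit this symptom can attribute each failure to the task that preceded it in the log. The following helper is an added example, not code from the issue or from Dependency-Track; the sample log excerpt is constructed from the line shapes quoted in the report, and its event tokens, project names and UUIDs are made up.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample excerpt modelled on the lines quoted in the issue.
# Tokens, project names and UUIDs are placeholders, not real values.
SAMPLE_LOG = """\
2025-03-04 06:21:05,217 INFO [SnykAnalysisTask] Starting Snyk vulnerability analysis task [eventToken=aaaaaaaa-0000-0000-0000-000000000001, projectName=foo, vulnAnalysisLevel=ON_DEMAND, projectUuid=11111111-1111-1111-1111-111111111111, projectVersion=1.2.3]
2025-03-04 06:21:05,650 ERROR [SnykAnalysisTask] Request failure
javax.jdo.JDOObjectNotFoundException: Object with id "org.dependencytrack.model.Vulnerability:0" not found !
        at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:637)
        at org.dependencytrack.util.NotificationUtil.analyzeNotificationCriteria(NotificationUtil.java:91)
2025-03-04 06:22:10,001 INFO [SnykAnalysisTask] Starting Snyk vulnerability analysis task [eventToken=aaaaaaaa-0000-0000-0000-000000000002, projectName=bar, vulnAnalysisLevel=ON_DEMAND, projectUuid=22222222-2222-2222-2222-222222222222, projectVersion=0.1.0]
"""

# Matches the task start line and captures the token and project name.
START_RE = re.compile(
    r"\[SnykAnalysisTask\] Starting Snyk vulnerability analysis task "
    r"\[eventToken=(?P<token>[0-9a-fA-F-]+), projectName=(?P<project>[^,\]]+)"
)

# The exact symptom from the report: a lookup of a Vulnerability with id 0.
SYMPTOM = (
    'JDOObjectNotFoundException: Object with id '
    '"org.dependencytrack.model.Vulnerability:0" not found'
)


def find_affected_tasks(log_text: str) -> Dict[str, str]:
    """Return {eventToken: projectName} for every Snyk analysis task whose
    log section (from its start line to the next start line) contains the
    Vulnerability:0 lookup failure."""
    affected: Dict[str, str] = {}
    current: Optional[Tuple[str, str]] = None
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            current = (m.group("token"), m.group("project"))
            continue
        if current is not None and SYMPTOM in line:
            affected[current[0]] = current[1]
    return affected


if __name__ == "__main__":
    for token, project in find_affected_tasks(SAMPLE_LOG).items():
        print(f"task {token} for project {project} hit the shared-vulnerability regression")
```

Run it against the API server's log to get the list of projects that need re-analysis once the fix is deployed; a task that started but shows no symptom (project `bar` in the sample) is not reported.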

Steps to Reproduce

The issue can be reproduced by creating a new project and uploading the following SBOM:

demo_sbom.json

One of the components will complete its analysis, the other two will fail:

[screenshot: analysis results for the three components, one succeeded and two failed]

Once the project is in this state it appears to remain there, e.g. triggering a new analysis will fail with the same error.

The issue can also be reproduced by manual actions in the UI, e.g. creating a copy of an already analysed component with a slightly different version, or modifying the existing component to have a different version.
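The attached demo_sbom.json is not reproduced here. To build an equivalent reproduction input, the precondition is simply an SBOM in which at least two components resolve to the same package at different versions, so that Snyk reports the same vulnerability for both. The script below is an added example, not the issue's attachment or Dependency-Track code: it writes a minimal CycloneDX 1.5 JSON document and checks that precondition before you upload. The package coordinates are placeholders; substitute a package that Snyk has advisories for.

```python
import json
from collections import defaultdict
from typing import Dict, List


def build_sbom(components: List[Dict[str, str]]) -> dict:
    """Return a minimal CycloneDX 1.5 JSON document for the given Maven
    components. Each entry needs 'group', 'name' and 'version'."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {
                "type": "library",
                "group": c["group"],
                "name": c["name"],
                "version": c["version"],
                "purl": f"pkg:maven/{c['group']}/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def shared_package_groups(sbom: dict) -> Dict[str, List[str]]:
    """Group component versions by package (purl with version and qualifiers
    stripped) and return only the packages present in two or more versions.
    Those are the components that can share a vulnerability."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for c in sbom["components"]:
        purl = c["purl"].split("?", 1)[0]      # drop qualifiers
        base = purl.rsplit("@", 1)[0]          # drop version
        groups[base].append(c["version"])
    return {pkg: sorted(v) for pkg, v in groups.items() if len(v) >= 2}


# Constructed sample: two versions of one (placeholder) package plus an
# unrelated one, matching the shape described in the report.
DEMO_COMPONENTS = [
    {"group": "com.example", "name": "demo-lib", "version": "1.0.0"},
    {"group": "com.example", "name": "demo-lib", "version": "1.0.1"},
    {"group": "com.example", "name": "other-lib", "version": "2.3.4"},
]


def write_demo_sbom(path: str) -> Dict[str, List[str]]:
    """Write the demo SBOM to `path` and return the shared-package groups so
    the caller can refuse to upload an SBOM that cannot trigger the bug."""
    sbom = build_sbom(DEMO_COMPONENTS)
    groups = shared_package_groups(sbom)
    if not groups:
        raise ValueError("SBOM has no package in two or more versions; it cannot reproduce the issue")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sbom, fh, indent=2)
    return groups


if __name__ == "__main__":
    print(write_demo_sbom("repro_sbom.json"))
```

Upload the resulting file to a freshly created project as the report describes; with a package that Snyk knows vulnerabilities for, the first component's analysis should complete and the later ones that share a vulnerability should fail with the `Vulnerability:0` error on an affected build.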

Expected Behavior

DT should successfully analyse projects involving components that share vulnerabilities.

Dependency-Track Version

4.13.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

17.3

Browser

Google Chrome


@ad8-adriant ad8-adriant added defect Something isn't working in triage labels Mar 4, 2025
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort integration/snyk Related to the Snyk integration and removed in triage labels Mar 4, 2025
@nscuro nscuro added this to the 4.13 milestone Mar 4, 2025