Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DependencyTrack does not honor the ecosystem-version/release-branch/distribution-name #4725

Open
2 tasks done
Andre-85 opened this issue Mar 6, 2025 · 0 comments
Open
2 tasks done

DependencyTrack does not honor the ecosystem-version/release-branch/distribution-name #4725

Andre-85 opened this issue Mar 6, 2025 · 0 comments
Labels
defect Something isn't working in triage

Comments

@Andre-85
Copy link

Andre-85 commented Mar 6, 2025

Current Behavior

PURLs in SBOMs contain often the information to which distribution they belonging to e.g. pkg:deb/debian/[email protected]+deb12u1?arch=amd64&distro=debian-12 means expat in version 2.5.0-1+deb12u1 from distribution debian-12 (which is bookworm).
For expat is a CVE called CVE-2024-4591 with following information which versions are affected:

  • debian-11: versions < 2.2.10-2+deb11u6
  • debian-12: versions < 2.5.0-1+deb12u1
  • debian-13: versions < 2.6.2-2

Without knowing the distribution we can not decide if expat version 2.5.0-1+deb12u1 is affected or not since the vulnerability is not fixed in debian-11, but its fixed in debian-12 and debian-13. So we would need to fallback to the save decision that is vulnerable since it is older than the latest affected version (2.6.2-2, debian-13), meaning that we will create false positives debian-11 and debian-12.

This refers to @mjaix on Jan 22 2025 on Bug #4445:

We recently stumbled over a bunch of false positives with Debian/purls/OSV, using DT 4.12.2.
N.B. I am by no means a Debian (versioning) expert.
My $0.02 on the problem:

A solid version comparison functionality is fundamental. However, be aware that ecosystems like Debian or Ubuntu with multiple delivery branches provide semantics (from my limited/simplistic point-of-view, Alpine has a similar but simpler system set up).
The problem is to a great extent mitigated by the fact that vulnerability sources like OSV usually provide one or more matching rules for each "delivery branch" (that is, a given base version with or without patches or backports). As a consequence, the matching algorithm must look for matching "branches" in the set of matching rules for a vulnerability, and if a match exist, simply the final numbers need to be compared. In case no "branch" matches, simply compare the base numbers. With equal base numbers and no branch specified in the rule, any "branch" or build on top should suffice.

For the test of your solution, to provide some kind of long-term stability, and to avoid creating some "golden code",
I would recommend to create test data and a simple test suite to run against your implementation.
One of the actual false positives we have (and some derived edge cases) could be verified with the YAML test data below.
I am pretty sure that test experts will provide better solutions :-).

test_cases:

  • vulnerability: CVE-2024-45491
    osv_rules:
    • pkg:deb/debian/expat?arch=source (<2.5.0-1+deb12u1)
    • pkg:deb/debian/expat?arch=source (<2.6.2-2)
    • pkg:deb/debian/expat?arch=source (<2.2.10-2+deb11u6)
      test_versions:
    • purl: pkg:deb/debian/[email protected]%2Bdeb12u1?arch=amd64&distro=debian-12
      rationale: matching rule 1 / equal # our actual problem
      expected_result: false # with DT 4.12.2 we get true
    • purl: pkg:deb/debian/[email protected]%2Bdeb12u1?arch=source&distro=debian-12
      rationale: matching rule 1 / equal # our actual problem, as it perhaps should look like
      expected_result: false
    • purl: pkg:deb/debian/[email protected]%2Bdeb12u2?arch=source&distro=debian-12
      rationale: matching rule 1 / higher patch
      expected_result: false
    • purl: pkg:deb/debian/[email protected]?arch=source&distro=debian-12
      rationale: matching rule 1 / lower, no patch
      expected_result: true

    some additional test cases

    • purl: pkg:deb/debian/[email protected]?arch=source
      rationale: matching rule 2 / equal
      expected_result: false
    • purl: pkg:deb/debian/[email protected]%2Bdeb13u1?arch=source
      rationale: matching rule 2 / higher patch
      expected_result: false
    • purl: pkg:deb/debian/[email protected]?arch=source
      rationale: matching rule 2 / lower build
      expected_result: true
    • purl: pkg:deb/debian/[email protected]%2Bdeb11u6?arch=source
      rationale: matching rule 3 / equal
      expected_result: false
    • purl: pkg:deb/debian/[email protected]%2Bdeb11u7?arch=source
      rationale: matching rule 3 / higher patch
      expected_result: false
    • purl: pkg:deb/debian/[email protected]%2Bdeb11u5?arch=source
      rationale: matching rule 3 / lower patch
      expected_result: true
    • purl: pkg:deb/debian/[email protected]?arch=source
      rationale: matching rule 2 / highest version
      expected_result: false
    • purl: pkg:deb/debian/[email protected]?arch=source
      rationale: matching rule 3 / lowest version
      expected_result: true

    some additional test cases, hypothetical stuff

    • purl: pkg:deb/debian/[email protected]?arch=source&distro=debian-12
      rationale: matching rule 1 / higher build
      expected_result: false

Steps to Reproduce

Expected Behavior

The distribution name given by purls show be used to lookup the correct affected version range of CVEs

Dependency-Track Version

4.13.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect Something isn't working in triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Andre-85