DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Dependency Track- License Details and Vulnerability Details are not coming #1038

Closed apdst closed 3 years ago

apdst commented 3 years ago

Hi Steve,

I am using dependency track v3.8.0 and creating bom.xml using CycloneDX module for .NET. However, I am not able to get the details regarding the license of third party libraries.

Also for modernizr, the vulnerabilities are not coming, however when I checked it manually, I found the vulnerabilities related to modernizr as https://snyk.io/test/npm/modernizr/3.3.1.

Also as suggested by you on the previous tickets, I have already enabled Sonatype OSS Index, NPM Audit & Internal and following the best practices mentioned in the documentation.

So can you please help on the above issues?

stevespringett commented 3 years ago

Dependency-Track relies on information in the BOM. If the BOM contains license information, it will be displayed in DT. If the BOM doesn't have license information, DT will not display it. So check the BOM and ensure license information is present.

For vulnerabilities, refer to https://docs.dependencytrack.org/FAQ/

apdst commented 3 years ago

As per the FAQ, I have already enabled the Sonatype OSS Index Analyzer and other analyzers, but still not able to find the vulnerabilities related to modernizr.

msymons commented 3 years ago

@apdst, as a next step I recommend taking the purl for your modernizr (copy it from the component's "view details" dialog) and querying the oss-index website directly. This will show you something like this (using a juicy example for jackson-databind):

image

So, if there are no vulns reported for modernizr then you should report the problem using the link on the screen.

If there are vulns reported then you'll want to login (it's free!) to see what they are and whether they are what you expect to see.

Sonatype are pretty good at responding to reports of missing or incorrect data.

If the above helps, then let me know... I'll do a PR to update the FAQ.

apdst commented 3 years ago

Thanks Mark. I will try the above mentioned steps and will see if it resolves the issue. I will let you know for the same.

apdst commented 3 years ago

Thanks @msymons Mark. Using the purl, the details are coming correct.

@stevespringett - Can you please help me understand how CycloneDX creates the BOM file and how it fetches the license details?

Are license details based on purl?

stevespringett commented 3 years ago

As stated previously, "if the BOM doesn't have license information, DT will not display it".

Please refer to https://cyclonedx.org/use-cases/#license-compliance

apdst commented 3 years ago

@stevespringett - Yes, the licensing part is working now. However, can you please help me: does DT support the license type MS-EULA or not, as I am not able to see the license name in DT?

Is there any way to mention the license type as MS-EULA?

stevespringett commented 3 years ago

@apdst MS-EULA is not a valid SPDX license ID. So you won't be able to create policies around it. But DT does support unresolved license names. As long as the name of the license is included in the SBOM, DT will display it.

apdst commented 3 years ago

Thanks @stevespringett. However, I am mentioning the license names like MS-EULA, MICROSOFT .NET LIBRARY etc. in the BOM file, but still these license details are not visible in DT.

Please see the attached screenshot of BOM File and DT for Aspose.CAD.

DT BOM File

Can you please help me with the same?

stevespringett commented 3 years ago

As stated previously, the license id in the BoM is not a valid spdx license id. The BoM will fail validation.

Please use the name element rather than id.

Refer to https://cyclonedx.org/use-cases/#license-compliance
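As an added example (not code from this thread or from Dependency-Track itself), a small Python check that finds `<license><id>` values in a CycloneDX 1.2 BOM that are not SPDX identifiers and rewrites them as `<name>`, which is the fix described above. The SPDX subset and the sample BOM are constructed for illustration; a real check would load the full SPDX license list.

```python
import xml.etree.ElementTree as ET

NS = {"cdx": "http://cyclonedx.org/schema/bom/1.2"}
CDX = "{%s}" % NS["cdx"]

# Constructed subset of SPDX license IDs (assumption: a real check loads the full list).
SPDX_IDS = {"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-3.0-only"}

# Constructed BOM: one valid SPDX id, one proprietary license wrongly placed in <id>.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <name>ExampleLib</name>
      <version>1.0.0</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <name>Aspose.CAD</name>
      <version>1.0.0</version>
      <licenses><license><id>MS-EULA</id></license></licenses>
    </component>
  </components>
</bom>
"""


def audit_licenses(bom_xml: str):
    """Return (component name, license id) pairs whose <id> is not an SPDX identifier."""
    root = ET.fromstring(bom_xml)
    findings = []
    for comp in root.iter(CDX + "component"):
        cname = comp.findtext("cdx:name", namespaces=NS)
        for lic in comp.iter(CDX + "license"):
            lic_id = lic.findtext("cdx:id", namespaces=NS)
            if lic_id is not None and lic_id not in SPDX_IDS:
                findings.append((cname, lic_id))
    return findings


def fix_licenses(bom_xml: str) -> str:
    """Rename non-SPDX <id> elements to <name> so the BOM validates and DT shows the name."""
    root = ET.fromstring(bom_xml)
    for lic in root.iter(CDX + "license"):
        id_el = lic.find("cdx:id", namespaces=NS)
        if id_el is not None and id_el.text not in SPDX_IDS:
            id_el.tag = CDX + "name"  # same element and text, only the tag changes
    ET.register_namespace("", NS["cdx"])  # keep the default namespace on output
    return ET.tostring(root, encoding="unicode")
```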

apdst commented 3 years ago

@stevespringett Yes it is working now for the license as well. Hence closing this ticket as well.

github-actions[bot] commented 3 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.