DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

DepTrack not able to inspect CVE-2020-28483 in GO gin-gonic/gin 1.6.3 #1489

Open ultramaxim opened 2 years ago

ultramaxim commented 2 years ago


Current Behavior:

The vulnerable Go module github.com/gin-gonic/gin v1.6.3 isn't shown as vulnerable in DepTrack.

Steps to Reproduce:

I want to check a Go project. I manually found the vulnerable Go module github.com/gin-gonic/gin v1.6.3 in go.mod, then ran cyclonedx-gomod and finally uploaded bom.xml to DepTrack. Then I went to my project via the WebUI, found the component github.com/gin-gonic/gin v1.6.3, and there are no vulnerabilities on it.

Expected Behavior:

DepTrack should alert on this CVE - https://nvd.nist.gov/vuln/detail/CVE-2020-28483 - for github.com/gin-gonic/gin v1.6.3

Environment:

Additional Details:

Sonatype OSS Index - https://ossindex.sonatype.org/component/pkg:golang/github.com/gin-gonic/gin@v1.6.3
NVD - https://nvd.nist.gov/vuln/detail/CVE-2020-28483
Snyk - https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736

nscuro commented 2 years ago

Hi @ultramaxim, as you already noticed the vulnerability is not indexed in Sonatype OSS Index, which is DT's primary data source. You can report this to them via their vulns repository: https://github.com/OSSIndex/vulns#what-is-an-advisory-and-how-do-i-submit-one

ultramaxim commented 2 years ago

@nscuro I already found a related issue - https://github.com/OSSIndex/vulns/issues/155

But what about NVD? Why doesn't DT show info according to https://nvd.nist.gov/vuln/detail/CVE-2020-28483?

nscuro commented 2 years ago

That's because the SBOM generated with cyclonedx-gomod (and most other tools) only contains a package URL for every component, but not a CPE. The NVD's data is based on CPEs, so there's no way for DT to reliably match your packages to vulnerabilities in the NVD.
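The point nscuro makes above (a purl-only SBOM gives NVD-based matching nothing to work with) can be checked directly against a BOM file. The Go program below is an added example, not code from the Dependency-Track project or from cyclonedx-gomod. It parses a small constructed CycloneDX 1.3 document shaped like cyclonedx-gomod output, lists the components that carry a purl but no cpe, and derives a candidate CPE 2.3 string from each golang purl using a last-two-path-segments heuristic. That heuristic is an assumption for illustration, not how DT or Dependency-Check map names, and the golang.org/x/crypto entry shows where it goes wrong. The names ParseBOM, MissingCPE, PURLParts and HeuristicCPE are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// BOM is a minimal CycloneDX XML model: only the fields this check needs.
// Field tags match on local element name, so the default xmlns is accepted.
type BOM struct {
	XMLName    xml.Name    `xml:"bom"`
	Components []Component `xml:"components>component"`
}

// Component carries the identifiers vulnerability analyzers key on.
type Component struct {
	Type    string `xml:"type,attr"`
	Name    string `xml:"name"`
	Version string `xml:"version"`
	PURL    string `xml:"purl"`
	CPE     string `xml:"cpe"`
}

// sampleBOM is a constructed input modelled on cyclonedx-gomod output:
// each component has a purl and no cpe element.
const sampleBOM = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library">
      <name>github.com/gin-gonic/gin</name>
      <version>v1.6.3</version>
      <purl>pkg:golang/github.com/gin-gonic/gin@v1.6.3</purl>
    </component>
    <component type="library">
      <name>golang.org/x/crypto</name>
      <version>v0.0.0-20200622213623-75b288015ac9</version>
      <purl>pkg:golang/golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9</purl>
    </component>
  </components>
</bom>`

// ParseBOM unmarshals a CycloneDX XML document into the minimal model.
func ParseBOM(data string) (BOM, error) {
	var bom BOM
	err := xml.Unmarshal([]byte(data), &bom)
	return bom, err
}

// MissingCPE returns the purls of components that have a purl but no cpe.
// These are exactly the components a CPE-keyed data source cannot match.
func MissingCPE(bom BOM) []string {
	var out []string
	for _, c := range bom.Components {
		if c.PURL != "" && c.CPE == "" {
			out = append(out, c.PURL)
		}
	}
	return out
}

// PURLParts splits a "pkg:golang/<module path>@<version>" purl into the
// module namespace, name and version. Qualifiers ("?...") and subpaths
// ("#...") are dropped. This is a deliberately narrow parser for the
// example, not a full purl implementation.
func PURLParts(purl string) (namespace, name, version string, ok bool) {
	const prefix = "pkg:golang/"
	if !strings.HasPrefix(purl, prefix) {
		return "", "", "", false
	}
	rest := strings.TrimPrefix(purl, prefix)
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	at := strings.LastIndex(rest, "@")
	if at < 0 {
		return "", "", "", false
	}
	path := rest[:at]
	version = rest[at+1:]
	slash := strings.LastIndex(path, "/")
	if slash < 0 || version == "" {
		return "", "", "", false
	}
	return path[:slash], path[slash+1:], version, true
}

// HeuristicCPE builds a CPE 2.3 candidate from a golang purl: the last
// namespace segment becomes the vendor, the module name the product, and
// the leading "v" is stripped from the version. This is an illustrative
// heuristic (assumption): github.com/gin-gonic/gin maps sensibly to
// gin-gonic:gin, but golang.org/x/crypto yields vendor "x", so every
// candidate must be verified against the NVD CPE dictionary before use.
func HeuristicCPE(purl string) (string, bool) {
	namespace, name, version, ok := PURLParts(purl)
	if !ok {
		return "", false
	}
	segs := strings.Split(namespace, "/")
	vendor := strings.ToLower(segs[len(segs)-1])
	product := strings.ToLower(name)
	version = strings.TrimPrefix(version, "v")
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", vendor, product, version), true
}

func main() {
	bom, err := ParseBOM(sampleBOM)
	if err != nil {
		panic(err)
	}
	for _, purl := range MissingCPE(bom) {
		cpe, _ := HeuristicCPE(purl)
		fmt.Printf("%s\n  no <cpe> in SBOM; candidate to verify against NVD: %s\n", purl, cpe)
	}
}
```

To run this against a real BOM, read the file into a string in place of sampleBOM. A component that carries a verified cpe element alongside its purl gives CPE-based analysis something to match on; a candidate produced by the heuristic is only a starting point for that verification.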

ultramaxim commented 2 years ago

Oh, thanks. Is there any tool that collects both package URL and CPE?

ultramaxim commented 2 years ago

@nscuro and Dependency-Check successfully finds a CPE for this artifact

stevespringett commented 2 years ago

At a minimum, DT should have discovered https://github.com/advisories/GHSA-h395-qcrw-5vmq; however, that doesn't appear to be the case. I'll need to investigate to see why it's not being discovered.

Try not to equate DT and DC. They are two different tools with completely different ways of analyzing components. Refer to https://docs.dependencytrack.org/odt-odc-comparison/

ultramaxim commented 2 years ago

@stevespringett ok. I added a GitHub Advisory token to Vulnerability Sources after deploying DT; there is no internet limit or any block rules preventing access from DT to GitHub.

Interesting thing - I found the https://github.com/advisories/GHSA-h395-qcrw-5vmq vulnerability in the section DT calls Vulnerabilities. (screenshot)

In my project gin-gonic/gin@v1.6.3 I see the correctly parsed (in my opinion) gin-gonic/gin lib: (screenshot)

But I think something goes wrong :)

ultramaxim commented 2 years ago

Also added Components detail: (screenshot)

ultramaxim commented 2 years ago

I continued researching the problem: I tried searching GitHub Advisories for the pURL pkg:golang/github.com/gin-gonic/gin@v1.6.3 and there is no result: (screenshot) But if I try this pattern - "gin-gonic/gin" - I find 1 advisory: (screenshot)

msymons commented 2 years ago

@ultramaxim, the last I heard, GHSA does not yet support PURL... but Beta support for it should appear at the beginning of the 2nd Quarter of 2022 (i.e., very soon).