CVE-2022-22965 : DT not able to found affected projects

DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

https://dependencytrack.org/

Apache License 2.0

2.64k stars 559 forks source link

Closed Whisper40 closed 2 years ago

Whisper40 commented 2 years ago

Add thousands of spring projects, with many spring's version

We should be able to see what project is affected by this vulnerability, as fast as possible. For sure, we have affected projects.

valentijnscholten commented 2 years ago

Any example sbom that gives false negatives?

Whisper40 commented 2 years ago

We are not able to identify affected projects, next time that this type of issue occured i will add sbom of false negative project.

msymons commented 2 years ago

@Whisper40, I think that you will find that the vuln is being picked up in Dependency-Track... but in a non-obvious way.

It may be identified as OSSI 6795ec44-f810-47aa-a22e-5d817e52cbdc. The reason for the OSSI internal ID is that it was added by OSSI before the CVE was fully analysed. ie, the attribution date in my Dependency-Track is 6th April but the CVE itself only got a formal CVSS and CWE (etc) on 8th April (see CVE-2022-22965). We are now just 2-3 weeks away from OSSI launching an overhaul of their data and when this happens it will hopefully be possible to avoid this sort of problem.
If GitHub Advisories are enabled in Dependency-Track, then the vuln should be identified as GHSA-36p3-wjmg-h94x

github-actions[bot] commented 2 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.