Open ajendrosch2 opened 2 years ago
Hi @ajendrosch2, have you enabled GitHub Advisories support in the settings?
I tested with the SBOM you provided and DT correctly detected the vulnerability:
OSS Index does not discover the vulnerability, but GitHub Advisories do. Support for GitHub Advisories was introduced in Dependency-Track v4.4. So the options are to either 1) report the issue to OSS Index and wait for them to correct, or 2) update to v4.4 and enable GHSA.
The NVD covers the CVE, but DT doesn't seem to match that. Is it because there's no CPE in the BOM? Still trying to understand the matching model of DT. Is this documented somewhere? The code seems to show an attempt to do "fuzzy cpe matching", depending on some config flags?
EDIT: Didn't look deep enough, fuzzy matching is not implemented yet. I think there's a PR where it's being worked on.
Fuzzy matching will likely be an optional capability in DT 4.5 or 4.6. It is not implemented now.
Refer to:
I just reread the docs and the info is already there :-) It's a miracle how much more you can read when you're not on a mobile phone.
https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/
https://docs.dependencytrack.org/FAQ/
Let's hope the upgrade to the OSS Index will reduce the number of vulnerabilities "missed" when having only a PURL.
Current Behavior:
Analysis of a project's SBOM does not show any vulnerabilities although the project is affected. The project includes spring-core v5.3.18, which is affected by the following vulnerability: https://tanzu.vmware.com/security/cve-2022-22968.
Steps to Reproduce:
(Extract of the created SBOM)
Expected Behavior:
something like what grype produces:

```
$ grype sbom:/Users/user/Downloads/spring-core-sbom.json -o table
 ✔ Vulnerability DB        [updated]
 ✔ Scanned image           [1 vulnerabilities]
[0005]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME         INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
spring-core  5.3.18     5.3.19    java-archive  GHSA-g5mm-vmx4-3rg7  Low
```
Environment:
Additional Details:
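The thread asks whether the NVD miss comes down to the BOM carrying only a PURL and no CPE, and grype's output warns about exactly that. The following script is an added example, not code from the issue or from Dependency-Track: it walks a CycloneDX JSON SBOM, lists components that have a PURL but no CPE (the ones an NVD/CPE-only analyzer cannot match), and derives a best-guess CPE from the PURL in the spirit of grype's `--add-cpes-if-none`. The SBOM content and the vendor/product derivation rule are constructed assumptions; NVD often lists a product under a vendor name that cannot be derived from a Maven groupId, which is why such a guess is no substitute for a PURL-aware source like GHSA.

```python
import json
import re

# Constructed CycloneDX fragment (not the reporter's real SBOM): one component
# identified only by PURL, one that also carries a CPE.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.springframework", "name": "spring-core",
         "version": "5.3.18",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.18"},
        {"type": "library", "name": "openssl", "version": "1.1.1n",
         "purl": "pkg:generic/openssl@1.1.1n",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1n:*:*:*:*:*:*:*"},
    ],
})

# pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^@]+)/)?(?P<name>[^@/]+)@(?P<version>[^?#]+)")


def candidate_cpe(purl):
    """Heuristic CPE 2.3 string for a PURL, or None if the PURL has no version.

    Assumed rule (not NVD's): vendor = last segment of the namespace (a Maven
    groupId such as org.springframework -> springframework) or the name itself;
    product = name with '-' folded to '_'. A real analyzer needs a curated
    vendor/product mapping, because NVD naming rarely follows the groupId.
    """
    m = PURL_RE.match(purl)
    if not m:
        return None
    ns, name, version = m.group("ns"), m.group("name"), m.group("version")
    vendor = (ns.split(".")[-1] if ns else name).lower()
    product = name.lower().replace("-", "_")
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def components_without_cpe(sbom_json):
    """Return [(purl, candidate_cpe)] for components that carry a PURL but no CPE."""
    bom = json.loads(sbom_json)
    return [(c["purl"], candidate_cpe(c["purl"]))
            for c in bom.get("components", [])
            if c.get("purl") and not c.get("cpe")]


if __name__ == "__main__":
    for purl, cpe in components_without_cpe(SAMPLE_SBOM):
        print(f"{purl}: no CPE in BOM, CPE-only analyzers skip it; candidate {cpe}")
```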