DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

different evaluation for the same vulnerability #1769

Open redaabdellah21 opened 2 years ago

redaabdellah21 commented 2 years ago

Current Behavior:

Dependency-Track is giving 2 different severity results for the same vulnerability.

[image]

[image]

The first one is on H2, the second is on PostgreSQL. I have noticed that working with PostgreSQL is difficult: Dependency-Track does not fetch all the vulnerabilities. I have 140853 vulnerabilities in PostgreSQL against 190232 in H2 (I have run it on Docker so many times with PostgreSQL and it never gets as many vulnerabilities as H2), and now it is not giving the same evaluation.

Steps to Reproduce:

- Run 2 containers on Docker, one with H2, the other with PostgreSQL.

Expected Behavior:

Vulnerabilities' evaluation should be the same regardless of the DB used.

Environment:

Additional Details:

Both evaluations are correct, but the H2 container is basing its on CVSSv3, which is the expected behavior; the one with PostgreSQL is giving the CVSSv2 results.


nscuro commented 2 years ago

I'm getting the same vulnerability details with both of your mentioned databases.

What you see in your Postgres setup are the vulnerability details from OSS Index: https://ossindex.sonatype.org/vulnerability/sonatype-2021-0449?component-type=npm&component-name=handlebars

[image]

If a vulnerability doesn't yet exist in DT's local vulnerability database, and that vulnerability is reported by OSS Index, DT will create it ad-hoc using OSSI's details. Those details will be overwritten by whatever is recorded in the NVD the next time the NistMirrorTask is executed.

It's possible that mirroring the NVD takes longer with Postgres than with H2 in your case.
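The two explanations above (a CVSSv3-based rating in one deployment and a CVSSv2-based one in the other; a record created ad-hoc from OSS Index and later overwritten by the NVD mirror) can be made concrete with a small model. The following is an added illustration, not Dependency-Track's own code: it assumes NVD's published qualitative rating bands for CVSS v2 and v3, a simplified "create if missing, overwrite on mirror" rule, and uses constructed sample records with a placeholder vulnerability id.

```python
"""Toy model of how one vulnerability record can carry two different
severities depending on which data source last wrote it.

Added illustration, not Dependency-Track's own code. Assumes NVD's
qualitative rating bands for CVSS v2/v3 and constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Vulnerability:
    vuln_id: str
    source: str                            # source that last wrote the record
    cvss_v2_score: Optional[float] = None
    cvss_v3_score: Optional[float] = None


def severity_v3(score: float) -> str:
    """NVD qualitative bands for CVSS v3.x base scores."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def severity_v2(score: float) -> str:
    """NVD qualitative bands for CVSS v2 base scores; there is no CRITICAL band."""
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    return "HIGH"


def severity(vuln: Vulnerability) -> str:
    """Prefer v3 when the record has it, fall back to v2, else UNASSIGNED."""
    if vuln.cvss_v3_score is not None:
        return severity_v3(vuln.cvss_v3_score)
    if vuln.cvss_v2_score is not None:
        return severity_v2(vuln.cvss_v2_score)
    return "UNASSIGNED"


def ingest_from_ossindex(db: Dict[str, Vulnerability], record: dict) -> Vulnerability:
    """Ad-hoc creation: fills the gap only when the id is not yet known locally."""
    vid = record["id"]
    if vid not in db:
        db[vid] = Vulnerability(vid, "OSSINDEX",
                                cvss_v2_score=record.get("cvssV2"),
                                cvss_v3_score=record.get("cvssV3"))
    return db[vid]


def mirror_nvd(db: Dict[str, Vulnerability], records: Iterable[dict]) -> None:
    """Mirror task: NVD data is authoritative and overwrites existing details."""
    for record in records:
        vid = record["id"]
        db[vid] = Vulnerability(vid, "NVD",
                                cvss_v2_score=record.get("cvssV2"),
                                cvss_v3_score=record.get("cvssV3"))


# Constructed sample data; the id is a placeholder, not a real CVE.
OSSINDEX_RECORD = {"id": "CVE-0000-00001", "cvssV2": 7.5}
NVD_RECORDS = [{"id": "CVE-0000-00001", "cvssV2": 7.5, "cvssV3": 9.8}]


def simulate() -> Tuple[str, str, str]:
    """Return (severity before mirror, severity after mirror, final source)."""
    db: Dict[str, Vulnerability] = {}
    ingest_from_ossindex(db, OSSINDEX_RECORD)       # first seen via OSS Index
    before = severity(db["CVE-0000-00001"])         # v2 only -> HIGH
    mirror_nvd(db, NVD_RECORDS)                     # mirror task catches up
    after = severity(db["CVE-0000-00001"])          # v3 available -> CRITICAL
    ingest_from_ossindex(db, OSSINDEX_RECORD)       # a later OSSI hit does not clobber NVD
    return before, after, db["CVE-0000-00001"].source


if __name__ == "__main__":
    print(simulate())
```

Under this model a deployment whose NVD mirror has not yet reached the relevant year file still shows the OSS Index rating (CVSSv2 only, capped at HIGH), while one whose mirror completed shows the NVD rating with a CVSSv3 score that can be CRITICAL. The thing to check when two instances disagree is therefore whether the mirror task finished in both, not the severity values themselves.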

redaabdellah21 commented 2 years ago

I would like to thank you for your answer. My H2 instance is able to mirror all NVD vulnerabilities up to the 2002 file, and it is the one giving me the critical severity as shown in the picture below.

[image]

Does this mean that NVD and OSS Index may give different analyses?

The problem with the PostgreSQL instance is that it never mirrors all the vulnerabilities; it always stops parsing at the 2020 file, or 2019 at most, which leaves me with fewer vulnerabilities compared with the H2 instance. I have read that it could be because my Docker is under-resourced. I gave it 7 GB RAM and 4 CPUs but nothing changed. Do you have any idea about this?