Open redaabdellah21 opened 2 years ago
I'm getting the same vulnerability details with both of your mentioned databases.
What you see in your Postgres setup are the vulnerability details from OSS Index: https://ossindex.sonatype.org/vulnerability/sonatype-2021-0449?component-type=npm&component-name=handlebars
If a vulnerability doesn't yet exist in DT's local vulnerability database, and that vulnerability is reported by OSS Index, DT will create it ad-hoc using OSSI's details. Those details will be overwritten by whatever is recorded in the NVD the next time the NistMirrorTask is executed.
It's possible that mirroring the NVD takes longer with Postgres than with H2 in your case.
I would like to thank you for your answer. My H2 instance is able to mirror all NVD vulnerabilities up to the 2002 file, and it is the one giving me the critical severity, as shown in the picture below.
Does this mean that NVD and OSS Index may give different analyses?
The problem with the PostgreSQL instance is that it never mirrors all the vulnerabilities; it always stops parsing at the 2020 file, or 2019 at most, which leaves me with fewer vulnerabilities compared with the H2 instance. I have read that it could be because my Docker is under-resourced; I gave it 7 GB RAM and 4 CPUs but nothing changed. Do you have any idea about this?
Current Behavior:
Dependency-Track is giving 2 different severity results for the same vulnerability.
The first one is on H2, the second is on PostgreSQL. I have noticed that working with PostgreSQL is difficult: Dependency-Track does not fetch all the vulnerabilities; I have 140853 vulnerabilities in PostgreSQL against 190232 in H2 (I have run it on Docker so many times with PostgreSQL and it never gets as many vulnerabilities as H2). Now it is not giving the same evaluation.
Steps to Reproduce:
- Run 2 containers on Docker: one with H2, the other with PostgreSQL.
Expected Behavior:
Vulnerabilities' evaluation should be the same regardless of the DB used.
Environment:
Additional Details:
Both evaluations are correct, but the H2 container is basing its evaluation on CVSSv3, which is the expected behavior; the one with PostgreSQL is giving the CVSSv2 results.
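To check the two explanations given in this thread (a severity derived from CVSSv2 instead of CVSSv3, and an NVD mirror that stopped early), here is an added example, not code from the Dependency-Track project, that reconciles two vulnerability exports. The record layout, the `EXAMPLE-*` identifiers and the scores are constructed for illustration; DT's real export format is not assumed.

```python
"""Reconcile vulnerability severities between two instances' exports (added example)."""


def cvss3_severity(score: float) -> str:
    # CVSS v3.x qualitative rating scale (FIRST specification).
    if score == 0.0:
        return "NONE"
    if score <= 3.9:
        return "LOW"
    if score <= 6.9:
        return "MEDIUM"
    if score <= 8.9:
        return "HIGH"
    return "CRITICAL"


def cvss2_severity(score: float) -> str:
    # CVSS v2 has no CRITICAL band, so a vulnerability rated 9.8 in v3 is only HIGH here.
    if score <= 3.9:
        return "LOW"
    if score <= 6.9:
        return "MEDIUM"
    return "HIGH"


def effective_severity(vuln: dict) -> str:
    """Prefer the CVSSv3 score and fall back to CVSSv2, the behaviour the issue expects."""
    if vuln.get("cvssV3") is not None:
        return cvss3_severity(vuln["cvssV3"])
    if vuln.get("cvssV2") is not None:
        return cvss2_severity(vuln["cvssV2"])
    return "UNASSIGNED"


def find_mismatches(export_a: list, export_b: list) -> list:
    """Return (vulnId, severity_a, severity_b, reason) for every disagreement between exports."""
    by_id_a = {v["vulnId"]: v for v in export_a}
    by_id_b = {v["vulnId"]: v for v in export_b}
    mismatches = []
    for vid in sorted(by_id_a.keys() | by_id_b.keys()):
        a, b = by_id_a.get(vid), by_id_b.get(vid)
        if a is None or b is None:  # one mirror never received this record
            sev_a = effective_severity(a) if a else None
            sev_b = effective_severity(b) if b else None
            mismatches.append((vid, sev_a, sev_b, "missing from one instance (incomplete mirror)"))
            continue
        sev_a, sev_b = effective_severity(a), effective_severity(b)
        if sev_a == sev_b:
            continue
        has_v3_a, has_v3_b = a.get("cvssV3") is not None, b.get("cvssV3") is not None
        if has_v3_a != has_v3_b:
            reason = "CVSSv3 score present only in " + ("A" if has_v3_a else "B")
        else:
            reason = "scores differ between sources"
        mismatches.append((vid, sev_a, sev_b, reason))
    return mismatches


# Constructed sample exports (not real data): A mirrored the NVD fully; B's mirror stopped
# early and still holds the ad-hoc OSS Index record, which carries only a CVSSv2 score.
EXPORT_A = [
    {"vulnId": "EXAMPLE-0001", "source": "NVD", "cvssV3": 9.8, "cvssV2": 7.5},
    {"vulnId": "EXAMPLE-0002", "source": "NVD", "cvssV3": 5.3, "cvssV2": 5.0},
]
EXPORT_B = [
    {"vulnId": "EXAMPLE-0001", "source": "OSSINDEX", "cvssV3": None, "cvssV2": 7.5},
]

if __name__ == "__main__":
    for row in find_mismatches(EXPORT_A, EXPORT_B):
        print(row)
```

Running it against the constructed exports reports `EXAMPLE-0001` as CRITICAL in A but HIGH in B because only A has a CVSSv3 score, and `EXAMPLE-0002` as absent from B.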