DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Gradle components does not report vulnerabilities #1876

Open jrevillard opened 2 years ago

jrevillard commented 2 years ago

Current Behavior:

I have 2 projects with some common components: one managed by Maven and another one managed by Gradle. The project managed by Maven reports vulnerabilities and the one managed by Gradle does not.

Steps to Reproduce:

Build the same project with Maven and Gradle and generate the SBOM (I'm using GitLab CI gemnasium-maven).

Expected Behavior:

The two projects must report the same vulnerabilities for the same components.

Environment:

Additional Details:

Here is a snapshot which shows the difference:

[image: screenshot comparing the vulnerability views of the two projects]

jrevillard commented 2 years ago

OK, I know why. The library that is used to interpret the purls does not take Gradle into account, as stated here: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

I replaced gradle with maven before uploading and it works.

Best, Jerome

syalioune commented 2 years ago

Hello. The spec does indeed only reference maven as a known purl type, but the packageurl-java library successfully parses purls with the gradle type. Since Gradle and Maven target the same repositories, I think it would be interesting if the translation between package URL types (gradle -> maven) could be performed automatically by Dependency-Track when querying vulnerability databases like OSS Index or GHSA.
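The workaround Jerome describes (rewriting the purl type before upload) and the gradle -> maven translation syalioune proposes, as an added Python example that is not part of this thread or of Dependency-Track's own code. It assumes a CycloneDX JSON BOM as produced by a Gradle-based generator; the sample BOM, the TYPE_MAP table and all function names are constructed for this example. Because generators usually set bom-ref equal to the purl, the rewrite also walks the dependency graph, otherwise the graph would point at refs that no longer exist.

```python
import copy
import json
import re

# Constructed sample CycloneDX 1.4 BOM (not taken from the issue). lib-a carries
# the non-standard "gradle" purl type; lib-b already uses the spec "maven" type.
# bom-ref equals the purl, as most generators do, so the dependency graph also
# names the gradle purl and must be rewritten together with the component.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.example", "name": "lib-a", "version": "1.0.0",
         "bom-ref": "pkg:gradle/org.example/lib-a@1.0.0?type=jar",
         "purl": "pkg:gradle/org.example/lib-a@1.0.0?type=jar"},
        {"type": "library", "group": "org.example", "name": "lib-b", "version": "2.0.0",
         "bom-ref": "pkg:maven/org.example/lib-b@2.0.0",
         "purl": "pkg:maven/org.example/lib-b@2.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:gradle/org.example/lib-a@1.0.0?type=jar",
         "dependsOn": ["pkg:maven/org.example/lib-b@2.0.0"]},
        {"ref": "pkg:maven/org.example/lib-b@2.0.0", "dependsOn": []},
    ],
}

# Hypothetical alias table: non-spec purl type -> spec type that resolves from
# the same repositories. "gradle" -> "maven" is the case from the issue.
TYPE_MAP = {"gradle": "maven"}

# purl grammar is "pkg:" <type> "/" <rest>; the type is everything up to the first "/".
_PURL_TYPE_RE = re.compile(r"^pkg:([A-Za-z0-9.+-]+)/")


def translate_purl(purl: str, type_map=TYPE_MAP) -> str:
    """Rewrite only the type token of a purl per type_map.

    Namespace, name, version, qualifiers (e.g. ?type=jar) and subpath are
    preserved byte for byte; strings that are not purls come back unchanged.
    """
    m = _PURL_TYPE_RE.match(purl)
    if not m:
        return purl
    new_type = type_map.get(m.group(1).lower())
    if new_type is None:
        return purl
    return "pkg:" + new_type + purl[m.end(1):]


def translate_bom(bom: dict, type_map=TYPE_MAP):
    """Return (rewritten deep copy of bom, number of strings rewritten).

    Covers component purls and bom-refs (recursing into nested components)
    and every ref/dependsOn entry in the dependency graph.
    """
    out = copy.deepcopy(bom)
    count = 0

    def rewrite(obj, key):
        nonlocal count
        if isinstance(obj.get(key), str):
            new = translate_purl(obj[key], type_map)
            if new != obj[key]:
                obj[key] = new
                count += 1

    def walk(components):
        for comp in components:
            rewrite(comp, "purl")
            rewrite(comp, "bom-ref")
            walk(comp.get("components", []))

    walk(out.get("components", []))
    for dep in out.get("dependencies", []):
        rewrite(dep, "ref")
        old = dep.get("dependsOn", [])
        new = [translate_purl(r, type_map) for r in old]
        count += sum(1 for a, b in zip(old, new) if a != b)
        if "dependsOn" in dep:
            dep["dependsOn"] = new
    return out, count


def dangling_refs(bom: dict) -> set:
    """Refs named in the dependency graph that no component declares as bom-ref."""
    declared, referenced = set(), set()

    def collect(components):
        for c in components:
            if "bom-ref" in c:
                declared.add(c["bom-ref"])
            collect(c.get("components", []))

    collect(bom.get("components", []))
    for dep in bom.get("dependencies", []):
        if "ref" in dep:
            referenced.add(dep["ref"])
        referenced.update(dep.get("dependsOn", []))
    return referenced - declared


def translate_file(src: str, dst: str) -> int:
    """Rewrite a BOM file in place of the upload step; returns rewrite count."""
    with open(src) as f:
        bom = json.load(f)
    fixed, n = translate_bom(bom)
    with open(dst, "w") as f:
        json.dump(fixed, f, indent=2)
    return n


if __name__ == "__main__":
    fixed, n = translate_bom(SAMPLE_BOM)
    print(f"rewrote {n} purl strings; dangling refs: {dangling_refs(fixed) or 'none'}")
```

Run `translate_file("bom.json", "bom.fixed.json")` in the CI job between SBOM generation and the Dependency-Track upload, then check that `dangling_refs` on the result is empty before uploading. The mapping is sound only because, as noted above, Gradle and Maven coordinates (group/artifact/version) resolve from the same Maven repositories; it is not a general purl-type conversion, and a BOM that was already uploaded with gradle purls will appear as different components from the rewritten ones.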