DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

operational risk not identified #2254

Open trigomanju opened 1 year ago

trigomanju commented 1 year ago

Current Behavior

DT is not recognizing operational risks for certain components such as OpenSSL. [Screenshot 2022-12-08 130703]

Steps to Reproduce

1. By importing the SBOM to DT: 245c6435-8ebb-42b9-a7fb-4635673ee51d-withVulnerabilities.cdx.zip

Expected Behavior

Ideally it should show the operational risk for the OpenSSL component by comparing the version.

Dependency-Track Version

4.6.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

10.1

Browser

Google Chrome

nscuro commented 1 year ago

Hey @trigomanju, thanks for reporting!

Can you specify what exactly you mean with "operational risk"? Your screenshot highlights a table row with many vulnerabilities identified, what did you expect to see instead?

valentijnscholten commented 1 year ago

Might it be that an indicator is expected to be shown that 1.0.2h is not the latest version?

trigomanju commented 1 year ago

Hi Team,

An indicator is expected to show that 1.0.2h is not the latest version.

Regards, Manjunath


trigomanju commented 1 year ago

Hi Team,

Do we have a solution for this?

Regards, Manju

stevespringett commented 1 year ago

@trigomanju DT is not able to identify every outdated component. It is only able to identify outdated components that have been published to public repositories such as Maven, NPM, PyPI, etc.

See https://docs.dependencytrack.org/analysis-types/outdated-components/
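The distinction in the comment above can be made concrete with a small offline check over a CycloneDX SBOM. This is an added example, not Dependency-Track's own code: a component is only compared against a "latest version" when its Package URL names a repository type that can be queried (the three the comment names, Maven, NPM and PyPI, stand in for the real analyzer's list), while a component with no PURL, or with a `pkg:generic` PURL as OpenSSL typically has, is reported as not checkable rather than as current. The SBOM fragment, the PURL type set and the latest-version table are all constructed for the example; a real analyzer would query the registries instead of a dictionary.

```python
import json
import re

# Constructed CycloneDX 1.4 fragment standing in for the SBOM attached to the
# issue (the attached file itself is not part of this example).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2h",
         "purl": "pkg:generic/openssl@1.0.2h"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        # Constructed in-house component with no PURL at all.
        {"type": "library", "name": "internal-lib", "version": "1.0.0"},
    ],
})

# PURL types for the repositories named in the comment (Maven, NPM, PyPI).
# Assumption for the example: the real list of queryable repositories is longer.
REPOSITORY_TYPES = {"maven", "npm", "pypi"}

# Constructed stand-in for the answer a repository metadata lookup would give;
# the version strings here are illustrative, not real release data.
LATEST_VERSIONS = {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": "2.14.1",
    "pkg:npm/lodash": "4.17.21",
    "pkg:pypi/requests": "2.28.1",
}

# pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)(?:@(?P<version>[^?#]+))?")


def version_key(version):
    """Split a version into numeric and alphabetic runs so that plain
    tuple comparison orders 1.0.2 < 1.0.2h and 2.13.4 < 2.14.1."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def outdated_status(component):
    """Classify one SBOM component: outdated, current, or not checkable."""
    purl = component.get("purl")
    if not purl:
        return "no purl: cannot be checked"
    match = PURL_RE.match(purl)
    if not match:
        return "unparseable purl: cannot be checked"
    ptype = match.group("type")
    if ptype not in REPOSITORY_TYPES:
        # No public registry to ask, so "latest" is unknowable here.
        return f"unsupported repository type '{ptype}': cannot be checked"
    coordinates = f"pkg:{ptype}/{match.group('path')}"
    latest = LATEST_VERSIONS.get(coordinates)
    if latest is None:
        return "not found in repository: cannot be checked"
    current = match.group("version") or component.get("version", "")
    if version_key(current) < version_key(latest):
        return f"outdated (latest {latest})"
    return "current"


def analyze(sbom_json):
    """Return {component name: status} for every component in the BOM."""
    bom = json.loads(sbom_json)
    return {c["name"]: outdated_status(c) for c in bom.get("components", [])}


if __name__ == "__main__":
    for name, status in analyze(SAMPLE_SBOM).items():
        print(f"{name:20} {status}")
```

Run as-is, the script reports jackson-databind as outdated, lodash and requests as current, and both openssl and internal-lib as not checkable, which is the behaviour the thread is asking about: the absence of an outdated flag on OpenSSL says nothing about its age, only that there was no repository to compare against.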