DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Immediately uploading VEX has no effect #2596

Closed svenschwermer closed 1 year ago

svenschwermer commented 1 year ago

Current Behavior

I'm trying to automatically generate and upload a CycloneDX SBOM from Yocto builds to Dependency Track. The Yocto project has a concept of patching components' vulnerabilities through patches. I want to mark those vulnerabilities as resolved via a VEX file. However, uploading SBOM and VEX right after each other does not apply the VEX. The fixed vulnerabilities remain non-resolved. Only when I wait a few seconds can I upload the VEX and it actually has an effect.

Steps to Reproduce

SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:c353fcce-defe-4367-8bb9-8fde039fc639",
  "version": 1,
  "metadata": {
    "timestamp": "2023-03-10T21:40:25.805444"
  },
  "components": [
    {
      "name": "expat",
      "version": "2.5.0",
      "cpe": "cpe:2.3:a:*:expat:2.5.0:*:*:*:*:*:*:*",
      "bom-ref": "6e044c74-e3fc-4027-9507-c41d6b17ae13"
    },
    {
      "name": "libexpat",
      "version": "2.5.0",
      "cpe": "cpe:2.3:a:*:libexpat:2.5.0:*:*:*:*:*:*:*",
      "bom-ref": "7c3347d5-ec3d-4cb1-98a7-c5ee776b444b"
    },
    {
      "name": "d-bus_project:d-bus",
      "version": "1.14.4",
      "cpe": "cpe:2.3:a:d-bus_project:d-bus:1.14.4:*:*:*:*:*:*:*",
      "bom-ref": "eb0f0c74-8e1d-46eb-bae0-6870772c3905"
    },
    {
      "name": "libpcap",
      "version": "1.10.1",
      "cpe": "cpe:2.3:a:*:libpcap:1.10.1:*:*:*:*:*:*:*",
      "bom-ref": "ea70d5de-beaa-4eca-aced-765da69eee54"
    },
    {
      "name": "glib",
      "version": "2.72.3",
      "cpe": "cpe:2.3:a:*:glib:2.72.3:*:*:*:*:*:*:*",
      "bom-ref": "3bd8d7b3-20c8-410a-a718-f2a8c1e579fe"
    },
    {
      "name": "ca-certificates",
      "version": "20211016",
      "cpe": "cpe:2.3:a:*:ca-certificates:20211016:*:*:*:*:*:*:*",
      "bom-ref": "156687a4-544c-4e2c-8c2f-e093d5e4a78b"
    },
    {
      "name": "glibc",
      "version": "2.35",
      "cpe": "cpe:2.3:a:*:glibc:2.35:*:*:*:*:*:*:*",
      "bom-ref": "d33aa33f-9b7f-4156-bf6c-08e26b518951"
    },
    {
      "name": "libcap",
      "version": "2.66",
      "cpe": "cpe:2.3:a:*:libcap:2.66:*:*:*:*:*:*:*",
      "bom-ref": "1617fe86-4c9c-4626-ac68-869f4d8c5ff7"
    },
    {
      "name": "openssl:openssl",
      "version": "3.0.7",
      "cpe": "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*",
      "bom-ref": "013325a7-027a-49f4-bb7d-8f1de4020c28"
    },
    {
      "name": "libffi",
      "version": "3.4.4",
      "cpe": "cpe:2.3:a:*:libffi:3.4.4:*:*:*:*:*:*:*",
      "bom-ref": "945180da-f645-4008-b031-6ba91fa7cb1d"
    },
    {
      "name": "zlib",
      "version": "1.2.11",
      "cpe": "cpe:2.3:a:*:zlib:1.2.11:*:*:*:*:*:*:*",
      "bom-ref": "516d3162-59a7-4578-b3d7-38e3a9ae9f59"
    },
    {
      "name": "boost:boost",
      "version": "1.78.0",
      "cpe": "cpe:2.3:a:boost:boost:1.78.0:*:*:*:*:*:*:*",
      "bom-ref": "6748fc9e-b349-470d-a8ea-0a50687e7aaa"
    },
    {
      "name": "e2fsprogs",
      "version": "1.46.5",
      "cpe": "cpe:2.3:a:*:e2fsprogs:1.46.5:*:*:*:*:*:*:*",
      "bom-ref": "bb184736-c304-4153-af64-49fb9e338cc3"
    },
    {
      "name": "haxx:curl",
      "version": "7.82.0",
      "cpe": "cpe:2.3:a:haxx:curl:7.82.0:*:*:*:*:*:*:*",
      "bom-ref": "9a19a983-255d-4584-b23a-fe87a11363ea"
    },
    {
      "name": "haxx:libcurl",
      "version": "7.82.0",
      "cpe": "cpe:2.3:a:haxx:libcurl:7.82.0:*:*:*:*:*:*:*",
      "bom-ref": "2a6602f2-d4f1-48c7-8038-9152ae7166bc"
    },
    {
      "name": "curl:curl",
      "version": "7.82.0",
      "cpe": "cpe:2.3:a:curl:curl:7.82.0:*:*:*:*:*:*:*",
      "bom-ref": "e7cb5aee-2c7d-4964-be67-47271297c032"
    },
    {
      "name": "curl:libcurl",
      "version": "7.82.0",
      "cpe": "cpe:2.3:a:curl:libcurl:7.82.0:*:*:*:*:*:*:*",
      "bom-ref": "d173d174-836c-46a2-9524-da293c5f42f7"
    },
    {
      "name": "libcurl:libcurl",
      "version": "7.82.0",
      "cpe": "cpe:2.3:a:libcurl:libcurl:7.82.0:*:*:*:*:*:*:*",
      "bom-ref": "62a02a70-6735-4ccc-8156-cc0fe03d605d"
    },
    {
      "name": "daniel_stenberg:curl",
      "version": "7.82.0",
      "cpe": "cpe:2.3:a:daniel_stenberg:curl:7.82.0:*:*:*:*:*:*:*",
      "bom-ref": "84aec7e5-d854-4d5e-b27b-9a6fff0394e2"
    },
    {
      "name": "gnutls",
      "version": "3.7.4",
      "cpe": "cpe:2.3:a:*:gnutls:3.7.4:*:*:*:*:*:*:*",
      "bom-ref": "570dd456-b53d-4112-9918-2583e5975c3e"
    },
    {
      "name": "networkmanager",
      "version": "1.36.8+gitAUTOINC+905b316c1d",
      "cpe": "cpe:2.3:a:*:networkmanager:1.36.8:*:*:*:*:*:*:*",
      "bom-ref": "bc9abc78-6b9a-40e1-baf9-df790c99e295"
    }
    // ...
  ]
}

VEX:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:bc419ea6-0ac4-4fa2-84a4-2d6bee3891a2",
  "version": 1,
  "metadata": {
    "timestamp": "2023-03-10T21:40:25.805456"
  },
  "vulnerabilities": [
    {
      "id": "CVE-2022-3996",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#013325a7-027a-49f4-bb7d-8f1de4020c28"
        }
      ]
    },
    {
      "id": "CVE-2022-37434",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#516d3162-59a7-4578-b3d7-38e3a9ae9f59"
        }
      ]
    },
    {
      "id": "CVE-2018-25032",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#516d3162-59a7-4578-b3d7-38e3a9ae9f59"
        }
      ]
    },
    {
      "id": "CVE-2012-2677",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#6748fc9e-b349-470d-a8ea-0a50687e7aaa"
        }
      ]
    },
    {
      "id": "CVE-2022-1304",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#bb184736-c304-4153-af64-49fb9e338cc3"
        }
      ]
    },
    {
      "id": "CVE-2022-32206",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#9a19a983-255d-4584-b23a-fe87a11363ea"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#2a6602f2-d4f1-48c7-8038-9152ae7166bc"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#e7cb5aee-2c7d-4964-be67-47271297c032"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#d173d174-836c-46a2-9524-da293c5f42f7"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#62a02a70-6735-4ccc-8156-cc0fe03d605d"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#84aec7e5-d854-4d5e-b27b-9a6fff0394e2"
        }
      ]
    },
    {
      "id": "CVE-2022-43552",
      "analysis": {
        "state": "resolved"
      },
      "affects": [
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#9a19a983-255d-4584-b23a-fe87a11363ea"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#2a6602f2-d4f1-48c7-8038-9152ae7166bc"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#e7cb5aee-2c7d-4964-be67-47271297c032"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#d173d174-836c-46a2-9524-da293c5f42f7"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#62a02a70-6735-4ccc-8156-cc0fe03d605d"
        },
        {
          "ref": "urn:cdx:c353fcce-defe-4367-8bb9-8fde039fc639/1#84aec7e5-d854-4d5e-b27b-9a6fff0394e2"
        }
      ]
    }
    // ...
  ]
}

Upload via the following script:

curl -sSf -H "X-Api-Key: $DTRACK_API_KEY" \
    -F autoCreate=true \
    -F "projectName=$project" \
    -F "projectVersion=$version" \
    -F "bom=@build/tmp/deploy/images/$machine/$image-$machine.bom.json" \
    "https://$DTRACK_HOST/api/v1/bom"
curl -sSf -H "X-Api-Key: $DTRACK_API_KEY" \
    -F "projectName=$project" \
    -F "projectVersion=$version" \
    -F "vex=@build/tmp/deploy/images/$machine/$image-$machine.vex.json" \
    "https://$DTRACK_HOST/api/v1/vex"

Expected Behavior

I expect the VEX to apply even when I upload it right after uploading the SBOM. There may be other ways to achieve what I'm trying to do, but I'm struggling to make them work:

  1. CycloneDX has the pedigree field, but that doesn't seem to be supported by Dependency Track?
  2. There seems to be a way to embed the VEX into the SBOM file, but I couldn't make that work with Dependency Track either.

Dependency-Track Version

4.7.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.x

Browser

N/A

valentijnscholten commented 1 year ago

You could let your script wait for the BOM processing to be completed via the /token/{uuid} endpoint. After that you can upload the VEX.

However, when you upload a BOM without a VEX, vulnerabilities will be found and notifications will be triggered for those. This probably is unwanted for vulnerabilities that are marked as not applicable in the VEX that will be uploaded a little later.

So probably DT should have some support for this scenario. Either by allowing upload of BOM and VEX together, or some "analysis only mode (skip notifications)". Or it should just store the VEX internally first and then process the BOM.
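The wait-then-upload sequence this comment suggests, written out as an added example (not code from the issue or from Dependency-Track) that replaces the back-to-back curl calls in the Steps to Reproduce: upload the BOM, poll the token endpoint until processing has finished, and only then upload the VEX. It assumes the JSON upload variants `PUT /api/v1/bom` and `PUT /api/v1/vex` (base64-encoded payloads) and that `GET /api/v1/bom/token/{uuid}` answers `{"processing": true|false}`; the `http` transport is injectable so the flow can be exercised offline with a fake.

```python
import base64
import json
import time
import urllib.request

def urllib_http(method, url, headers, body):
    # Default transport: one HTTP request, returning (status, body bytes).
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()

def _put_json(http, base_url, path, api_key, payload):
    # JSON PUT to the Dependency-Track API; any non-200 aborts the pipeline.
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    status, body = http("PUT", base_url + path, headers, json.dumps(payload).encode())
    if status != 200:
        raise RuntimeError(f"PUT {path} failed with HTTP {status}")
    return json.loads(body) if body else {}

def submit_bom(http, base_url, api_key, project, version, bom_bytes):
    # PUT /api/v1/bom with the base64-encoded BOM; returns the processing token.
    payload = {"projectName": project, "projectVersion": version, "autoCreate": True,
               "bom": base64.b64encode(bom_bytes).decode()}
    return _put_json(http, base_url, "/api/v1/bom", api_key, payload)["token"]

def wait_for_bom(http, base_url, api_key, token, timeout=300, interval=2.0, sleep=time.sleep):
    # Poll GET /api/v1/bom/token/{uuid} until {"processing": false}; returns the poll count.
    polls, deadline = 0, time.monotonic() + timeout
    while True:
        status, body = http("GET", f"{base_url}/api/v1/bom/token/{token}", {"X-Api-Key": api_key}, None)
        polls += 1
        if status != 200:
            raise RuntimeError(f"token lookup failed with HTTP {status}")
        if not json.loads(body)["processing"]:
            return polls
        if time.monotonic() >= deadline:
            raise TimeoutError(f"BOM {token} still processing after {timeout}s")
        sleep(interval)  # injectable so the loop can be tested without real delays

def submit_vex(http, base_url, api_key, project, version, vex_bytes):
    # PUT /api/v1/vex for the same project/version, only after the BOM is processed.
    payload = {"projectName": project, "projectVersion": version, "vex": base64.b64encode(vex_bytes).decode()}
    _put_json(http, base_url, "/api/v1/vex", api_key, payload)

def upload_bom_then_vex(http, base_url, api_key, project, version, bom_bytes, vex_bytes, **wait_kw):
    # Upload the BOM, block until Dependency-Track has finished processing it, then upload the VEX.
    token = submit_bom(http, base_url, api_key, project, version, bom_bytes)
    polls = wait_for_bom(http, base_url, api_key, token, **wait_kw)
    submit_vex(http, base_url, api_key, project, version, vex_bytes)
    return polls
```

For a real run, pass `urllib_http` as the transport together with the host, API key and the two Yocto-generated files read as bytes.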

syalioune commented 1 year ago

Duplicate of https://github.com/DependencyTrack/dependency-track/issues/1872. Atomic update is indeed not supported at the moment.

To answer your questions

CycloneDX has the pedigree field, but that doesn't seem to be supported by Dependency Track?

It is not.

There seems to be a way to embed the VEX into the SBOM file, but I couldn't make that work with Dependency Track either.

The vulnerabilities node is ignored when uploading a BOM file through the /v1/bom upload.

github-actions[bot] commented 1 year ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.