DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

different result for affected projects of aliases #2794

Open sephiroth-j opened 1 year ago

sephiroth-j commented 1 year ago

Current Behavior

If a vulnerability has an alias (e.g. CVE-2023-29197 and GHSA-wxmh-65f7-jcvw), then the backend response of /api/v1/vulnerability/source/NVD/vuln/CVE-2023-29197/projects and api/v1/vulnerability/source/GITHUB/vuln/GHSA-wxmh-65f7-jcvw/projects will not return the same projects.

Steps to Reproduce

  1. have Github Advisories enabled
  2. import this project bce082ea-de4c-4d85-9ee0-67fab6027dea-inventory.cdx.json.txt as it is affected by CVE-2023-29197 and wait for the analysis result
  3. open https://dt-frontend/vulnerabilities/NVD/CVE-2023-29197 in a new tab and look at the affected projects. It should also have GHSA-wxmh-65f7-jcvw as an alias.
  4. open https://dt-frontend/vulnerabilities/GITHUB/GHSA-wxmh-65f7-jcvw in a new tab (or reload the page due to DependencyTrack/frontend/issues/481)

Expected Behavior

The projects affected by the alias vulnerabilities should be the same.

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

valentijnscholten commented 1 year ago

I think this was a design choice, at least for the first iteration of alias functionality. The current database design doesn't lend itself very well to easily/efficiently retrieving affected projects, including projects affected by aliases.

sephiroth-j commented 1 year ago

A naive approach would be

And I think that would be quite okay, assuming that V has only one or two aliases.

p.s. https://github.com/DependencyTrack/dependency-track/blob/25cf930e1b517130c7884354d4d94affe944a3d2/src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java#L475 https://github.com/DependencyTrack/dependency-track/blob/25cf930e1b517130c7884354d4d94affe944a3d2/src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java#L490-L493 Why not just use Set<Project> for projects right from the start?
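The alias-aware lookup sketched in this thread (the affected projects of V, unioned with the affected projects of every alias of V, collected in a Set so a project counted under both identifiers appears once) as an added Python model. This is not Dependency-Track's code and does not touch its persistence layer; it generalizes the one-hop case in the comment by treating alias links as undirected (an NVD record may list its GHSA alias while the GHSA record lists nothing back) and walking them transitively. The vulnerability identifiers are the ones from the issue; the project names and UUIDs are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    uuid: str
    name: str


@dataclass
class Vulnerability:
    source: str
    vuln_id: str
    aliases: frozenset = frozenset()   # (source, vuln_id) keys of known aliases
    affected: frozenset = frozenset()  # projects that have a finding against this record


class VulnStore:
    """In-memory stand-in for the vulnerability table, keyed by (source, vuln_id)."""

    def __init__(self, vulns):
        self._by_key = {(v.source, v.vuln_id): v for v in vulns}
        # Build an undirected alias graph: a link recorded on only one side
        # must still connect both records.  Links to unknown records are dropped.
        self._adj = defaultdict(set)
        for key, v in self._by_key.items():
            for alias in v.aliases:
                if alias in self._by_key:
                    self._adj[key].add(alias)
                    self._adj[alias].add(key)

    def affected_projects(self, source, vuln_id):
        """Per-source lookup: what a query keyed on one identifier alone returns."""
        return set(self._by_key[(source, vuln_id)].affected)

    def alias_closure(self, source, vuln_id):
        """All records reachable over alias links, including the starting one."""
        start = (source, vuln_id)
        seen = {start}
        stack = [start]
        while stack:
            key = stack.pop()
            for alias in self._adj[key]:
                if alias not in seen:
                    seen.add(alias)
                    stack.append(alias)
        return seen

    def affected_projects_with_aliases(self, source, vuln_id):
        """The naive approach from the thread: union over V and all of its aliases."""
        projects = set()
        for key in self.alias_closure(source, vuln_id):
            projects |= self._by_key[key].affected
        return projects


# Constructed sample data: one project was flagged by the NVD analyzer, the
# other by GitHub Advisories, so each identifier alone sees only half the picture.
PROJECT_A = Project("00000000-0000-4000-8000-000000000001", "inventory-service")
PROJECT_B = Project("00000000-0000-4000-8000-000000000002", "billing-api")

SAMPLE_VULNS = [
    Vulnerability("NVD", "CVE-2023-29197",
                  aliases=frozenset({("GITHUB", "GHSA-wxmh-65f7-jcvw")}),
                  affected=frozenset({PROJECT_A})),
    # The GHSA record carries no back-link; the undirected graph still joins it.
    Vulnerability("GITHUB", "GHSA-wxmh-65f7-jcvw",
                  affected=frozenset({PROJECT_B})),
]


if __name__ == "__main__":
    store = VulnStore(SAMPLE_VULNS)
    for src, vid in [("NVD", "CVE-2023-29197"), ("GITHUB", "GHSA-wxmh-65f7-jcvw")]:
        alone = sorted(p.name for p in store.affected_projects(src, vid))
        merged = sorted(p.name for p in store.affected_projects_with_aliases(src, vid))
        print(f"{src}/{vid}: by id only -> {alone}; with aliases -> {merged}")
```

Both per-source queries return a different single project, while the alias-aware query returns the same two projects whichever identifier is asked for; that equality is the expected behaviour the issue asks for.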