Component: Re-Check Vulnerabilities Button

[msymons]

Issue Type:

• [X] enhancement request

Current Behavior:

When Dependency-Track has ingested a vulnerability then it will associate the vulnerability against components.

On occasion that the vulnerability has a CPE change. This is illustrated by the change history section of 2018-8088 a change which has now been reflected in OSS Index.

Dependency-Track does not reflect these changes and cannot perform automated rechecking (for reasons explained in #302), meaning that some components are left with false positives and others with false negatives.

Expected Behavior:

Per linked issue, Dependency-Track should be enhanced by the addition of a button on the component screen that would perform an on-demand check for that single purl.

..and then update the component accordingly.

In the screenshot above, the false negative and positive respectively relate to:

pkg:maven/org.slf4j/slf4j-ext@1.7.25?type=jar
pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar

As DT is based on REST API, the functionality should also be executable via the API (ie, not relying on UI).

I would also expect results to be part of the audit trail. DT currently has an audit trail for vulnerabilities... should there be one for components themselves?

Environment:

• Dependency-Track Version: 3.4.0
• BOM Format & Version: CycloneDX (cyclonedx-maven-plugin v1.3.1)
  • Analyser: OSS Index

[msymons]

@stevespringett, since logging this enhancement I have spotted multiple false negatives in DT that all led back to OSS Index. I reported them to OSS Index and all have been fixed and, more importantly, have appeared in Dependency-Track. eg CVE-2018-1000180 for Bouncy Castle.

I went so crazy reporting issues via email that Sonatype created this repo to aid the reporting process: OSSIndex/vulns

I believe that the delay in such items showing up in DT might be more to do with #342 than anything else... and that issue is resolved in the upcoming v3.5.0 release (and looks great when tested in snapshots).

Therefore, I think that this enhancement should be dropped from p2 to p3.

[stevespringett]

Thank you for letting me know OSS Index has a new way of reporting data issues. I wasn't aware of it, but glad they came up with something, because email....

[msymons]

@stevespringett I would like to request that this enhancement be boosted in priority again!

Per the description, the original motivation for logging this request was #302, which focused on false positives. I find that false positives are still an utter bugbear of my life when it comes to Dependency-Track.

CVE-2021-22147 is an example of an Elasticsearch CVE that has correct version range info in GitHub advisories and in OSS Index data... but the latter was only corrected in mid-October to [7.11.0,7.14.0) to exclude older versions of Elasticsearch. Any NEW project in Dependency-Track now has no problem at all... but I was left with scores of false positives in projects (ie, "Attributed On" dates in September and early October).

It took over an hour of effort to suppress all the false positives. And that is just for a single vulnerability. Thus, the need for a mechanism to force Dependency-Track to update specific vulnerabilities (the button of the title).

302 explains that...

there are audit decisions (project and global) to take into consideration as well as unknown actions taken as a result of a webhook response, ThreadFix, Kenna, or Fortify SSC analysis and defect tracker tickets created.

On the one hand, there will be many DT deployments that have no integration with Threadfix or other systems. Thus, the choice on whether or not to clean up false positives should the users to take (the user with permissions, that is!). On the other, I would hope that a good integration would allow for error correction. Defect tracker tickets would be a perfect example.

[melba-lopez]

@msymons i believe this is already in place. I've seen the regular checking of the vuln sources and also there's a "reanalyze" button at the project level. should this be closed?