DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Component Reports "No Data Available" #321

Closed msymons closed 1 year ago

msymons commented 5 years ago

Issue Type:

Current Behavior:

Seen in Dependency-Track v3.4.0, multiple components are reporting "No Data Available" and a blank "Last Measurement".

The consequence of this is that the Components screen displays null in the Vulnerabilities column.

Steps to Reproduce (if defect):

View the Components screen with all columns displayed. Some components display a null value for "Vulnerabilities" but are otherwise OK (correct license, etc.).

[Screenshot: Components screen showing "No Data"]

Click on one component that has null vulnerabilities. The component will report "No Data Available" (The screenshot below truncates the "N") with the "Last Measurement" having no value. I checked that the components in my testing were all used in at least 1 project.

On clicking "Refresh" and reloading the page, there is now a timestamp for "Last Measurement" and the Overview is now displaying data, as shown here:

[Screenshot: individual component showing "No Data"]

If one now returns to "Components Screen" and uses "Refresh" then the component will now display a value in "Vulnerabilities" (even though it may be "0").

Expected Behavior:

Environment:

msymons commented 5 years ago

This defect has been previously reported as #297 (although that was with DT v3.5 snapshot)

stevespringett commented 5 years ago

Couple questions...

Dependency-Check scanner enabled/disabled?

Do the components in question have a Package URL? If so, provide an example.

msymons commented 5 years ago

Dependency-Check was formerly used but has been disabled on our system for the last couple of months. The scanners used are OSS Index, with npm re-enabled this morning after upgrade to v3.4.1

The components do all have a purl:

pkg:npm/acorn@5.7.3
pkg:maven/org.antlr/antlr4-runtime@4.7.1?type=jar

I do not know when antlr 4.7.1 was first added to the system (i.e., before or after switching off dependency-check), but I do see that 4.7.2 is listed... and I know it's more recent than our switch to BOMs (because I did the PR that updated it!) and this version does NOT have the "No data" issue.

As previously reported, doing a manual refresh button click for these two components fixed the problem.
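The purls quoted above follow the package-url format (pkg:type/namespace/name@version?qualifiers#subpath), which is what Dependency-Track keys its analyzers on. As an added example that is not part of this thread or of the Dependency-Track code base, here is a small parser that splits a purl into its components, handling the no-namespace case (npm) alongside the namespaced case with a qualifier (maven) and percent-encoded scoped names:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    """Parsed package-url components (pkg:type/namespace/name@version?qualifiers#subpath)."""
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Split a purl string into its components following the package-url spec."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    # Strip subpath and qualifiers from the right before looking for the version.
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if value:  # the spec drops qualifiers with an empty value
            qualifiers[key.lower()] = unquote(value)
    # The version follows the last literal '@'. Scoped npm namespaces such as
    # pkg:npm/%40angular/animation@12.3.1 encode their '@' as %40, so this is safe.
    path, sep, version = rest.rpartition("@")
    if not sep:
        path, version = rest, None
    else:
        version = unquote(version)
    segments = path.split("/")
    ptype = segments[0].lower()
    name = unquote(segments[-1]) if len(segments) > 1 else ""
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    if not ptype or not name:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    return PackageURL(ptype, namespace, name, version, qualifiers, subpath or None)


if __name__ == "__main__":
    # The two purls quoted in the comment above.
    for purl in ("pkg:npm/acorn@5.7.3",
                 "pkg:maven/org.antlr/antlr4-runtime@4.7.1?type=jar"):
        print(parse_purl(purl))
```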

stevespringett commented 5 years ago

In cases where a purl is not defined and dependencycheck is disabled, having no data is expected behavior for vulnerabilities. However, I'm unable to replicate this issue. I created a BOM with the components you're having trouble with and the components were imported and vulnerability and outdated analysis produced expected results.

At a minimum, vulnerability analysis takes place every 24 hours and metric updates take place every hour.

stevespringett commented 5 years ago

Although I have not been able to reproduce this issue, I'm including the same optimizations for component and project metrics as I did for dependency metrics in #267 as the issue might be related.

msymons commented 1 year ago

Given that the optimizations mentioned above were released in DT 3.5, and that there have been no further mentions of problems, I think that it is safe to close this issue.

github-actions[bot] commented 1 year ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.