Closed muellerst-hg closed 9 months ago
@muellerst-hg Is it just the logs that make you conclude that the VEX is not working?
I uploaded your BOM and the provided VEX afterwards; the analysis for CVE-2022-27404 was correctly applied. None of the other vulnerabilities in the VEX file have an analysis node, so there's nothing to import really.
The logging is indeed a bug. The cause is how vulnerabilities from VEX and vulnerabilities from the project are being iterated over during import. I'll get this sorted.
Please let me know if the VEX import doesn't actually do anything. I was not able to reproduce this, but if you experience that then it would definitely be a bug that needs addressing as well.
Thanks for your quick reply. I tested some more realistic scenarios in the VEX file:
Removing the analysis section from a CVE did NOT work as expected. The audit is still present although I would expect it to vanish. Is this a behavior by design?
This is indeed by design as of now. The reasoning being that you should be able to apply analyses manually, without VEX uploads overriding it if the VEX does not have an analysis. Is this something you'd need in your workflow?
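Added example, not Dependency-Track's own code: a small Python model of the two import rules discussed in this thread. A VEX entry is matched to a project finding by (source, vulnId), which is the check behind the "source/vulnid mismatch" warning quoted in the issue, and an analysis is imported only when the entry actually carries an analysis node, so a VEX without one leaves an existing manual audit untouched (the by-design behaviour described above). The findings table, the VEX document and the CVE-0000-* identifiers are constructed for the example; only CVE-2022-27404 and the warning text come from the issue.

```python
import copy
import json

# Constructed sample of a project's findings as an import routine might hold
# them, keyed by (source, vulnId). CVE-0000-0001 carries a manual audit so we
# can check that a VEX entry without an analysis node does not wipe it.
PROJECT_FINDINGS = {
    ("NVD", "CVE-2022-27404"): {"analysis": None},
    ("NVD", "CVE-0000-0001"): {"analysis": {"state": "false_positive"}},  # manual audit (constructed)
}

# Constructed CycloneDX VEX document (ids starting CVE-0000- are placeholders).
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {   # source present, id known, analysis node present -> imported
            "id": "CVE-2022-27404",
            "source": {"name": "NVD"},
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "response": ["will_not_fix"],
                "detail": "constructed example analysis",
            },
        },
        {   # matches a finding but has no analysis node -> nothing to import
            "id": "CVE-0000-0001",
            "source": {"name": "NVD"},
        },
        {   # source missing -> warning, entry ignored
            "id": "CVE-0000-0002",
            "analysis": {"state": "exploitable"},
        },
        {   # source/id pair not in the project -> warning, entry ignored
            "id": "CVE-0000-0003",
            "source": {"name": "GITHUB"},
            "analysis": {"state": "in_triage"},
        },
    ],
})

# Warning text as logged by Dependency-Track in the issue report.
WARNING = ("Analysis data for vulnerability {vid} will be ignored because either "
           "the source is missing or there is a source/vulnid mismatch between "
           "VEX and Dependency Track database.")


def import_vex(findings, vex_json):
    """Apply VEX analyses to `findings` in place.

    Returns (applied, skipped, warnings): ids whose analysis was imported,
    ids matched but carrying no analysis node, and warning strings for
    entries that could not be matched at all.
    """
    vex = json.loads(vex_json)
    applied, skipped, warnings = [], [], []
    for vuln in vex.get("vulnerabilities", []):
        vuln_id = vuln.get("id")
        source = (vuln.get("source") or {}).get("name")
        key = (source, vuln_id)
        # Rule 1: the (source, vulnId) pair must exist on the project side.
        if source is None or key not in findings:
            warnings.append(WARNING.format(vid=vuln_id))
            continue
        # Rule 2: no analysis node means "leave whatever is there alone".
        analysis = vuln.get("analysis")
        if analysis is None:
            skipped.append(vuln_id)
            continue
        findings[key]["analysis"] = dict(analysis)
        applied.append(vuln_id)
    return applied, skipped, warnings


def run_example():
    """Run the import on a fresh copy of the constructed findings."""
    findings = copy.deepcopy(PROJECT_FINDINGS)
    applied, skipped, warnings = import_vex(findings, VEX_JSON)
    return {"applied": applied, "skipped": skipped,
            "warnings": warnings, "findings": findings}


if __name__ == "__main__":
    result = run_example()
    print("applied:", result["applied"])
    print("skipped (no analysis node):", result["skipped"])
    for w in result["warnings"]:
        print("WARN", w)
```

Running it shows one applied analysis (CVE-2022-27404), one entry skipped because it has no analysis node while the manual false_positive audit on that finding survives, and two warnings for the unmatched entries. The real importer's per-vulnerability warning reported in this issue is a logging bug in how the two lists are iterated, not a failure of rule 1, which is why the analysis still lands despite the noise.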
Let me think about it and discuss with my team. We're currently evaluating how to create, store and apply VEX (specs like CycloneDX VEX and OpenVEX).
I agree, the current behavior makes sense when you use the dtrack frontend for auditing. Scenarios which have more than a single source of truth could be tricky.
Reopening the issue, which is about the misleading warning.
Current Behavior
I tried to import VEX files both with the API and the Frontend (tab Audit Vulnerabilities -> [Apply VEX] button). It fails with the following warning for each vulnerability in the VEX file:
2023-11-22 17:00:25,420 WARN [CycloneDXVexImporter] Analysis data for vulnerability CVE-2022-27404 will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.
This even happens with VEX files I have exported from DependencyTrack and uploaded unchanged.
Attachments: bom.json, vex.json
Steps to Reproduce
The exported vex.json file is attached.
I also tried using the files and description from #2977; none of the VEX files there work.
Expected Behavior
I would expect the vulnerabilities (incl. audits) to be applied to the project/component without any warning in the logs.
Dependency-Track Version
4.9.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
13.13
Browser
Mozilla Firefox