DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Apply VEX fails with warning [CycloneDXVexImporter] Analysis data for vulnerability ... will be ignored #3221

Closed muellerst-hg closed 9 months ago

muellerst-hg commented 9 months ago

Current Behavior

I tried to import VEX files both with the API and the Frontend (Tab Audit Vulnerabilities -> [Apply VEX] button). It fails with the following warning for each vulnerability in the VEX file:

2023-11-22 17:00:25,420 WARN [CycloneDXVexImporter] Analysis data for vulnerability CVE-2022-27404 will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.

This even happens with VEX files I have exported from DependencyTrack and uploaded unchanged.

Attachments: bom.json, vex.json

Steps to Reproduce

  1. Create a new project of type "Application" and import the following BOM:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:91e8fccf-6474-4267-882f-567fddd8b1a5",
  "version": 1,
  "metadata": {
    "timestamp": "2023-08-22T19:53:32.349324+00:00",
    "component": {
        "bom-ref": "0d6f1320-3f61-4328-9877-c93438ef3d73"
    }
  },
  "components": [
    {
      "name": "freetype",
      "version": "2.11.1",
      "cpe": "cpe:2.3:*:*:freetype:2.11.1:*:*:*:*:*:*:*",
      "bom-ref": "a58e2755-a4fb-4444-9106-cc40ed6ec350"
    }
  ]
}
```

  2. Wait for the BOM to be processed.
  3. Go to the "Audit Vulnerabilities" tab, pick CVE-2022-27404 and add an audit.
  4. Download the VEX file with the "Export VEX" button.
  5. Upload the VEX file you just exported with the "Apply VEX" button.
  6. Look at the log and find: 2023-11-22 17:10:17,888 WARN [CycloneDXVexImporter] Analysis data for vulnerability CVE-2022-27404 will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.

The exported vex.json file is attached.

I also tried using the files and description from #2977; none of the VEX files there work.

Expected Behavior

I would expect the vulnerabilities (incl. audits) to be applied to the project/component without any warning in the logs.

Dependency-Track Version

4.9.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

13.13

Browser

Mozilla Firefox

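The reproduction steps above go through the frontend; the reporter says the API path fails the same way. The script below, added here as an example and not code from the issue or from the Dependency-Track project, drives the same steps through the REST API so the warning can be triggered without clicking. The endpoints (PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/vex/cyclonedx/project/{uuid}, PUT /api/v1/vex) are used as the author of this example understands the 4.9 REST API; the base URL, API key and project UUID are placeholders read from the environment, and the audit step itself (step 3) still happens in the frontend.

```python
"""Drive the issue's reproduction steps through the Dependency-Track REST API.

Added example for this thread, not code from the issue or the project. Endpoint
paths are as the author of this example understands the 4.9 REST API; the base
URL, API key and project UUID are placeholders taken from the environment.
"""
import base64
import json
import os
import time
import urllib.request

DT_API = os.environ.get("DT_API", "http://localhost:8081")   # assumption: API server URL
DT_API_KEY = os.environ.get("DT_API_KEY", "replace-me")      # assumption: key allowed to upload BOM/VEX
PROJECT_UUID = os.environ.get("PROJECT_UUID", "00000000-0000-0000-0000-000000000000")  # placeholder


def submit_request(project_uuid: str, field: str, document: bytes) -> dict:
    """Request body for PUT /api/v1/bom and PUT /api/v1/vex: the document
    base64-encoded under "bom" or "vex", addressed to an existing project."""
    if field not in ("bom", "vex"):
        raise ValueError(f"unsupported field {field!r}")
    return {"project": project_uuid, field: base64.b64encode(document).decode("ascii")}


def token_of(upload_response: bytes) -> str:
    """A BOM upload answers with a processing token that can be polled."""
    return json.loads(upload_response)["token"]


def _call(method: str, path: str, body=None) -> bytes:
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        DT_API + path, data=data, method=method,
        headers={"X-Api-Key": DT_API_KEY,
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def upload_bom(bom: bytes) -> str:
    """Step 1: import the BOM, returning the processing token."""
    return token_of(_call("PUT", "/api/v1/bom", submit_request(PROJECT_UUID, "bom", bom)))


def wait_for_bom(token: str, attempts: int = 60) -> None:
    """Step 2: block until the server reports the BOM as processed."""
    for _ in range(attempts):
        if not json.loads(_call("GET", f"/api/v1/bom/token/{token}"))["processing"]:
            return
        time.sleep(2)
    raise TimeoutError("BOM still processing")


def export_vex() -> bytes:
    """Step 4: the same document the "Export VEX" button downloads."""
    return _call("GET", f"/api/v1/vex/cyclonedx/project/{PROJECT_UUID}")


def apply_vex(vex: bytes) -> bytes:
    """Step 5: the same call the "Apply VEX" button makes."""
    return _call("PUT", "/api/v1/vex", submit_request(PROJECT_UUID, "vex", vex))


if __name__ == "__main__":
    with open("bom.json", "rb") as fh:          # the BOM from the issue, saved locally
        wait_for_bom(upload_bom(fh.read()))
    input("Audit CVE-2022-27404 in the frontend (step 3), then press Enter... ")
    exported = export_vex()
    apply_vex(exported)   # step 6: now check the server log for the CycloneDXVexImporter warning
```

Only `submit_request` and `token_of` are pure; everything else talks to a live server, so run it against a test instance with the attached bom.json in the working directory.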

nscuro commented 9 months ago

@muellerst-hg Is it just the logs that make you conclude that the VEX is not working?

I uploaded your BOM and the provided VEX afterwards; the analysis for CVE-2022-27404 was correctly applied. None of the other vulnerabilities in the VEX file have an analysis node, so there's nothing to import really.

The logging is indeed a bug. The cause is how vulnerabilities from VEX and vulnerabilities from the project are being iterated over during import. I'll get this sorted.

Please let me know if the VEX import doesn't actually do anything. I was not able to reproduce this, but if you experience that then it would definitely be a bug that needs addressing as well.

muellerst-hg commented 9 months ago

> Please let me know if the VEX import doesn't actually do anything. I was not able to reproduce this, but if you experience that then it would definitely be a bug that needs addressing as well.

Thanks for your quick reply. I tested some more realistic scenarios in the VEX file:

nscuro commented 9 months ago

> Removing the analysis section from a CVE did NOT work as expected. The audit is still present although I would expect it to vanish. Is this a behavior by design?

This is indeed by design as of now. The reasoning being that you should be able to apply analyses manually, without VEX uploads overriding it if the VEX does not have an analysis. Is this something you'd need in your workflow?
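Two behaviours come up in this thread: the importer's warning that an analysis is ignored when the source is missing or source/vulnId do not match a finding on the project, and the design decision just described, that a VEX entry without an analysis node leaves an existing analysis untouched. The script below is an added example (not code from the Dependency-Track project) that models both as a pre-flight check you can run on a VEX before uploading it. The `Finding` shape, exact string matching on source and id, and the source name "NVD" are assumptions made for the example; the vulnerability entries are constructed sample data rather than the attached vex.json.

```python
"""Pre-flight a CycloneDX VEX the way the importer's warning would judge it.

Added example for this thread, not code from the Dependency-Track project.
Assumptions: findings are matched on exact (source, id, component bom-ref),
the finding shape below, and "NVD" as the source name the project uses.
"""
import json
from dataclasses import dataclass
from typing import Optional

COMPONENT_REF = "a58e2755-a4fb-4444-9106-cc40ed6ec350"   # freetype bom-ref from the issue's BOM

# Constructed VEX in CycloneDX 1.4 shape, not the vex.json attached to the issue.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [
        {   # source and analysis present, matches a finding -> applied
            "id": "CVE-2022-27404", "source": {"name": "NVD"},
            "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                         "detail": "affected glyph loader is not used"},
            "affects": [{"ref": COMPONENT_REF}]},
        {   # no analysis node -> nothing to import, not an error
            "id": "CVE-2022-27405", "source": {"name": "NVD"},
            "affects": [{"ref": COMPONENT_REF}]},
        {   # source missing -> importer cannot tell which vulnerability this is
            "id": "CVE-2022-27406", "analysis": {"state": "in_triage"},
            "affects": [{"ref": COMPONENT_REF}]},
        {   # source differs from the finding's source -> source/vulnId mismatch
            "id": "CVE-2022-27404", "source": {"name": "OSV"},
            "analysis": {"state": "exploitable"},
            "affects": [{"ref": COMPONENT_REF}]},
    ],
})


@dataclass
class Analysis:
    state: str
    justification: Optional[str] = None
    detail: Optional[str] = None


@dataclass
class Finding:
    source: str
    vuln_id: str
    component_ref: str
    analysis: Optional[Analysis] = None


def sample_findings() -> list:
    """Constructed findings for the BOM; CVE-2022-27405 already carries a manual audit."""
    return [
        Finding("NVD", "CVE-2022-27404", COMPONENT_REF),
        Finding("NVD", "CVE-2022-27405", COMPONENT_REF, Analysis("false_positive")),
        Finding("NVD", "CVE-2022-27406", COMPONENT_REF),
    ]


def _entries(vex_json: str):
    """Yield (id, source name, analysis node, affected bom-refs) per VEX entry."""
    for entry in json.loads(vex_json).get("vulnerabilities", []):
        source = (entry.get("source") or {}).get("name")
        refs = [a.get("ref") for a in entry.get("affects", [])]
        yield entry.get("id", ""), source, entry.get("analysis"), refs


def preflight(vex_json: str, findings: list) -> dict:
    """Bucket every VEX entry by what the importer would do with it."""
    known = {(f.source, f.vuln_id, f.component_ref) for f in findings}
    report = {"applied": [], "no_analysis": [], "missing_source": [], "mismatch": []}
    for vuln_id, source, analysis, refs in _entries(vex_json):
        if analysis is None:
            report["no_analysis"].append(vuln_id)
        elif not source:
            report["missing_source"].append(vuln_id)
        elif not any((source, vuln_id, r) in known for r in refs):
            report["mismatch"].append(f"{source}:{vuln_id}")
        else:
            report["applied"].append(f"{source}:{vuln_id}")
    return report


def apply_vex(vex_json: str, findings: list) -> list:
    """Copy analyses onto matching findings. Skipped entries (no analysis, no
    source, no matching finding) never clear an analysis that is already there."""
    by_key = {(f.source, f.vuln_id, f.component_ref): f for f in findings}
    for vuln_id, source, analysis, refs in _entries(vex_json):
        if analysis is None or not source:
            continue
        for ref in refs:
            finding = by_key.get((source, vuln_id, ref))
            if finding is not None:
                finding.analysis = Analysis(analysis.get("state", ""),
                                            analysis.get("justification"),
                                            analysis.get("detail"))
    return findings


if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_VEX, sample_findings()), indent=2))
    for f in apply_vex(SAMPLE_VEX, sample_findings()):
        print(f.vuln_id, f.analysis)
```

On the sample data the third and fourth entries are the ones that would trip the warning, the second is the "nothing to import" case, and after `apply_vex` the manual audit on CVE-2022-27405 is still in place. Feeding the report into a CI gate (fail on `missing_source` or `mismatch`) catches a broken VEX before it reaches the server log.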

muellerst-hg commented 9 months ago

> This is indeed by design as of now. The reasoning being that you should be able to apply analyses manually, without VEX uploads overriding it if the VEX does not have an analysis. Is this something you'd need in your workflow?

Let me think about it and discuss with my team. We're currently evaluating how to create, store and apply VEX, with specs like CycloneDX VEX and OpenVEX.

I agree, the current behavior makes sense when you use the dtrack frontend for auditing. Scenarios which have more than a single source of truth could be tricky.

muellerst-hg commented 9 months ago

Reopening the issue, which is about the misleading warning.

github-actions[bot] commented 8 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.