DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Issues with Email Alert Content #325

Open msymons opened 5 years ago

msymons commented 5 years ago

Issue Type:

Current Behavior:

Dependency-Track v3.4.1 email alerts (which use Template Mimetype "text/plain") are not encoding/decoding correctly... when the advisory (as viewed in DT UI) displays a single quote, the email alert from DT has '. This makes emails rather hard to read, as can be seen here:

[screenshot: email-content]

The screenshot does also illustrate a couple of other issues:

Steps to Reproduce (if defect):

I have seen the ' issue affecting alerts relating to multiple npm components, e.g.

pkg:npm/tunnel-agent@0.4.3
pkg:npm/lodash@4.17.10
pkg:npm/ws@1.1.2

I have not yet seen the issue for Maven components... but that is because I've only just enabled both alerts and npm analysis (following the upgrade to DT v3.4.1) and no Maven alerts have yet been generated!

Anyway, for npm.

        <component type="library">
            <name>tunnel-agent</name>
            <version>0.4.3</version>
            <description>
                <![CDATA[HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.]]>
            </description>
            <hashes>
                <hash alg="SHA-1">6373db76909fe570e08d73583365ed828a74eeeb</hash>
            </hashes>
            <licenses>
                <license>
                    <id>Apache-2.0</id>
                </license>
            </licenses>
            <purl>pkg:npm/tunnel-agent@0.4.3</purl>
            <modified>false</modified>
        </component>

Expected Behavior:

Email alerts should decode encoded characters correctly.

Environment:

stevespringett commented 5 years ago

The system does not have control over how vulnerability intelligence providers encode their data. The most common is a combination of Markdown and HTML entity encoding. Therefore Markdown decoding and HTML entity decoding may be required.

For Markdown, use of https://github.com/atlassian/commonmark-java (TextContentRenderer) may be required.

Double decoding of large text fields will have a performance impact.
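One way to apply the two decoding steps this comment describes before a description reaches a "text/plain" email template, as an added example that is not Dependency-Track's own code: it assumes commonmark-java (its TextContentRenderer, as suggested above) and Apache Commons Text on the classpath; the class name and the sample description are constructed.

```java
// Added example: turn a provider-supplied description that is both HTML-entity
// encoded and Markdown formatted into plain text for a text/plain email.
// Assumes org.commonmark:commonmark and org.apache.commons:commons-text on the classpath.
import org.apache.commons.text.StringEscapeUtils;
import org.commonmark.node.Node;
import org.commonmark.parser.Parser;
import org.commonmark.renderer.text.TextContentRenderer;

public final class PlainTextDescription {

    // Parser and renderer are thread-safe and reusable; building them once per
    // notification would add to the cost the comment above warns about.
    private static final Parser PARSER = Parser.builder().build();
    private static final TextContentRenderer RENDERER =
            TextContentRenderer.builder().build();

    /**
     * Step 1: decode HTML entities (&#39; -> ', &amp; -> &, ...).
     * Step 2: parse the result as Markdown and render it as plain text, which
     * drops emphasis markers, link syntax and heading markers.
     * Entities are decoded first so that entity-encoded Markdown (for example
     * &#42;&#42;bold&#42;&#42;) is also rendered rather than left verbatim.
     * Both passes are linear in the text length, but they run on every
     * notification, which is the performance point raised above.
     */
    public static String toPlainText(String raw) {
        if (raw == null || raw.isEmpty()) {
            return "";
        }
        String unescaped = StringEscapeUtils.unescapeHtml4(raw);
        Node document = PARSER.parse(unescaped);
        return RENDERER.render(document).trim();
    }

    public static void main(String[] args) {
        // Constructed sample in the shape the issue describes: the provider's
        // text carries &#39; where the UI shows a single quote, plus Markdown.
        String fromProvider =
                "A **sample** description that doesn&#39;t read well in a "
                + "[text/plain](https://example.invalid/advisory) email.";
        System.out.println(toPlainText(fromProvider));
    }
}
```

If the email template is later switched to "text/html", the entity-decoded text would need re-escaping for HTML output, since the first step also turns `&lt;` and `&gt;` back into markup.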