DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Export and Import VEX fails to match Vulnerabilities correctly #3554

Open surendrapathak opened 7 months ago

surendrapathak commented 7 months ago

Current Behavior

If a CVE affects multiple components in the SBOM, the exploitability status is updated only for one of those components. Exporting the status as VEX and importing it in an identical configuration will change the status of both CVEs.

Effectively, VEX is applied only by CVE ID and not by CVE ID + affected component.

Steps to Reproduce

This was discovered based on a hunch, and therefore, the steps are custom:

  1. Create a Product and add two components, one with PURL pkg:pypi/gradio@1.0.0a1 and the other with PURL pkg:pypi/gradio@0.1.01
  2. Confirm two entries for the CVE-2023-41626 under 'Audit Vulnerabilities'
     (screenshot: 2024-03-14, 6:58:04 PM)
  3. Change the status of just one of those to 'EXPLOITABLE'
  4. Export VEX
  5. Change the status of one of these to 'Not Set'
     (screenshot: 2024-03-14, 6:58:41 PM)
  6. Re-import VEX
  7. Status sets to 'EXPLOITABLE' for both of the vulnerabilities
     (screenshot: 2024-03-14, 6:59:07 PM)

Expected Behavior

Only gradio v0.1.0 CVE-2023-41626 should be set to EXPLOITABLE

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

muellerst-hg commented 4 months ago

I can confirm the described behavior with the following bom: bom-express.json

muellerst-hg commented 4 months ago

@surendrapathak Could you please enable "BOM Validation" in "Configuration/Bom Format" settings and retry to "Apply VEX"? Importing the VEX file should fail with:

The uploaded BOM is invalid Schema validation failed

muellerst-hg commented 4 months ago

For completeness, here's the VEX file for the above bom-express.json which I exported using the Dependency-Track UI: vex-express.json

It contains duplicate items, which is invalid according to cyclonedx 1.5 schema

nscuro commented 4 months ago

Good catch @muellerst-hg!

Could you please raise a separate issue for that, since the problem described in this issue is related to matching once a VEX is already parsed.

muellerst-hg commented 4 months ago

Opened #3834 for cyclonedx schema issue

pdaran commented 3 months ago

I would also like to add that when exporting a VEX, the vulnerability's (BOM-)reference in the affects field of the vulnerability will only be the BOM reference of the project being scanned, and not the actual software component that actually contains the CVE.

To get the correct bom-references in the affects field of the vulnerability/VEX, you need to download the SBOM containing the vulnerabilities from "Download BOM -> Inventory with Vulnerabilities", rather than exporting the VEX, which would on the other hand of course additionally contain all the components.

The expected behaviour is that the vulnerabilities should still contain the bom-reference to the actual component present in the SBOM when exporting the VEX so that it could be processed on a per component basis.
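To make the matching problem from the issue description and pdaran's point about `affects[].ref` concrete, here is an added example (not Dependency-Track's own code) that applies a CycloneDX 1.5 VEX to a constructed inventory keyed by (vulnerability id, component bom-ref). The bom-ref values `comp-gradio-1`, `comp-gradio-2` and `project-ref` are assumed for illustration; the `match_component=False` switch reproduces the reported id-only behaviour, and `dangling_refs` flags a VEX whose `affects` entries name no component in the inventory.

```python
"""Added example (not Dependency-Track code): apply a CycloneDX VEX to an
inventory keyed by (vulnerability id, affected bom-ref), not by id alone."""
import json

# Constructed inventory mirroring the issue: one CVE hitting two gradio components.
# bom-ref values are assumed for illustration.
INVENTORY = [
    {"bom_ref": "comp-gradio-1", "purl": "pkg:pypi/gradio@1.0.0a1",
     "vuln": "CVE-2023-41626", "state": "NOT_SET"},
    {"bom_ref": "comp-gradio-2", "purl": "pkg:pypi/gradio@0.1.01",
     "vuln": "CVE-2023-41626", "state": "NOT_SET"},
]

# Constructed CycloneDX 1.5 VEX: an analysis for the 0.1.01 component only.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{
        "id": "CVE-2023-41626",
        "analysis": {"state": "exploitable"},
        "affects": [{"ref": "comp-gradio-2"}],
    }],
})

# Constructed VEX whose affects[] points at the project, as pdaran describes,
# so it cannot be matched to any individual component.
VEX_PROJECT_ONLY_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{"id": "CVE-2023-41626",
                         "analysis": {"state": "exploitable"},
                         "affects": [{"ref": "project-ref"}]}],
})


def apply_vex(inventory, vex_json, match_component=True):
    """Return {(vuln id, bom_ref): state} after applying the VEX.
    match_component=False reproduces the reported bug: match on CVE id only."""
    result = {(f["vuln"], f["bom_ref"]): f["state"] for f in inventory}
    for v in json.loads(vex_json).get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state")
        if not state:
            continue  # no analysis, nothing to apply
        refs = {a.get("ref") for a in v.get("affects", [])}
        for f in inventory:
            if f["vuln"] != v["id"]:
                continue
            if match_component and f["bom_ref"] not in refs:
                continue  # the VEX says nothing about this component
            result[(f["vuln"], f["bom_ref"])] = state.upper()
    return result


def dangling_refs(inventory, vex_json):
    """bom-refs named in affects[] that match no component in the inventory."""
    known = {f["bom_ref"] for f in inventory}
    named = {a.get("ref") for v in json.loads(vex_json).get("vulnerabilities", [])
             for a in v.get("affects", [])}
    return sorted(named - known)
```

Running `apply_vex` with the default leaves `comp-gradio-1` at NOT_SET and sets only `comp-gradio-2` to EXPLOITABLE; with `match_component=False` both flip, which is the behaviour the issue reports.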