DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Flutter packages (pub) get vulnerability from npm #3669

Open evyaroshevich opened 2 months ago

evyaroshevich commented 2 months ago

Current Behavior

While scanning the Flutter project, I discovered a false positive. DependencyTrack incorrectly identified the package pkg:pub/build@2.4.1 as belonging to the npm repository and issued the vulnerability CVE-2020-28423. Upon visiting the NIST NVD website to view the details, I found that it has cpe:2.3:a:monorepo-build_project:monorepo-build:*:*:*:*:*:node.js:*:*. Although in the actual bom file, the cpe is absent altogether.

Steps to Reproduce

  1. git clone any flutter project with pub/build@2.4.1
  2. generate bom file
  3. upload bom file to dependencytrack server

Expected Behavior

The vulnerability should not appear on this component.

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

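One way to catch this kind of ecosystem mismatch in a post-processing step, as an added example that is not Dependency-Track's own code: it parses the component's package-url and the CPE 2.3 string and reports when the CPE's target_sw names a different ecosystem than the purl type (here node.js versus a pub package). The purl-type-to-target_sw mapping and the function names are assumptions; the CPE string is the one quoted in this issue with its wildcards restored.

```python
import re

# Assumed mapping from PURL type to the CPE target_sw values that belong to
# the same ecosystem. A PURL type not listed here is never reported.
ECOSYSTEM_TARGET_SW = {
    "npm": {"node.js", "nodejs", "javascript"},
    "pub": {"dart", "flutter"},
    "pypi": {"python"},
    "maven": {"java"},
    "golang": {"go"},
}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)(?:@(?P<version>[^?#]+))?")
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_purl(purl: str) -> dict:
    """Return type, name and version of an unscoped package-url."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a package-url: {purl}")
    return {"type": m["type"].lower(), "name": m["path"].rsplit("/", 1)[-1],
            "version": m["version"]}

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attribute fields."""
    # a colon escaped as '\:' is part of a value, not a separator
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, fields[2:]))

def ecosystem_mismatch(purl: str, cpe: str) -> bool:
    """True when the CPE's target_sw names an ecosystem other than the PURL's.
    A wildcard ('*') or 'NA' ('-') target_sw cannot rule a match out."""
    expected = ECOSYSTEM_TARGET_SW.get(parse_purl(purl)["type"])
    target_sw = parse_cpe23(cpe)["target_sw"].lower()
    if expected is None or target_sw in ("*", "-"):
        return False
    return target_sw not in expected

if __name__ == "__main__":
    # The pairing from this issue; the CPE is the NVD string as reconstructed.
    print(ecosystem_mismatch("pkg:pub/build@2.4.1",
          "cpe:2.3:a:monorepo-build_project:monorepo-build:*:*:*:*:*:node.js:*:*"))
```

The same CPE applied to an npm component of that name is not reported, so the check only suppresses cross-ecosystem matches rather than CPE matching in general.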

nscuro commented 1 month ago

Which analyzer was the vulnerability attributed to? You can find this info in the Analyzer column of the Audit Vulnerabilities tab.

ostannar commented 1 month ago

Hi @evyaroshevich,

how do you generate the .sbom file for dependency track?

evyaroshevich commented 3 weeks ago

@nscuro Analyzer: NVD

evyaroshevich commented 3 weeks ago

Hi @ostannar, I'm using a universal generator, CycloneDX/cdxgen.