DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

False Alerts on Old Versions of Dependencies in Slack Notifications #3814

Open sunilnaidugc opened 4 weeks ago

sunilnaidugc commented 4 weeks ago

Current Behavior

In our Production environment we have observed that alerts for vulnerabilities are being triggered based on outdated versions of dependencies that have already been patched. These alerts do not reflect the latest SBOM uploads and are referencing old versions that are no longer in use. The outdated versions are not visible in the OWASP Dependency-Track UI but appear in Slack notifications.

Steps to Reproduce

  1. Deploy a service with a vulnerable version of a dependency (e.g., pkg:npm/vite@5.2.2).
  2. Patch the vulnerability by updating the dependency to a non-vulnerable version.
  3. Upload the updated SBOM to OWASP Dependency-Track.
  4. Monitor Slack notifications for vulnerability alerts referencing the old, vulnerable version despite the update.

Expected Behavior

Alerts for vulnerabilities should be based on the most recent SBOM uploads, reflecting the current versions of dependencies. Once a vulnerability is patched and the SBOM is updated, there should be no alerts referencing old versions of the dependencies.

Here are two examples of the issue:

  1. A service currently at version c776dc233eaed received an alert for a vulnerability in pkg:npm/vite@5.2.2, which is an old version from March 22.
  2. Another service currently at version 79 received an alert for a vulnerability in pkg:npm/vite@5.1.6, which is an old version from March 20.

These alerts are not consistent with the current state of the services and do not appear in the OWASP Dependency-Track UI, only in Slack notifications. This issue occurs sporadically and not on a regular basis.

Thank you for your assistance in resolving this issue.

Dependency-Track Version

4.10.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.5

Browser

Google Chrome

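One way to triage a notification like the ones described above is to check whether the component version named in the alert is still part of the project's current SBOM. The following is an added example, not Dependency-Track code; the alert and inventory payloads are constructed samples (the patched vite version and vulnerability ids are placeholders), and a real check would feed it the notification JSON and the component list for the project.

```python
"""Flag alerts whose component PURL is absent from the current inventory.

Added example, not part of Dependency-Track. All sample data below is
constructed; field names are a simplified stand-in for a real payload.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Purl:
    type: str
    name: str          # includes the namespace, e.g. "org.apache/foo"
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse the package-url subset used here: pkg:<type>/[<ns>/]<name>[@<version>]."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[len("pkg:"):]
    body = body.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    ptype, _, name = body.partition("/")
    return Purl(ptype, name, version)


def stale_alerts(alerts: List[dict], inventory: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (vuln_id, purl, versions_actually_present) for each alert whose
    exact component version is not in the current inventory."""
    current: Dict[Tuple[str, str], Set[str]] = {}
    for entry in inventory:
        p = parse_purl(entry)
        current.setdefault((p.type, p.name), set()).add(p.version or "")
    stale = []
    for alert in alerts:
        c = parse_purl(alert["purl"])
        present = current.get((c.type, c.name), set())
        if (c.version or "") not in present:
            stale.append((alert["vulnId"], alert["purl"], sorted(present)))
    return stale


# Constructed sample: one alert for an old vite version, one for a current package.
SAMPLE_ALERTS = [
    {"vulnId": "VULN-PLACEHOLDER-1", "purl": "pkg:npm/vite@5.2.2"},
    {"vulnId": "VULN-PLACEHOLDER-2", "purl": "pkg:npm/lodash@4.17.21"},
]
SAMPLE_INVENTORY = ["pkg:npm/vite@5.2.11", "pkg:npm/lodash@4.17.21"]  # 5.2.11 is a placeholder

if __name__ == "__main__":
    for vuln_id, purl, present in stale_alerts(SAMPLE_ALERTS, SAMPLE_INVENTORY):
        print(f"stale alert {vuln_id}: {purl} not in current SBOM (present: {present})")
```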

sunilnaidugc commented 2 weeks ago

Dear Dependency-Track Team/Users,

Good Day!

I am following up on the issue reported in GitHub Issue #3814 regarding outdated vulnerability alerts being triggered in our production environment. This is causing confusion for our customers, as the alerts reference old versions of dependencies that have already been patched and are no longer in use.

Key Points: This issue is occurring in our production environment, which is critical for our operations. Alerts are being generated based on outdated versions of dependencies, despite the most recent SBOM uploads reflecting patched versions. The outdated versions do not appear in the OWASP Dependency-Track UI but are still being referenced in Slack notifications. This inconsistency needs urgent attention to prevent confusion and ensure accurate monitoring. Here are two specific examples highlighting the issue:

A service currently at version c776dc233eaed received an alert for a vulnerability in pkg:npm/vite@5.2.2, which is an old version from March 22. Another service currently at version 79 received an alert for a vulnerability in pkg:npm/vite@5.1.6, which is an old version from March 20. As this issue is sporadic and not occurring on a regular basis, it adds to the difficulty in monitoring and maintaining the security of our services.

Could you please provide an update on the status of this issue? Your prompt attention to this matter would be greatly appreciated, as it directly impacts our production environment and the clarity of our security alerts. I would be glad to share all the necessary details about the issue with you if you require more.

Thank you for your assistance.

Best Regards,
Sunil Kumar Golla
AWS Cloud Senior Consultant | DPS-XAAS-Cloud
BSH Household Appliances Manufacturing Pvt. Ltd
Mobile: +91 6363509277 | Email: Sunil.Golla-ext@bshg.com