Given a project with two components which have the same vulnerability
When I click "Export VEX"
Then a VEX file is delivered which contains duplicate items in vulnerabilities section
But according to the CycloneDX 1.5 schema this is invalid
Tested with 4.11.3 and 4.12-snapshot from 2024/06/11
Steps to Reproduce
Create a new project and upload the following BOM file:
bom-express.json
Wait for analysis to be finished
Go to the "Audit Vulnerabilities" tab and click "Download VEX" (which returns the following VEX file: vex-express.json)
Enable "BOM Validation" in "Configuration/Bom Format" settings
Click "Apply VEX" and try to upload the above VEX file
Upload fails with: "The uploaded BOM is invalid. Schema validation failed"
The same duplicates can be found when exporting the BOM using "Download BOM -> Inventory with Vulnerabilities"
Expected Behavior
I expect a valid CycloneDX BOM to be returned by "Export VEX".
Current Behavior
Dependency-Track Version
4.11.3
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
14
Browser
Mozilla Firefox
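As an added check, not part of the report above or of Dependency-Track's own code: a small Python script that flags vulnerability items an exported VEX repeats verbatim (the condition the CycloneDX 1.5 schema's uniqueItems rule rejects) and, as a defensive normalisation that goes beyond the schema check, merges items sharing a source name and id by unioning their "affects" lists. The sample document is constructed for the example and is not the attached vex-express.json.

```python
import json
# Constructed sample VEX (not the vex-express.json from the report): one
# vulnerability listed three times, twice as an identical item (key order
# differs, which JSON Schema ignores) and once for a second component.
SAMPLE_VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-a@1.0.0"}]},
        {"source": {"name": "NVD"}, "id": "CVE-0000-0001",
         "affects": [{"ref": "pkg:npm/example-a@1.0.0"}]},
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-b@2.0.0"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-b@2.0.0"}]},
    ],
}

def canonical(value):
    # "uniqueItems" compares by value, so object key order must not matter.
    return json.dumps(value, sort_keys=True, separators=(",", ":"))

def find_exact_duplicates(vex):
    """Indices of vulnerability items identical to an earlier one (schema-invalid)."""
    seen, dupes = set(), []
    for i, item in enumerate(vex.get("vulnerabilities", [])):
        key = canonical(item)
        if key in seen:
            dupes.append(i)
        seen.add(key)
    return dupes

def merge_vulnerabilities(vex):
    """Copy of vex with one item per (source name, id); "affects" lists are unioned."""
    merged = {}
    for item in vex.get("vulnerabilities", []):
        key = (item.get("source", {}).get("name", ""), item.get("id", ""))
        entry = merged.setdefault(key, {k: v for k, v in item.items() if k != "affects"})
        affects = entry.setdefault("affects", [])
        have = {canonical(a) for a in affects}
        for affected in item.get("affects", []):
            if canonical(affected) not in have:
                affects.append(affected)
                have.add(canonical(affected))
    return {**vex, "vulnerabilities": list(merged.values())}

if __name__ == "__main__":
    print("duplicate indices:", find_exact_duplicates(SAMPLE_VEX))
    print(json.dumps(merge_vulnerabilities(SAMPLE_VEX), indent=2))
```

Run it against an exported VEX loaded with json.load to see whether the file would fail the uniqueItems check before uploading it with "Apply VEX".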