DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

VEX export returns invalid cyclonedx #3834

Open muellerst-hg opened 3 weeks ago

muellerst-hg commented 3 weeks ago

Current Behavior

Given a project with two components which have the same vulnerability,
When I click "Export VEX",
Then a VEX file is delivered which contains duplicate items in the vulnerabilities section.
But according to the CycloneDX 1.5 schema this is invalid.

Tested with 4.11.3 and 4.12-snapshot from 2024/06/11

Steps to Reproduce

  1. Create a new project and upload the following BOM file: bom-express.json
  2. Wait for analysis to be finished
  3. Go to the "Audit Vulnerabilities" tab and click "Download VEX" (which returns the following VEX file: vex-express.json)
  4. Enable "BOM Validation" in "Configuration/Bom Format" settings
  5. Click "Apply VEX" and try to upload the above VEX file
  6. Upload fails with: "The uploaded BOM is invalid. Schema validation failed"

The same duplicates can be found when exporting the BOM using "Download BOM -> Inventory with Vulnerabilities".

Expected Behavior

I expect a valid CycloneDX BOM to be returned by "Export VEX".

Dependency-Track Version

4.11.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14

Browser

Mozilla Firefox

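An added example (not code from Dependency-Track or from the reporter) showing how a consumer can detect the symptom described above in an exported CycloneDX VEX, and how to collapse the repeated entries into one per vulnerability while keeping every affected component. The sample document, its `pkg:npm/example-*` refs and the `CVE-0000-000x` identifiers are constructed placeholders, and a vulnerability's identity is assumed to be the pair (source name, id).

```python
import json
from typing import Any

# Constructed sample VEX: two components share one vulnerability and the
# exporter emitted that vulnerability twice, once per component.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-a@1.0.0"}]},
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-b@2.0.0"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-a@1.0.0"}]},
    ],
})


def parse_vex(text: str) -> dict[str, Any]:
    """Load a CycloneDX JSON document from text."""
    return json.loads(text)


def vuln_key(vuln: dict[str, Any]) -> tuple[str, str]:
    """Assumed identity of a vulnerability entry: (source name, id)."""
    return (vuln.get("source", {}).get("name", ""), vuln.get("id", ""))


def find_duplicates(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """Return the keys that occur more than once in 'vulnerabilities'."""
    counts: dict[tuple[str, str], int] = {}
    for vuln in doc.get("vulnerabilities", []):
        key = vuln_key(vuln)
        counts[key] = counts.get(key, 0) + 1
    return [key for key, n in counts.items() if n > 1]


def dedupe_vulnerabilities(doc: dict[str, Any]) -> dict[str, Any]:
    """Keep one entry per key, unioning the 'affects' refs of all copies."""
    merged: dict[tuple[str, str], dict[str, Any]] = {}
    for vuln in doc.get("vulnerabilities", []):
        key = vuln_key(vuln)
        entry = merged.setdefault(key, {**vuln, "affects": []})
        known = {a.get("ref") for a in entry["affects"]}
        for affected in vuln.get("affects", []):
            if affected.get("ref") not in known:   # drop repeated refs too
                entry["affects"].append(affected)
                known.add(affected.get("ref"))
    return {**doc, "vulnerabilities": list(merged.values())}
```

Running `find_duplicates` on an exported VEX before uploading it is a quick way to tell whether a schema-validation failure is caused by this symptom rather than by something else in the file.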

SaberStrat commented 1 day ago

I decided to have a go at this one. Fixed it locally, not sure if it's the prettiest solution, but I'd dare a PR with it.