DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Attributed on date of vulnerability shows a date after suppression/comment date #3909

Open Sp33dy42 opened 6 days ago

Sp33dy42 commented 6 days ago

Current Behavior

[Screenshot: VulnScreenshot, attached by the reporter]

Steps to Reproduce

  1. One of the ways this can be caused is through an SBOM update. The Attributed date is updated but the vulnerability stays the same. I also noticed that new vulnerabilities that are discovered 2 weeks after the SBOM is uploaded will retain the date of the SBOM upload. [Screenshot: VulnScreenshot, attached by the reporter]

Expected Behavior

Expected behavior would be for the Attributed On field to update when a vulnerability is matched to a component.

Dependency-Track Version

4.10.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

nscuro commented 6 days ago

Are you using project cloning by chance?

This bug was fixed in 4.11: #3464

Sp33dy42 commented 5 days ago

Yes, we are.

On Tue, Jul 2, 2024 at 2:59 AM Niklas wrote:

Are you using project cloning by chance?

This bug was fixed in 4.11: #3464 https://github.com/DependencyTrack/dependency-track/issues/3464

Sp33dy42 commented 5 days ago

Mirroring, not cloning. Sorry. How would I know if we were cloning?

Sp33dy42 commented 5 days ago

Yes, we are using cloning. Should we shut this off?

nscuro commented 4 days ago

@Sp33dy42 Cloning happens either via /api/v1/project/clone REST API endpoint, or when using the Add Version functionality in the frontend.

DT versions prior to v4.11 had a bug where the attribution date for findings would not be retained when cloning. Instead they were assigned the current date.

You don't need to stop cloning projects, but you should update your DT installation to benefit from the bugfix.
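
Two checks for the behaviour Niklas describes, as an added example that is not Dependency-Track's own code: `attribution_drift` compares a source project's findings with its clone and reports every finding whose `attributedOn` changed (empty on a correct clone, every finding on a 4.10.x clone), and `impossible_attributions` flags findings attributed before the vulnerability was published, which is the second symptom in the report. It assumes the Finding JSON shape returned by `GET /api/v1/finding/project/{uuid}` (a `vulnerability` object with `vulnId` and `published`, an `attribution` object with `attributedOn`, both dates as epoch milliseconds) and the `X-Api-Key` request header; the sample findings and their dates are constructed, not real scan output.

```python
"""Added example, not Dependency-Track project code.

Sanity checks over the Finding JSON that Dependency-Track returns from
GET /api/v1/finding/project/{uuid}. Assumed shape (verify against your
DT version): "vulnerability" carries "vulnId" and "published" (epoch ms),
"attribution" carries "attributedOn" (epoch ms).
"""
import json
import urllib.request
from datetime import datetime, timezone


def fetch_findings(base_url: str, api_key: str, project_uuid: str) -> list:
    """Pull one project's findings; DT authenticates via the X-Api-Key header."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/finding/project/{project_uuid}",
        headers={"X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _ms(iso: str) -> int:
    """ISO-8601 timestamp (treated as UTC) -> epoch milliseconds."""
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _key(f: dict) -> tuple:
    c = f["component"]
    return (c["name"], c["version"], f["vulnerability"]["vulnId"])


def attribution_drift(source: list, clone: list) -> dict:
    """vulnId -> (source attributedOn, clone attributedOn) for findings that
    exist in both projects but carry different attribution dates.

    A correct clone inherits the source dates, so this is empty on >= 4.11.
    Under the pre-4.11 bug every clone finding is stamped with the clone time.
    """
    src = {_key(f): f["attribution"]["attributedOn"] for f in source}
    drift = {}
    for f in clone:
        k = _key(f)
        if k in src and src[k] != f["attribution"]["attributedOn"]:
            drift[k[2]] = (src[k], f["attribution"]["attributedOn"])
    return drift


def impossible_attributions(findings: list) -> list:
    """vulnIds whose attributedOn predates the advisory's published date.

    A finding cannot legitimately be attributed before the vulnerability
    existed; this catches a disclosure after the SBOM upload that kept the
    upload date instead of the match date.
    """
    return sorted(
        f["vulnerability"]["vulnId"]
        for f in findings
        if f["attribution"]["attributedOn"] < f["vulnerability"]["published"]
    )


# Constructed sample data (dates illustrative, not real scan output).
def _finding(name, version, vuln_id, published, attributed_on):
    return {
        "component": {"name": name, "version": version},
        "vulnerability": {"vulnId": vuln_id, "published": _ms(published)},
        "attribution": {"analyzerIdentity": "OSSINDEX_ANALYZER",
                        "attributedOn": _ms(attributed_on)},
    }


SOURCE = [
    _finding("log4j-core", "2.14.1", "CVE-2021-44228", "2021-12-10T10:15:00", "2024-05-01T08:00:00"),
    _finding("spring-beans", "5.3.17", "CVE-2022-22965", "2022-04-01T23:15:00", "2024-05-01T08:00:00"),
]

# What a 4.10.x clone made on 2024-07-01 looks like: same findings, new dates.
BUGGY_CLONE = [
    _finding("log4j-core", "2.14.1", "CVE-2021-44228", "2021-12-10T10:15:00", "2024-07-01T09:30:00"),
    _finding("spring-beans", "5.3.17", "CVE-2022-22965", "2022-04-01T23:15:00", "2024-07-01T09:30:00"),
]

# SBOM uploaded 2022-03-15; the advisory came out two weeks later, yet the
# finding kept the upload date.
STALE = [
    _finding("spring-beans", "5.3.17", "CVE-2022-22965", "2022-04-01T23:15:00", "2022-03-15T12:00:00"),
]

if __name__ == "__main__":
    print("attribution drift source -> clone:", attribution_drift(SOURCE, BUGGY_CLONE))
    print("attributed before published:", impossible_attributions(STALE))
```

To run it against a live instance, replace the constructed lists with `fetch_findings(base_url, api_key, uuid)` for the source and the cloned project; a non-empty drift on 4.11 or later is worth a bug report, a non-empty drift on 4.10.x is the behaviour fixed by #3464.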

Sp33dy42 commented 4 days ago

Thank you so much Niklas!

On Wed, Jul 3, 2024 at 8:37 AM Niklas wrote:

@Sp33dy42 Cloning happens either via /api/v1/project/clone REST API endpoint, or when using the Add Version functionality in the frontend.

DT versions prior to v4.11 had a bug where the attribution date for findings would not be retained when cloning. Instead they were assigned the current date.

You don't need to stop cloning projects, but you should update your DT installation to benefit from the bugfix.