DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Components get deleted in update #4175

Open Gepardgame opened 5 days ago

Gepardgame commented 5 days ago

Current Behavior

If you update an internal vulnerability with components, the components will no longer be shown.

Steps to Reproduce

  1. Create an internal vulnerability with one or more affected components.
  2. Open the vulnerability (View details) and click the "Update" button
  3. Reload site and open Vulnerability again and go to Affected Components tab
  4. Wonder why there are no components

Expected Behavior

Components should still be shown, even though the vulnerability gets updated.

The problem is in the code at VulnerabilityQueryManager.java#L798. I don't know where the attribution would be reported again.

Dependency-Track Version

4.12.0-SNAPSHOT

Dependency-Track Distribution

Executable WAR

Database Server

H2

Database Server Version

No response

Browser

N/A

Gepardgame commented 4 days ago

@sahibamittal You implemented this function. The old source is INTERNAL and the new one is INTERNAL, which leads to the deletion of the attributes, even though they are still relevant. I think that has been implemented to prevent duplications, but I don't know for sure.

nscuro commented 4 days ago

I suspect that we don't create AffectedVersionAttributions for manually created VulnerableSoftware records.

Then when it comes to reconcileVulnerableSoftware, manually created VulnerableSoftwares end up in this branch: https://github.com/DependencyTrack/dependency-track/blob/d03cb83725b3f44fa47fbc78c3f601b626178bbd/src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java#L779-L785

Gepardgame commented 4 days ago

That is not the problem, but the source is the same, so https://github.com/DependencyTrack/dependency-track/blob/d03cb83725b3f44fa47fbc78c3f601b626178bbd/src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java#L787-L788 is true, which deletes the attribution and will not add it to vsList.
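To make the behaviour discussed in this thread easier to reason about, here is an added, self-contained model of the reconciliation rules as the comments above describe them. It is not Dependency-Track's code and it does not call the project's API: the class and function names (`VulnerableSoftware`, `Vulnerability`, `reconcile_vulnerable_software`, `update_internal_vulnerability`), the `"INTERNAL"`/`"NVD"` source labels and the sample package coordinates are all assumptions made for this illustration. It shows both hypotheses from the thread leading to the same outcome (a record attributed only to `INTERNAL`, or to nobody, is pruned when the update does not re-send it), shows that a reconcile for another source leaves `INTERNAL` attributions alone, and shows one defensive update path that reuses the current components when the caller sends none.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Added example, not Dependency-Track code. Every name and source label below
# is an assumption made to model the behaviour described in the issue thread.


@dataclass(frozen=True)
class VulnerableSoftware:
    purl: str           # e.g. "pkg:maven/org.example/lib"
    version_range: str  # e.g. ">=1.0,<1.4"


@dataclass
class Vulnerability:
    vuln_id: str
    source: str
    description: str
    # affected record -> set of sources that attributed it to this vulnerability
    affected: Dict[VulnerableSoftware, Set[str]]


def reconcile_vulnerable_software(vuln: Vulnerability,
                                  incoming: Iterable[VulnerableSoftware],
                                  source: str) -> Vulnerability:
    """Assumed reconciliation rules: a record re-reported by `source` is kept
    and attributed to it; a record not re-reported loses `source`'s attribution
    and is dropped once no attribution remains; records attributed only to
    other sources are left untouched."""
    incoming_set = set(incoming)
    reconciled: Dict[VulnerableSoftware, Set[str]] = {}
    for vs, sources in vuln.affected.items():
        if vs in incoming_set:
            reconciled[vs] = sources | {source}
        else:
            remaining = sources - {source}
            if remaining:
                reconciled[vs] = remaining
            # otherwise the record was attributed only to `source` (or to
            # nobody, as with a manually created record) and is dropped
    for vs in incoming_set:
        reconciled.setdefault(vs, {source})
    vuln.affected = reconciled
    return vuln


def new_internal_vuln(attributions: Optional[Set[str]] = None) -> Vulnerability:
    """Constructed sample: an internal vulnerability with one affected record."""
    sources = {"INTERNAL"} if attributions is None else set(attributions)
    return Vulnerability(
        vuln_id="INT-0001", source="INTERNAL", description="initial",
        affected={VulnerableSoftware("pkg:maven/org.example/lib", ">=1.0,<1.4"): sources},
    )


def metadata_update_without_components() -> int:
    """The failure mode from the issue: the update resubmits the vulnerability
    but no affected components, so reconciliation runs against an empty list."""
    vuln = new_internal_vuln()
    reconcile_vulnerable_software(vuln, incoming=[], source="INTERNAL")
    return len(vuln.affected)  # 0: the component is gone


def metadata_update_resubmitting_components() -> int:
    """Same update, but the current components are sent along: nothing is lost."""
    vuln = new_internal_vuln()
    reconcile_vulnerable_software(vuln, incoming=list(vuln.affected), source="INTERNAL")
    return len(vuln.affected)  # 1


def other_source_reconcile_keeps_internal() -> Dict[str, Set[str]]:
    """A reconcile for a different source prunes only that source's records."""
    vuln = new_internal_vuln()
    vuln.affected[VulnerableSoftware("pkg:maven/org.example/lib", ">=2.0,<2.1")] = {"NVD"}
    reconcile_vulnerable_software(vuln, incoming=[], source="NVD")
    return {vs.version_range: sources for vs, sources in vuln.affected.items()}


def update_internal_vulnerability(vuln: Vulnerability, description: str,
                                  affected: Optional[Iterable[VulnerableSoftware]] = None) -> Vulnerability:
    """Assumed defensive update path: when the caller sends no components, reuse
    the ones currently attributed to INTERNAL (or to nobody) instead of
    reconciling against an empty list."""
    if affected is None:
        affected = [vs for vs, s in vuln.affected.items() if "INTERNAL" in s or not s]
    vuln.description = description
    return reconcile_vulnerable_software(vuln, affected, "INTERNAL")


def safe_update_keeps_components() -> int:
    """Manually created record with no attribution at all (the other hypothesis
    in the thread) survives a description-only update via the defensive path."""
    vuln = new_internal_vuln(set())
    update_internal_vulnerability(vuln, "edited description")
    return len(vuln.affected)  # 1
```

The model makes the practical check explicit: whatever the update endpoint sends for affected components is exactly what survives reconciliation for that source, so a client that only changes a description must either re-send the current components or the server must treat a missing list as "unchanged" rather than "empty".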