DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Only GHSA ID returned for vulnerability having an NVD ID #4214

Open andreeaButerchi opened 2 months ago

andreeaButerchi commented 2 months ago

Current Behavior

Hello,

We have NVD + GHSA configured as vulnerability sources within our ODT instance. Since we activated GHSA we were used to getting most vulnerabilities twice (once with the NVD id like CVE-2016-1000027 and once again with the GHSA id: GHSA-4wrc-f8pq-fpqp)... We were not thrilled... but we made our peace with it... and adapted our code to make sure no duplicates were returned to the end user... But yesterday we noticed that for some projects we get only the GHSA ID -> which kind of breaks our logic :(

We get the same behavior when calling the API: v1/bom/cyclonedx/project/xxxxx?variant=withVulnerabilities

When calling the endpoint api/v1/vulnerability/project/xxxxx we do get both IDs (CVE + GHSA):

{
  "cveId": "CVE-2016-1000027",
  "ghsaId": "GHSA-4wrc-f8pq-fpqp",
  "uuid": "44666f26-b8dd-4a0f-a36a-7a07e4e27aa8"
}

We have the same behaviour with 2 different versions of ODT: Dependency-Track v4.12.0 and Dependency-Track v4.11.7.

Thank you very much for your help! Andreea

Steps to Reproduce

  1. Upload an SBOM holding a Spring 5.3.40 (or lower):

"publisher": "Spring IO",
"group": "org.springframework",
"name": "spring-core",
"version": "5.3.40",
"description": "Spring Core",

  2. When ODT finishes its analysis -> we end up with only GHSA-4wrc-f8pq-fpqp. We don't get CVE-2016-1000027.

Expected Behavior

As both sources (NVD + GHSA) are configured -> we expected to have both IDs returned, in this case GHSA-4wrc-f8pq-fpqp and CVE-2016-1000027.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

valentijnscholten commented 2 months ago

Is your component using a PURL or CPE? I assume PURL because you get GHSA matches. In that case the CVE should come from OSSIndex. But that seems to attribute the vulnerability to spring-web only:

If that is incorrect, you can report that here: https://ossindex.sonatype.org/doc/report-vulnerability

andreeaButerchi commented 2 months ago

Hello @valentijnscholten! Thank you for your quick answer... but it's not a PURL vs CPE or OSSIndex issue :( On the exact same instance of OWASP Dependency-Track, for another application (with a vulnerable version of Spring Framework) we do get both:

And based on /vulnerability/project we can see that ODT knows both IDs, as they are bound by an alias:

"aliases": [
  {
    "cveId": "CVE-2016-1000027",
    "ghsaId": "GHSA-4wrc-f8pq-fpqp",
    "uuid": "44666f26-b8dd-4a0f-a36a-7a07e4e27aa8"
  }
],

So there must be another explanation :(

Thank you very much for your help!
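One way a consumer of the API can use that aliases field to merge NVD and GHSA records, and to flag exactly the situation described in this issue (the alias names a CVE that no source actually reported). This is an added example, not code from the issue or from Dependency-Track; the sample records are constructed from the alias object quoted above, and the vulnId and source field names are assumed.

```python
# Merge Dependency-Track findings that name one vulnerability under different ids. Constructed
# sample modelled on the /api/v1/vulnerability/project/{uuid} response quoted in the issue;
# the "vulnId" and "source" field names are assumed, not taken from the issue.
ALIAS_KEYS = ("cveId", "ghsaId", "osvId", "snykId")  # alias fields merged on

ALIAS = {"cveId": "CVE-2016-1000027", "ghsaId": "GHSA-4wrc-f8pq-fpqp"}
# spring-web 5.3.39: both NVD and GHSA report the issue (two records).
FINDINGS_5_3_39 = [
    {"vulnId": "CVE-2016-1000027", "source": "NVD", "aliases": [ALIAS]},
    {"vulnId": "GHSA-4wrc-f8pq-fpqp", "source": "GITHUB", "aliases": [ALIAS]},
]
# spring-web 5.3.40: only the GHSA record comes back, still carrying the alias.
FINDINGS_5_3_40 = [{"vulnId": "GHSA-4wrc-f8pq-fpqp", "source": "GITHUB", "aliases": [ALIAS]}]

def _ids(record):
    """Every identifier a record is known by: its vulnId plus all alias values."""
    ids = {record["vulnId"]}
    for alias in record.get("aliases") or []:
        ids.update(v for k, v in alias.items() if k in ALIAS_KEYS and v)
    return ids

def dedupe(findings):
    """Union-find over identifiers, then one merged entry per alias group."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for rec in findings:
        ids = list(_ids(rec))
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = {}
    for rec in findings:
        groups.setdefault(find(rec["vulnId"]), []).append(rec)
    merged = []
    for members in groups.values():
        members.sort(key=lambda r: r["source"] != "NVD")  # NVD record first if present
        all_ids = set().union(*(_ids(r) for r in members))
        cves = sorted(i for i in all_ids if i.startswith("CVE-"))
        merged.append({
            "canonical": cves[0] if cves else members[0]["vulnId"],  # prefer the CVE
            "ids": sorted(all_ids),
            "reported_by": sorted(r["source"] for r in members),
            # True when the aliases name a CVE that no configured source reported
            "cve_missing_from_results": bool(cves) and not any(r["vulnId"].startswith("CVE-") for r in members),
        })
    return sorted(merged, key=lambda m: m["canonical"])
```

Keying the merged result on the CVE taken from the aliases gives the end user the same identifier whether one or both sources matched; the cve_missing_from_results flag singles out components where the NVD/OSSIndex path produced nothing.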

valentijnscholten commented 2 months ago

In your first post you mention:

"publisher": "Spring IO",
"group": "org.springframework",
"name": "spring-core",
"version": "5.3.40",
"description": "Spring Core",

Which is different from spring-web in your comment/screenshot and seems to confirm my observation :-)

andreeaButerchi commented 2 months ago

Hello @valentijnscholten ,

Sorry for the wrong copy/paste within the steps to reproduce :( Please do consider I was speaking about spring-web all along:

"group": "org.springframework",
"name": "spring-web",
"version": "5.3.40",
"description": "Spring Web",

The only difference I could spot might be the version 5.3.40 of spring-web, which is an enterprise version (meaning it's available only to those that bought extra support once the community version reached end of life): https://enterprise.spring.io/projects/spring-framework

I checked the Maven Central repo and we can see that the latest available spring-web version is 5.3.39 (for spring-web 5.3): https://mvnrepository.com/artifact/org.springframework/spring-web/5.3.39

For this version we do get both IDs: CVE-2016-1000027 & GHSA-4wrc-f8pq-fpqp

However, as soon as we upgrade to the enterprise edition of spring-web (5.3.40), we get only GHSA-4wrc-f8pq-fpqp:

valentijnscholten commented 2 months ago

Is there a reason you are still not providing the exact section of the BOM this is about (which would include the PURL)?

andreeaButerchi commented 2 months ago

Here you go: you have the cdxgen-generated SBOM (which was uploaded to ODT) and the result of api/v1/bom/cyclonedx/project/xxxxxx?variant=withVulnerabilities for both spring-web 5.3.39 & 5.3.40:

- scalaws-springweb5.3.39-sbom.json
- scalaws-spring-web5.3.39-vulnerabilities-sbom.json
- scalaws-spring-web5.3.40-sbom.json
- scalaws-spring-web5.3.40-vulnerabilities-sbom.json

Hope it helps! Thanks!

valentijnscholten commented 2 months ago

As can be seen in OSSIndex, 5.3.40 doesn't have any vulnerabilities in OSSIndex. Might be because it's a non-free/non-public version.

Can you next time provide accurate info to save us some time? Next to 5.3.39 and 5.3.40 there's also 5.3.25 in the screenshot.

andreeaButerchi commented 2 months ago

Thank you for confirming our hypothesis :) It was only this morning that we started to focus on/suspect the enterprise edition of Spring Web (5.3.40) versus previous ones (and among these previous ones there are Spring Web 5.3.25, Spring Web 5.3.39... and quite a few other versions < 5.3.40... which all have the 2 IDs). Sorry if you think the info was not accurate (besides the spring-core mix-up, for which I apologize once again :( ) I tried to provide as much data as possible, in line with the progress we were making.

Thank you for your help & especially for your understanding :)