search

DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.72k stars 580 forks source link

Threat Suppression for Component: Threat Invisible at Project Level #649

Open msymons opened 4 years ago

msymons commented 4 years ago

Current Behavior:

In DT 3.8.0, performing vulnerability triage within a project seems to work fine. After the audit is peformed, the audit trail displays correct comment, analysis, and suppression state.

However, there are problems with performing triage from /components page.

  1. When the component vulnerability tab is refreshed the "Analysis" column does not display analysis result. eg "Exploitable".
  2. If the vulnerability is suppressed then it disappears from component vulnerability tab. The consequence is that it cannot then be unsuppressed (or have any other kind of auditing performed).
  3. The suppression also impacts projects that use the component.... the vulnerability is entirely missing from the project audit tab, although the counter on the tab (new feature in 3.8.0) is correct. Thus, for one project and 3 tests, the audit tab counter says 15 but the page itself says "Showing 1 to 10 of 12 rows".

Steps to Reproduce:

  1. Pick a component/version that has several vulnerabilities and which is used in at least one project Check that the vulnerabilities are displaying in the project, and reported against the component/version. Chose one of the vulnerabilities (x) and make a note of the id.
  2. On components page, locate the component/version. Make sure you do not accidentally select a different version! 3 On Vulnerabilities tab, enter audit mode. Locate vulnerability x and set Analysis to "Exploitable". After refreshing the screen, note that the Analysis column is not displaying "Exploitable" as it should.
  3. Update analysis and suppress the vulnerability. On page refresh, note that the vulnerability has disappeared fom the screen.
  4. Navigate back to project that uses the component. The vulnerability is now missing.

Expected Behavior:

Vulnerability suppression does not remove vulnerabilities from display. It must be possible to re-do triage and reverse suppression.

What I am actually expecting is to have a way whereby triage performed on an individual vulnerability in a project can be updated by re-performing for the component as a whole. With the defect reported above I do not know if this is possible. If not, I can log a separate enhancement ...and also request a way to globally triage a vulnerability such that all vulnerable versions of a component are audited in one go (jackson-databind has a LOT of versions and a LOT of vulnerabilities).

Environment:

stevespringett commented 4 years ago
  1. When the component vulnerability tab is refreshed the "Analysis" column does not display analysis result. eg "Exploitable".

This is likely a bug in the frontend.

  1. If the vulnerability is suppressed then it disappears from component vulnerability tab. The consequence is that it cannot then be unsuppressed (or have any other kind of auditing performed).

It can be unsuppressed. This can be done via API. I believe 3.7.x and previous allowed for this capability in the UI as well.

  1. The suppression also impacts projects that use the component.... the vulnerability is entirely missing from the project audit tab, although the counter on the tab (new feature in 3.8.0) is correct. Thus, for one project and 3 tests, the audit tab counter says 15 but the page itself says "Showing 1 to 10 of 12 rows".

The count is off, but the lack of project visibility is by design and documented.

I think the issues identified in this ticket will disappear once #593 is implemented as global auditing will no longer be supported in the future. As a workaround, I'd recommend no users be granted global audit permissions and run an API query to identify suppressed global findings.

msymons commented 4 years ago

I have tried "unsuppression" via the API in v3.8.0 but could not it to work. I tried to use analysis, which has GET parameters:

The 1st problem is that when a vulnerability disappears from the component listing in the UI, there is no easy way to even know that anything has disappeared. And should you think "hold on... I am sure that there used to be more CVE listed" then working out WHAT is missing involves either:

Both methods can be tedious for a component such as jackson-databind which has scores of vulnerabilities.

The 2nd problem is in the project page. Here, one does not even know what component has a missing vulnerability... so that makes it even harder to track things down.

In my testing, I did make a note of the exact component that was having a vulnerability suppressed. Thus I have the uuid to use for component parameter. However, I do not have the uuid for vulnerability.

I'm afraid that the first API I tried was the component API (rather than vulnerability` API). I did this because it was listed first and the swagger documentation example response shows vulnerabilities being included. However, I got none. Example response:

{
  "group": "com.fasterxml.jackson.core",
  "name": "jackson-databind",
  "version": "2.9.10.2",
  "classifier": "LIBRARY",
  "md5": "a97303348bdb96c53609baffe3b992ae",
  "sha1": "2d0bbad28d59cec1ba02cecfff1d0748932c4386",
  "sha256": "a5143abadc0e446f0d4cbe5800a2847561f3070f5b9fbfe1072de91099ace491",
  "sha512": "ee01c0a01780198e219b7f95a26af640f1f1740ece8b4b633e832b9784bf5d9ea42bbaef11e3e3e3f04a3aae313cd788c438beed33530c2e02b6f2887eb46977",
  "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.2?type=jar",
  "description": "General data-binding functionality for Jackson: works on core streaming API",
  "resolvedLicense": {
    "uuid": "f7ef35c3-06ff-4217-a95c-6d350dae08cd",
    "name": "Apache License 2.0",
    "licenseId": "Apache-2.0",
    "isOsiApproved": true,
    "isFsfLibre": true,
    "isDeprecatedLicenseId": false
  },
  "lastInheritedRiskScore": 55,
  "uuid": "a45f9285-fe52-4633-bccd-d2f532e6d720",
  "usedBy": 0,
  "isInternal": false
}

Is this a defect, either in documentation or implementation?

I then tried the vulnerability API. Here I had better luck, succesfully retrieving a complete list of 11 vulnerabilities for the component. One observation... it would sure help if the response included whether or not each vulnerability is suppressed or not. Something for logging as a enhancement?

This allowed me to finally try out the analysis API. When providing all three parameters for a suppressed vulnerability, the returned content was empty... which I guess matches my original report, even though it's not helpful. For a few minutes I thought I had got a parameter or auth token wrong!

Removing project parameter finally gave good results:

{
  "analysisState": "EXPLOITABLE",
  "analysisComments": [
    {
      "timestamp": 1586188606342,
      "comment": "NOT_SET → EXPLOITABLE",
      "commenter": "marks"
    },
    {
      "timestamp": 1586192225459,
      "comment": "Suppressed",
      "commenter": "marks"
    }
  ],
  "isSuppressed": true
}

Lastly, I was too nervous to attempt using PUT to record analysis. Is the documentation complete? I would expect to have to specify some uuid data... although the GET for analysis results did not include such info in the response.

Harshal1693 commented 2 years ago

I do agree that getting the correct UUIDs to be used, is extremely inconvenient but I was able to unsuppress a previously suppressed vulnerability globally by sending a PUT request to the below-mentioned endpoint:

{ "project": "Project UUID", "component": "Component UUID", "vulnerability": "Vulnerability UUID", "analysisState": "EXPLOITABLE", "comment": "Unsuppressing for testing", "suppressed": false }

Please Note: Although this PUT request takes a project UUID in the request, the vulnerability gets unsuppressed globally for all the projects (rather than unsuppressing it only for that particular project).