stevespringett
commented
3 years ago The FAQ implies that Package URLs are a hard requirement, but the CycloneDX spec mentions that: If PURL is not an option or not all components represented in the BOM contain a PURL, then UUID is recommended
I think there's a misunderstanding between the purl element and using purl as an identifier in a components bom-ref. The spec states:
bom-ref attribute of a component element
An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
purl element of a component
Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
Dependency-Track uses the purl element for vulnerability and repo use cases. If a component is a package (library, framework, os package, etc), then PURL is a requirement. If the component is not a package but rather an application, operating system, or hardware device, then PURL is not required (or even possible). For these components, CPE is required. The CycloneDX website has a table of component types and the recommendations for each type for use in security use cases. https://cyclonedx.org/use-cases/#known-vulnerabilities
Dependency Track does not support the CycloneDX vulnerability extension. There are plans to add the vulnerability extension as an option when outputting CycloneDX for Dependency Track projects, but there are no current plans on importing vulnerabilities defined in the CycloneDX vulnerability extension. If this is a requirement, pull requests are highly encouraged 😉 The primary purpose for this extension is to provide GRC and related risk management systems, the ability to import that data along with all the risk scores from each vulnerability. But I also see your point in possibly having that capability in Dependency Track in the future as well.
alfredodeza
w2n1ck
swarkentin
Current Behavior:
Uploaded a CycloneDX BOM to a new project and none of the vulnerabilities reported in the BOM made it into the audit. I searched the open/closed issues and found that https://github.com/DependencyTrack/dependency-track/issues/744 explained something similar.
The suggestion was to follow the FAQ which mentions specifically this:
There are a couple of issues here:
1) The FAQ implies that Package URLs are a hard requirement, but the CycloneDX spec mentions that:
2) We are uploading a BOM with the vulnerability extension. Specifically, the example XML from CycloneDX used here: https://cyclonedx.org/ext/vulnerability/ which has PURLs and vulnerabilities
3) It is not clear from reading the documentation or after uploading a BOM with vulnerabilities, that:
Steps to Reproduce:
Upload any of the examples in https://cyclonedx.org/ext/vulnerability/
Additional Details:
I think this is more of a documentation enhancement rather than a bug. There are a few places that should highlight the strict requirements (e.g. PURLs) and that there is no support for the vulnerability extension in CycloneDX.
From searching the docs, these are some places where I think might make sense, perhaps there are other good spots as well:
In places where it is noted that DependencyTrack uses PURLs, there should be an emphasis on the requirement. For example, this line with "relies":
Could be changed to "requires" :