blackducksoftware / hub-rest-api-python

HUB REST API Python bindings
Apache License 2.0

get_vulnerable_bom_components() sometimes returns components not given by get_version_components() #146

Closed iskunk closed 1 year ago

iskunk commented 3 years ago

As I understand, the get_version_components() method returns all the components for a specified project version, and get_vulnerable_bom_components() returns the subset of those components [for a specified project version] that have a security vulnerability.

I am observing that get_vulnerable_bom_components() sometimes returns a superset of components, potentially a much larger one. For example, I have a project with a single version that shows five components, three of them vulnerable, in the Web UI. get_version_components() returns five items, as expected. get_vulnerable_bom_components(), however, returns over 1500---all but three of which appear to be completely unrelated to the project version.

(I may be misunderstanding the intent of get_vulnerable_bom_components(), and if so, I'd appreciate being corrected.)

gsnyder2007 commented 3 years ago

Well you have the right idea. get_vulnerable_bom_components calls the REST endpoint to return those components having vulnerabilities, however, it returns one record (json object) PER vulnerability so you will oftentimes get more records back from the vulnerable bom component endpoint than there are components. 1500 for 5 is a lot but if one of those components were for example the Linux kernel, well, you can get a lot of vulnerabilities returned. Does that help? If you still feel there is some kind of bug let us know and we can look into it. We would need more info to do that. Specifically the URLs for the 5 components you cite should be enough.

iskunk commented 3 years ago

I have edited the title of this issue to better reflect the problem.

I confirmed that my 5/1500 example did return a list of repeated components, all of which related to GNU C Library and the Linux Kernel. I was too hasty in choosing that example---my apologies. That was not the one that originally prompted this report.

I am seeing other project versions where get_vulnerable_bom_components() returns components that are not present in the original BOM (as returned by get_version_components(), or listed in the Web UI). E.g. if the original BOM is "A B C," then get_vulnerable_bom_components() gives me "A B C X Y." Is there a reason for the "X Y," or should the set of components returned be a subset of the original BOM?

OffBy0x01 commented 3 years ago

There is definitely a difference in number of records between each - though in my experience that is because the vulnerable-components endpoint is per vulnerability per component-version origin (as opposed to per component-version).

I would suggest you try filtering the output of get_vulnerable_bom_components() for unique component versions. If any of these component versions do not exist when you make the get_version_components() request, then there might be an issue.
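The check suggested in this thread (collapse the per-vulnerability records to unique component versions, then look for any that are absent from the BOM) as an added example; this is not code from hub-rest-api-python or from any of the commenters. It works on plain dicts shaped like the JSON the library hands back (assumed here to be the raw Hub response with an "items" list, so the output of hub.get_version_components(version) and hub.get_vulnerable_bom_components(version) could be passed in directly). The field names componentName, componentVersionName, componentVersion and vulnerabilityWithRemediation are an assumption about the Hub record shape, and all sample records and vulnerability ids are constructed.

```python
"""Compare a project version's BOM with the vulnerable-BOM-component records
for the same version, per the suggestion in this issue.

Added example, not part of hub-rest-api-python. Field names are an
assumption about the Hub's record shape; adjust to what your server returns.
"""
from collections import Counter


def component_version_key(record):
    """Identity of a component version: the componentVersion URL when present,
    otherwise the (name, version) pair. Origins and vulnerabilities are
    deliberately ignored so that all records for one version collapse."""
    url = record.get("componentVersion")
    if url:
        return url
    return (record.get("componentName"), record.get("componentVersionName"))


def vulnerability_counts(vulnerable_bom):
    """One entry per unique component version, with the number of
    vulnerability records the endpoint returned for it."""
    return Counter(component_version_key(r) for r in vulnerable_bom["items"])


def components_missing_from_bom(version_components, vulnerable_bom):
    """Component versions present in the vulnerable-BOM output but not in the
    version's BOM. Empty means the vulnerable set is a subset of the BOM, as
    expected; anything listed is the 'X Y' case worth reporting, along with
    the component URLs."""
    bom_keys = {component_version_key(r) for r in version_components["items"]}
    extra = set(vulnerability_counts(vulnerable_bom)) - bom_keys
    return sorted(extra, key=str)


def make_record(name, version, vuln=None):
    """Build a constructed record in the assumed Hub shape (sample data only)."""
    rec = {
        "componentName": name,
        "componentVersionName": version,
        # constructed URL; a real Hub returns its own component version URLs
        "componentVersion": (
            f"https://hub.example.invalid/api/components/{name.lower()}/versions/{version}"
        ),
    }
    if vuln:
        rec["vulnerabilityWithRemediation"] = {"vulnerabilityName": vuln}
    return rec


# Constructed sample: BOM is A, B, C; the vulnerable endpoint returns several
# records per version (one per vulnerability) and one version, X, that is not
# in the BOM at all. Vulnerability ids are placeholders, not real advisories.
SAMPLE_BOM = {"items": [make_record("A", "1.0"),
                        make_record("B", "2.1"),
                        make_record("C", "0.9")]}
SAMPLE_VULNERABLE_BOM = {"items": [
    make_record("A", "1.0", "VULN-0001"),
    make_record("A", "1.0", "VULN-0002"),
    make_record("B", "2.1", "VULN-0003"),
    make_record("X", "4.4", "VULN-0004"),
    make_record("X", "4.4", "VULN-0005"),
    make_record("X", "4.4", "VULN-0006"),
]}

if __name__ == "__main__":
    for key, n in vulnerability_counts(SAMPLE_VULNERABLE_BOM).items():
        print(f"{n:3d} vulnerability record(s) for {key}")
    print("not in BOM:", components_missing_from_bom(SAMPLE_BOM, SAMPLE_VULNERABLE_BOM))
```

With the constructed data the six vulnerable records collapse to three component versions (A with 2, B with 1, X with 3), and only X is flagged as missing from the BOM. Against a live server, an empty result from components_missing_from_bom() means the extra records were just the per-vulnerability (and per-origin) multiplicity described above; a non-empty result is the thing to report, together with the URLs it lists.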