trustification / trustify

Apache License 2.0

After I uploaded 2 Advisory files, I ran into apparent duplicate Vulnerabilities #471

Closed carlosthe19916 closed 15 hours ago

carlosthe19916 commented 6 days ago

Steps to reproduce:

{
    "items": [
        {
            "identifier": "CVE-2021-32714",
            "title": "Integer Overflow in Chunked Transfer-Encoding",
            "published": "2021-07-07T19:35:10Z",
            "modified": "2021-07-07T19:35:10Z",
            "cwe": "CWE-190",
            "average_severity": null,
            "average_score": null,
            "advisories": [
                {
                    "uuid": "urn:uuid:7e8868ec-170a-492f-a93c-d64130f4220f",
                    "identifier": "CVE-2021-32714",
                    "hashes": [
                        "sha256:53dbabe96c9e778941cff248c2607e927a2d0984d2fd8d81617dafb2bc53d420"
                    ],
                    "issuer": {
                        "id": 2,
                        "name": "GitHub_M",
                        "cpe_key": null,
                        "website": null
                    },
                    "published": "2021-07-07T19:35:10Z",
                    "modified": "2021-07-07T19:35:10Z",
                    "title": "Integer Overflow in Chunked Transfer-Encoding",
                    "severity": null,
                    "score": null
                }
            ]
        },
        {
            "identifier": "CVE-2021-32714",
            "average_severity": "critical",
            "average_score": 9.1,
            "advisories": [
                {
                    "uuid": "urn:uuid:b0ecbfbf-0b21-47ab-9226-cdb5b061323b",
                    "identifier": "RUSTSEC-2021-0079",
                    "hashes": [
                        "sha256:8297ce58d1a870b0ef2f1e3bb4a08e87b54696e5faa85ba1724978ef80d2d5b1"
                    ],
                    "issuer": {
                        "id": 1,
                        "name": "Rust Security Advisory Database",
                        "cpe_key": null,
                        "website": null
                    },
                    "published": "2021-07-07T12:00:00Z",
                    "modified": "2021-10-19T22:14:35Z",
                    "title": "Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss",
                    "severity": "critical",
                    "score": 9.1
                }
            ]
        }
    ],
    "total": 2
}

Both items in the response have the same identifier. The problem is that the identifier is being used to fetch a single Advisory e.g. /api/v1/vulnerability/CVE-2021-32714. The question is, which Vulnerability am I fetching if both have the same identifier?

The other entities are using something like uuid; not sure if that would be the solution, but whatever the solution is, there should be a unique key to identify a Vulnerability.
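The failure mode described in this report, as an added stand-alone example (not trustify's own code): a naive ingestion path that creates a fresh Vulnerability row per uploaded advisory, beside one that treats the vulnerability identifier as the unique key and attaches further advisories to the existing row. The `Advisory`, `Vulnerability`, `NaiveStore` and `KeyedStore` types and the `ingest`/`lookup` functions are assumptions for illustration; the two sample advisories are constructed from the response above (GitHub_M with no score, RUSTSEC-2021-0079 with score 9.1, both describing CVE-2021-32714).

```rust
use std::collections::BTreeMap;

/// One ingested advisory document. `vulnerability_id` is the CVE the advisory
/// describes; `identifier` is the advisory's own id, which may equal the CVE id
/// (as in the GitHub_M document above). Hypothetical type, not trustify's model.
#[derive(Clone, Debug, PartialEq)]
pub struct Advisory {
    pub identifier: String,
    pub issuer: String,
    pub vulnerability_id: String,
    pub score: Option<f64>,
}

#[derive(Clone, Debug, PartialEq)]
pub struct Vulnerability {
    pub identifier: String,
    pub advisories: Vec<Advisory>,
}

impl Vulnerability {
    /// Mean of the scores the advisories actually carry; `None` if none scores it.
    pub fn average_score(&self) -> Option<f64> {
        let scores: Vec<f64> = self.advisories.iter().filter_map(|a| a.score).collect();
        if scores.is_empty() {
            None
        } else {
            Some(scores.iter().sum::<f64>() / scores.len() as f64)
        }
    }
}

/// Naive store (the reported behaviour): every uploaded advisory creates a new
/// Vulnerability row, so two advisories about one CVE yield two rows.
#[derive(Default)]
pub struct NaiveStore {
    pub vulnerabilities: Vec<Vulnerability>,
}

impl NaiveStore {
    pub fn ingest(&mut self, adv: Advisory) {
        self.vulnerabilities.push(Vulnerability {
            identifier: adv.vulnerability_id.clone(),
            advisories: vec![adv],
        });
    }

    /// Fetch by identifier, as a `/api/v1/vulnerability/{id}` route would.
    /// Returns every match so the caller can see when the key is ambiguous.
    pub fn lookup(&self, id: &str) -> Vec<&Vulnerability> {
        self.vulnerabilities.iter().filter(|v| v.identifier == id).collect()
    }
}

/// Keyed store: the vulnerability identifier is the unique key. A second
/// advisory for a known CVE is attached to the existing row, and re-uploading
/// the same advisory (same issuer and advisory id) is idempotent.
#[derive(Default)]
pub struct KeyedStore {
    pub vulnerabilities: BTreeMap<String, Vulnerability>,
}

impl KeyedStore {
    pub fn ingest(&mut self, adv: Advisory) {
        let entry = self
            .vulnerabilities
            .entry(adv.vulnerability_id.clone())
            .or_insert_with(|| Vulnerability {
                identifier: adv.vulnerability_id.clone(),
                advisories: Vec::new(),
            });
        let already_present = entry
            .advisories
            .iter()
            .any(|a| a.identifier == adv.identifier && a.issuer == adv.issuer);
        if !already_present {
            entry.advisories.push(adv);
        }
    }

    pub fn lookup(&self, id: &str) -> Option<&Vulnerability> {
        self.vulnerabilities.get(id)
    }
}

/// Constructed sample input mirroring the two advisories in the report above.
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory {
            identifier: "CVE-2021-32714".into(),
            issuer: "GitHub_M".into(),
            vulnerability_id: "CVE-2021-32714".into(),
            score: None,
        },
        Advisory {
            identifier: "RUSTSEC-2021-0079".into(),
            issuer: "Rust Security Advisory Database".into(),
            vulnerability_id: "CVE-2021-32714".into(),
            score: Some(9.1),
        },
    ]
}

fn main() {
    let mut naive = NaiveStore::default();
    let mut keyed = KeyedStore::default();
    for adv in sample_advisories() {
        naive.ingest(adv.clone());
        keyed.ingest(adv);
    }
    println!("naive rows for CVE-2021-32714: {}", naive.lookup("CVE-2021-32714").len());
    let v = keyed.lookup("CVE-2021-32714").expect("present");
    println!("keyed: {} advisories, average score {:?}", v.advisories.len(), v.average_score());
}
```

With the keyed store the lookup by identifier is unambiguous whichever order the files are uploaded in, and the aggregated `average_score` comes from the one advisory that scores the CVE rather than being reported twice with different values.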

bobmcwhirter commented 6 days ago

Reproduced


I've been uploading one, then uploading the other.

Found myself in this state when selecting multiple files in the same file-picker operation.

carlosthe19916 commented 16 hours ago

@bobmcwhirter I am reopening this issue as it is still happening. I uploaded the same files; the order does not matter, and I can see 2 vulnerabilities rather than only one:

https://github.com/trustification/trustify/assets/2582866/e6268b6d-7723-4535-bf3e-335b25f0d5c4

bobmcwhirter commented 16 hours ago

Well crap. Thanks!