
Dependency Track ignores dependsOn tag in CycloneDX format


Current Behavior: Security Vulnerabilities do not include the dependsOn tag of the CycloneDX file. For example, suppose that we have the following reference and dependsOn field, where component-a has no security vulnerability but b and c have vulnerabilities:

```json
"dependencies": [
  {
    "ref": "pkg:maven/component/component-a@0.0.1?type=jar",
    "dependsOn": [
      "pkg:maven/component/component-b@0.0.1?type=jar",
      "pkg:maven/component/component-c@0.0.1?type=jar"
    ]
  }
]
```

Dependency Track will not show these relationships to component-a in the vulnerabilities tab. You will only see the component-b/c with a vulnerability risk and component-a will not yield any information that it depends on this software module with the given vulnerability.

Proposed Behavior: Given the above CycloneDX file and scenario, Dependency Track should log the vulnerability inside component-a too or reference the vulnerability of component-b/c in component-a.
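The propagation the issue asks for, as an added example that is neither Dependency-Track's code nor part of the issue: a Python script that reads the dependencies graph and the CycloneDX 1.4 vulnerabilities list from a BOM, then attributes every vulnerability reachable through dependsOn back to the depending component, with the path that leads to it. The BOM, purls and vulnerability ids below are constructed placeholders.

```python
from collections import deque

# Constructed CycloneDX 1.4 fragment (an assumption, not taken from the issue):
# component-a depends on b and c, and only b and c have vulnerability records.
PURL = "pkg:maven/component/component-{}@0.0.1?type=jar"
A, B, C = (PURL.format(x) for x in "abc")
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "dependencies": [
        {"ref": A, "dependsOn": [B, C]},
        {"ref": B, "dependsOn": []},
        {"ref": C, "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-B-0001", "affects": [{"ref": B}]},  # placeholder id
        {"id": "EXAMPLE-C-0002", "affects": [{"ref": C}]},  # placeholder id
    ],
}

def dependency_graph(bom):
    """Map each bom-ref to the refs it declares in dependsOn."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}

def direct_vulnerabilities(bom):
    """Map each bom-ref to the vulnerability ids that name it in affects[].ref."""
    hits = {}
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            hits.setdefault(target["ref"], set()).add(vuln["id"])
    return hits

def transitive_vulnerabilities(bom):
    """For every ref, collect vulnerabilities reachable through dependsOn, keyed by
    vulnerability id with the shortest dependency path (BFS) that leads to it.
    The seen set guards against cycles in the declared graph."""
    graph = dependency_graph(bom)
    direct = direct_vulnerabilities(bom)
    result = {}
    for root in graph:
        found, seen, queue = {}, {root}, deque([(root, [root])])
        while queue:
            node, path = queue.popleft()
            for vid in direct.get(node, ()):
                found.setdefault(vid, path)
            for child in graph.get(node, []):
                if child not in seen:
                    seen.add(child)
                    queue.append((child, path + [child]))
        result[root] = found
    return result
```

Running `transitive_vulnerabilities(SAMPLE_BOM)` reports both placeholder vulnerabilities under component-a, each with its path through component-b or component-c, which is the view the issue says the vulnerabilities tab currently lacks.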

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

4 reactions
stevespringett commented, May 10, 2022

Another possibility is to include a new dependency graph view (a few visual representations are planned) which shows the exploded dependency tree and highlights the nodes that are vulnerable. Snyk has a similar view which is very useful.

1 reaction
jimklimov commented, Nov 28, 2022

Didn’t know this was already indirectly mentioned in your issue.

Just another point of view at indirect dependencies 😃
