Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vulnerabilities not detected

See original GitHub issue

Current Behavior:

A new Dependency Track project was created (using the jenkins plugin). The BOM file is the same as a another project. The other project shows 22 vulnerabilities (NPM, NVD, OSSIndex) but the newly created version has no vulnerabilities.

The original upload (when the project was also automatically created) happened 20h ago. The analyzer should have done it’s analyzing (1) when the BOM was uploaded and (2) every 6h.

I tried manually re-uploading the BOM file but without success. The logs of that attempt can be found below.

Steps to Reproduce:

Not sure what makes my setup reproduce this issue.

Expected Behavior:

The project should show the same amount of vulnerabilities.

Environment:

Dependency-Track Version: 4.4.2
Distribution: Docker
BOM Format & Version: XML Schema v1.3
Database Server: PostgreSQL
Browser: Chrome

Additional Details:

2022-04-14 13:20:30,809 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,545 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,581 INFO [BomUploadProcessingTask] Processed 18 components and 0 services uploaded to project 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,963 INFO [InternalAnalysisTask] Starting internal analysis task
2022-04-14 13:20:32,037 INFO [InternalAnalysisTask] Internal analysis complete
2022-04-14 13:20:32,041 INFO [PolicyEngine] Evaluating 18 component(s) against applicable policies
2022-04-14 13:20:32,144 INFO [PolicyEngine] Policy analysis complete
2022-04-14 13:20:32,146 INFO [MetricsUpdateTask] Executing metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:32,551 INFO [MetricsUpdateTask] Completed metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534

Issue Analytics

State:
Created a year ago
Reactions:5
Comments:12 (4 by maintainers)

Top GitHub Comments

3reactions

chergikcommented, Apr 20, 2022

We are having the same issue and are on the version 4.2.0.

0reactions

mveckcommented, Nov 2, 2022

Finding similar problems, where our own internal investigation shows that:

CVE is known in the NVD (CVE-2020-11440)
CVE is linked to a component in the project (cpe:2.3⭕windriver:vxworks:7.0:-::::::)
Link is found by our internal tooling which should link to DT and should give similar results.
Vulnerability is correctly registered in DT (VULNID can be found using CVE)
Vulnerable-Software is correctly registered in DT (SWID can be found using CPE).
Vulnerable-Software -> Vulnerability can be found in VULNERABLESOFTWARE_VULNERABILITIES (VULNID,SWID tuple)
Component can be found.
Component-> Vulnerability can NOT be found (component_ID,VulnID).

I would expect that the analysis would automatically populate the last table based on the information which is available, but it shows that the last step (linking component to the vulnerability) has some hickups…

In our project this results in 600+ vulnerabilities not mapped by DT in multiple projects, but these vulnerabilities are found in the NVD.