Vulnerabilities not detected
Current Behavior:
A new Dependency-Track project was created (using the Jenkins plugin). The BOM file is the same as another project's. The other project shows 22 vulnerabilities (NPM, NVD, OSSIndex) but the newly created version has no vulnerabilities.
The original upload (when the project was also automatically created) happened 20h ago. The analyzer should have done its analysis (1) when the BOM was uploaded and (2) every 6h.
I tried manually re-uploading the BOM file but without success. The logs of that attempt can be found below.
Steps to Reproduce:
Not sure what makes my setup reproduce this issue.
Expected Behavior:
The project should show the same amount of vulnerabilities.
Environment:
- Dependency-Track Version: 4.4.2
- Distribution: Docker
- BOM Format & Version: XML Schema v1.3
- Database Server: PostgreSQL
- Browser: Chrome
Additional Details:
2022-04-14 13:20:30,809 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,545 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,581 INFO [BomUploadProcessingTask] Processed 18 components and 0 services uploaded to project 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,963 INFO [InternalAnalysisTask] Starting internal analysis task
2022-04-14 13:20:32,037 INFO [InternalAnalysisTask] Internal analysis complete
2022-04-14 13:20:32,041 INFO [PolicyEngine] Evaluating 18 component(s) against applicable policies
2022-04-14 13:20:32,144 INFO [PolicyEngine] Policy analysis complete
2022-04-14 13:20:32,146 INFO [MetricsUpdateTask] Executing metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:32,551 INFO [MetricsUpdateTask] Completed metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
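As an added check for this situation (not part of the issue or of Dependency-Track's own code), the script below pulls the findings of the reference project and of the newly created project through the REST API and reports which vulnerability sources are present on one side only, which makes a skipped analyzer visible without comparing counts by hand. The `/api/v1/vulnerability/project/{uuid}` endpoint and the `X-Api-Key` header are Dependency-Track's own; the `source`/`vulnId` field names, the `VIEW_PORTFOLIO` permission and the sample finding IDs are assumptions.

```python
import json
import urllib.request
from collections import Counter

def fetch_project_vulns(base_url, api_key, project_uuid):
    """GET /api/v1/vulnerability/project/{uuid}; the API key's team needs a
    portfolio view permission (assumed: VIEW_PORTFOLIO)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/vulnerability/project/{project_uuid}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def vuln_key(vuln):
    """Identity of a finding: (source, vulnId), e.g. ("NVD", "CVE-...")."""
    return (vuln.get("source", "UNKNOWN"), vuln.get("vulnId", "UNKNOWN"))

def compare_findings(reference, candidate):
    """Diff two projects' findings and summarise which analyzer sources
    contributed to each side, so a silently skipped analyzer shows up."""
    ref = {vuln_key(v) for v in reference}
    cand = {vuln_key(v) for v in candidate}
    ref_sources = {src for src, _ in ref}
    cand_sources = {src for src, _ in cand}
    return {
        "reference_by_source": dict(Counter(src for src, _ in ref)),
        "candidate_by_source": dict(Counter(src for src, _ in cand)),
        "sources_missing_in_candidate": sorted(ref_sources - cand_sources),
        "missing_in_candidate": sorted(ref - cand),
        "extra_in_candidate": sorted(cand - ref),
    }

# Constructed sample mirroring the report: the older project has findings
# from NVD, OSSINDEX and NPM, the newly created one has none. The IDs are
# placeholders, not real vulnerabilities.
SAMPLE_REFERENCE = [
    {"source": "NVD", "vulnId": "CVE-0000-00001"},
    {"source": "OSSINDEX", "vulnId": "sonatype-0000-0001"},
    {"source": "NPM", "vulnId": "0000"},
]
SAMPLE_CANDIDATE = []

if __name__ == "__main__":
    report = compare_findings(SAMPLE_REFERENCE, SAMPLE_CANDIDATE)
    print(json.dumps(report, indent=2))
```

Against a live instance, pass the output of two `fetch_project_vulns` calls (same base URL and key, the two project UUIDs) to `compare_findings`; an empty `candidate_by_source` with a populated `reference_by_source` is the symptom described in the issue.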
Top GitHub Comments
We are having the same issue and are on the version 4.2.0.
Finding similar problems, where our own internal investigation shows that:
I would expect that the analysis would automatically populate the last table based on the information which is available, but it shows that the last step (linking component to the vulnerability) has some hiccups…
In our project this results in 600+ vulnerabilities not mapped by DT in multiple projects, but these vulnerabilities are found in the NVD.