
Vulnerabilities not detected


Current Behavior:

A new Dependency-Track project was created (using the Jenkins plugin). The BOM file is the same as another project's. The other project shows 22 vulnerabilities (NPM, NVD, OSSIndex) but the newly created version has no vulnerabilities.

The original upload (when the project was also automatically created) happened 20h ago. The analyzer should have done its analysis (1) when the BOM was uploaded and (2) every 6h.

I tried manually re-uploading the BOM file but without success. The logs of that attempt can be found below.

Steps to Reproduce:

Not sure what makes my setup reproduce this issue.

Expected Behavior:

The project should show the same amount of vulnerabilities.

Environment:

  • Dependency-Track Version: 4.4.2
  • Distribution: Docker
  • BOM Format & Version: XML Schema v1.3
  • Database Server: PostgreSQL
  • Browser: Chrome

Additional Details:

2022-04-14 13:20:30,809 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,545 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,581 INFO [BomUploadProcessingTask] Processed 18 components and 0 services uploaded to project 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,963 INFO [InternalAnalysisTask] Starting internal analysis task
2022-04-14 13:20:32,037 INFO [InternalAnalysisTask] Internal analysis complete
2022-04-14 13:20:32,041 INFO [PolicyEngine] Evaluating 18 component(s) against applicable policies
2022-04-14 13:20:32,144 INFO [PolicyEngine] Policy analysis complete
2022-04-14 13:20:32,146 INFO [MetricsUpdateTask] Executing metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:32,551 INFO [MetricsUpdateTask] Completed metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534

Issue Analytics

  • State: open
  • Created a year ago
  • Reactions:5
  • Comments:12 (4 by maintainers)

Top GitHub Comments

3 reactions
chergik commented, Apr 20, 2022

We are having the same issue and are on the version 4.2.0.

0 reactions
mveck commented, Nov 2, 2022

Finding similar problems, where our own internal investigation shows that:

  • CVE is known in the NVD (CVE-2020-11440)
  • CVE is linked to a component in the project (cpe:2.3:o:windriver:vxworks:7.0:-:*:*:*:*:*:*)
  • Link is found by our internal tooling which should link to DT and should give similar results.
  • Vulnerability is correctly registered in DT (VULNID can be found using CVE)
  • Vulnerable-Software is correctly registered in DT (SWID can be found using CPE).
  • Vulnerable-Software -> Vulnerability can be found in VULNERABLESOFTWARE_VULNERABILITIES (VULNID,SWID tuple)
  • Component can be found.
  • Component-> Vulnerability can NOT be found (component_ID,VulnID).

I would expect that the analysis would automatically populate the last table based on the information which is available, but it shows that the last step (linking component to the vulnerability) has some hiccups…

In our project this results in 600+ vulnerabilities not mapped by DT in multiple projects, but these vulnerabilities are found in the NVD.
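The check mveck describes above, walking from a component's CPE through VULNERABLESOFTWARE and VULNERABLESOFTWARE_VULNERABILITIES to VULNERABILITY and then looking for the missing (component, vulnerability) row, can be done in one query against the Dependency-Track database. The query below is an added example, not code from the issue or from the Dependency-Track project. It assumes the PostgreSQL schema that Dependency-Track 4.x generates (upper-case, double-quoted identifiers; tables COMPONENT, PROJECT, VULNERABILITY, VULNERABLESOFTWARE, VULNERABLESOFTWARE_VULNERABILITIES and COMPONENTS_VULNERABILITIES with the column names shown in the comments); verify them with `\d "COMPONENT"` and friends in psql before trusting the output. The project UUID is the one from the reporter's log; replace it with your own.

```sql
-- Added diagnostic query (not part of the issue or of Dependency-Track itself).
-- Assumed Dependency-Track 4.x PostgreSQL schema:
--   "PROJECT"("ID", "UUID")
--   "COMPONENT"("ID", "NAME", "VERSION", "CPE", "PROJECT_ID")
--   "VULNERABLESOFTWARE"("ID", "VENDOR", "PRODUCT", "VERSION", "CPE23")
--   "VULNERABLESOFTWARE_VULNERABILITIES"("VULNERABLESOFTWARE_ID", "VULNERABILITY_ID")
--   "VULNERABILITY"("ID", "VULNID", "SOURCE")
--   "COMPONENTS_VULNERABILITIES"("COMPONENT_ID", "VULNERABILITY_ID")
--
-- Lists components whose CPE vendor/product/version matches a VULNERABLESOFTWARE
-- entry that is linked to a vulnerability, but for which Dependency-Track has
-- NOT written the component -> vulnerability link. Rows here are the
-- "Component -> Vulnerability can NOT be found" case from the comment above.
SELECT c."ID"        AS component_id,
       c."NAME"      AS component_name,
       c."VERSION"   AS component_version,
       c."CPE"       AS component_cpe,
       vs."CPE23"    AS matched_vulnerable_software,
       v."SOURCE"    AS vuln_source,
       v."VULNID"    AS vuln_id
FROM "COMPONENT" c
JOIN "PROJECT" p
  ON p."ID" = c."PROJECT_ID"
-- CPE 2.3 fields, colon-separated: 1=cpe 2=2.3 3=part 4=vendor 5=product 6=version
JOIN "VULNERABLESOFTWARE" vs
  ON  vs."VENDOR"  = split_part(c."CPE", ':', 4)
  AND vs."PRODUCT" = split_part(c."CPE", ':', 5)
  AND (vs."VERSION" = split_part(c."CPE", ':', 6) OR vs."VERSION" = '*')
JOIN "VULNERABLESOFTWARE_VULNERABILITIES" vsv
  ON vsv."VULNERABLESOFTWARE_ID" = vs."ID"
JOIN "VULNERABILITY" v
  ON v."ID" = vsv."VULNERABILITY_ID"
WHERE p."UUID" = '1307707d-9ce7-4e64-b4c7-d63e29a50534'   -- project from the log above
  AND c."CPE" IS NOT NULL
  -- AND v."VULNID" = 'CVE-2020-11440'                    -- narrow to one CVE if wanted
  AND NOT EXISTS (
        SELECT 1
        FROM "COMPONENTS_VULNERABILITIES" cv
        WHERE cv."COMPONENT_ID"     = c."ID"
          AND cv."VULNERABILITY_ID" = v."ID"
      )
ORDER BY c."NAME", c."VERSION", v."VULNID";
```

Two caveats when reading the result. First, the join only reproduces the simplest part of the internal analyzer's CPE matching (exact vendor/product plus exact or wildcard version); NVD entries that apply through a version range (the VULNERABLESOFTWARE range columns such as VERSIONSTARTINCLUDING / VERSIONENDEXCLUDING) are not matched here, so the query can miss pairs the analyzer would find, but every row it does return is a pair the analyzer had enough data to link and did not. Second, `split_part` on `:` misparses CPEs that contain an escaped colon (`\:`); those are rare, but check the `component_cpe` column if a result looks odd. Note also that the reporter's log shows only InternalAnalysisTask running after the upload; the NPM, NVD and OSS Index analyzers that produced the 22 findings on the sibling project do not appear there, so a zero result from this query does not by itself rule out the problem described in the issue.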

