Vulnerabilities with Severity UNASSIGNED not Displayed Properly in UI
Current Behavior:
When a vulnerability has Severity “Unassigned” (something I’ve seen, so far, only with OSS Index vulnerabilities), then the “Projects” tab does not display the presence of the vulnerability:
When drilling down into the project, the vulnerable component does not display correctly on the “Dependencies” tab (i.e., the vulnerabilities column displays a blue bar with a “0” count) and also displays incorrectly on “Overview”…
As can be seen in the above screenshot, the vulnerable component does display in “Audit” tab.
There seems to be no problem with the email alerting… a “New Vulnerability Identified” email is generated and looks to be all in order.
Steps to Reproduce:
- Ensure that OSS Index Analyser is enabled in DT
- Create a new project
- Upload a BOM that contains the following component
<component type="library">
  <name>shelljs</name>
  <version>0.5.3</version>
  <description>
    <![CDATA[Portable Unix shell commands for Node.js]]>
  </description>
  <hashes>
    <hash alg="SHA-1">c54982b996c76ef0c1e6b59fbdc5825f5b713113</hash>
  </hashes>
  <licenses>
    <license>
      <name>BSD*</name>
    </license>
  </licenses>
  <purl>pkg:npm/shelljs@0.5.3</purl>
  <modified>false</modified>
</component>
Expected Behavior:
Dependency-Track should be able to handle vulnerabilities that have unassigned severity scores
Environment:
- Dependency-Track Version: 3.4.1
- Distribution: [Executable WAR]
- BOM Format & Version: cyclonedx-node-module (CycloneDX Spec v1.0)
- Database Server: [PostgreSQL]
Additional Details:
As the vulnerability details for OSS Index vulnerabilities are dynamic, I would expect to see 560f37f7-6c1d-4b9c-aad3-34dcfcf218d7
get updated at some point. Hence, using the OSS Index REST API:
curl -X GET "https://ossindex.sonatype.org/api/v3/component-report/pkg%3Anpm%2Fshelljs%400.5.3" -H "accept: application/vnd.ossindex.component-report.v1+json" -H "authorization: Basic xxxxxx"
…the response is currently:
{
  "coordinates": "pkg:npm/shelljs@0.5.3",
  "description": "Portable Unix shell commands for Node.js",
  "reference": "https://ossindex.sonatype.org/component/pkg:npm/shelljs@0.5.3",
  "vulnerabilities": [
    {
      "id": "560f37f7-6c1d-4b9c-aad3-34dcfcf218d7",
      "title": "Possible Command Injection",
      "description": "There are `relevant security flaws surrounding command injection and unexpected globbing` due to the use of the exec function.",
      "cvssScore": 0,
      "reference": "https://ossindex.sonatype.org/vuln/560f37f7-6c1d-4b9c-aad3-34dcfcf218d7"
    }
  ]
}
Note that cvssScore = 0.
Top GitHub Comments
Corrected milestone
Confirmed this to be a defect - an oversight actually. Unassigned metrics are not being tracked. These will be added to 3.5. Historical metrics will not have unassigned stats, but from the time v3.5 is upgraded, all metrics at that point will start to have unassigned stats.
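The following is an added illustration, not Dependency-Track's code, of the two points above: the OSS Index report returns a finding with cvssScore 0, and a metrics rollup that only sums the assigned severity buckets reports such a component as having “0” vulnerabilities, while a rollup that tracks an UNASSIGNED bucket does not. The CVSS v3 qualitative ranges are real; the assumption that a missing or zero score lands in UNASSIGNED (rather than CVSS's “None”) is mine, chosen to match what the reporter observed. The second component report and the `constructed-*` ids are constructed sample data.

```python
import json
from collections import Counter

# Severity buckets in the order a dashboard would list them; UNASSIGNED is
# the bucket this issue is about.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNASSIGNED")

# Constructed sample: an OSS Index component report modelled on the one
# quoted in the issue (same shape; the cvssScore of 0 is the trigger).
SAMPLE_REPORT = json.loads("""
{
  "coordinates": "pkg:npm/shelljs@0.5.3",
  "vulnerabilities": [
    {"id": "560f37f7-6c1d-4b9c-aad3-34dcfcf218d7",
     "title": "Possible Command Injection",
     "cvssScore": 0}
  ]
}
""")

# Second constructed report with assigned scores, so the project rollup has
# something in the other buckets as well.
SAMPLE_REPORT_SCORED = json.loads("""
{
  "coordinates": "pkg:npm/example-lib@1.0.0",
  "vulnerabilities": [
    {"id": "constructed-1", "title": "Example high", "cvssScore": 7.5},
    {"id": "constructed-2", "title": "Example low", "cvssScore": 3.1}
  ]
}
""")


def severity_from_cvss(score):
    """Bucket a CVSS base score using the CVSS v3 qualitative ranges.

    Assumption (not taken from Dependency-Track): a missing score or a
    score of 0, which is what OSS Index returned here, lands in UNASSIGNED.
    """
    if score is None or score <= 0:
        return "UNASSIGNED"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def tally_component(report):
    """Count one component's findings per severity; every bucket is present."""
    counts = {s: 0 for s in SEVERITIES}
    for vuln in report.get("vulnerabilities", []):
        counts[severity_from_cvss(vuln.get("cvssScore"))] += 1
    return counts


def assigned_only_total(counts):
    """The oversight the maintainer describes: summing only the assigned
    buckets makes a component whose only finding is UNASSIGNED look clean."""
    return sum(counts[s] for s in SEVERITIES if s != "UNASSIGNED")


def total(counts):
    """Corrected total: every bucket, UNASSIGNED included, is counted."""
    return sum(counts.values())


def project_metrics(reports):
    """Roll component tallies up to project level, keeping the UNASSIGNED
    bucket and counting components that have at least one finding."""
    metrics = Counter({s: 0 for s in SEVERITIES})
    vulnerable_components = 0
    for report in reports:
        counts = tally_component(report)
        metrics.update(counts)
        if total(counts) > 0:
            vulnerable_components += 1
    result = dict(metrics)
    result["vulnerableComponents"] = vulnerable_components
    return result


if __name__ == "__main__":
    c = tally_component(SAMPLE_REPORT)
    print("shelljs buckets:", c)
    print("assigned-only total (the bug):", assigned_only_total(c))
    print("total incl. unassigned:", total(c))
    print("project:", project_metrics([SAMPLE_REPORT, SAMPLE_REPORT_SCORED]))
```

Run as-is: the shelljs report tallies to one UNASSIGNED finding, `assigned_only_total` returns 0 (the blue “0” bar from the report), and `total` and `project_metrics` count it. Historical metrics computed with the assigned-only sum cannot be repaired after the fact, which is why the maintainer notes that unassigned stats only appear from the upgrade onward.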