Vulnerabilities are 0 and license section has no entries #446
Comments
What is the PackageURL of the component in question?
Can you clarify please? Are you referring to the license of the component? If so, that is determined in the BOM, not Dependency-Track. If you're referring to the list of all SPDX licenses in Dependency-Track (over 400 of them), then that is populated on startup. Initial seeding takes about 10-30 minutes on first startup and should not be interrupted.
Hi Steve, Another point worth mentioning is that I have deployed the exact version of Dependency-Track on Docker, and I see that the component shows vulnerabilities with just the name, version and vendor details. It doesn't need a PURL. I have a bit of a grey area on why PURL is needed? As for the license, yes, I am referring to the list of all SPDX licenses (over 400). I allowed the war file to complete the entire initial execution. Anyway, I will give it another try and clean install everything. Thank you for the help.
Refer to Dependency-Track v3.6 and higher will no longer perform fuzzy matching against the NVD. PURL or CPE are required for vulnerability analysis for every component. These are not required fields for components themselves, but if you want them analyzed correctly, PURL needs to be there.
If you add a component manually (never recommended), then you'll also need to manually add that component's PURL if you want it analyzed. Also ensure that OSS Index is enabled (refer to best practices). PURL is populated for you if you use CycloneDX build plugins (e.g. Maven, Gradle, etc).
Could you please tell me how to find out a package URL of a component, for example Apache Struts. Also, I am adding components manually to find how many assets out of my list are covered by NVD. This will eventually be automated, wherein I will have an Excel sheet of applications and their vendors (all of which are first verified in the NVD CPE dictionary); a tool will read the applications list and add them to DT via API calls. I first need to understand what details DT needs for a component to be matched against NVD and hence am adding manually. Will be automated in further phases.
This document tells you how to declare it. It's not something you 'find' like a URL, rather, something you specify with accuracy. https://docs.dependencytrack.org/datasources/routing/ For Java components, you'll use:
I am in the process of clean installing DT. In the initial stages, before the NIST mirror starts, there are 5 errors popping up: I have just taken the war and started running DT. Also, even after a clean install, the licenses (400) are empty. What is it that I am missing?
There is no way of knowing. Obviously an environmental issue, but there's no way of knowing. Consult the docs and your sysadmin. Or use the Docker image as it provides a working environment.
Hi preethamngesh8, I am in the same position as you are, doing the same thing you described. For some of the added components zero vulnerabilities are listed, even though they have vulnerabilities listed in NVD, e.g. MongoDB 4.0.6. In your case, did it help to specify a PURL for Struts 2.3.31? @stevespringett: Many thanks for your patience with us and your support to get things clarified. For me DT looks like an awesome tool and I put a lot of effort into understanding how it works.
Hi dagobertdebug, From what I understand, if you enable OSS Index, it overrides the results from NVD, because I observed a difference in the vulnerabilities mentioned in OSS Index and NVD. So, if you have enabled OSS Index, then you need to verify vulnerabilities with OSS Index search. Although this is what I was able to deduce from my limited experience. I would love to have comments from @stevespringett. And yes, you were right in thanking Steve for the amazing guidance he provides in case of many silly issues. A big 'thank you' from my side too. :)
@dagobertdebug also note that PURL only applies to packages (libraries, frameworks, etc). If you want to find vulnerabilities in applications (such as MongoDB), operating systems, hardware, etc, you'll need to ensure the component has a valid CPE. A valid v2.2 CPE for MongoDB 4.0.6 would be:
Once Dependency-Track v3.6 is released (next week), it will use these CPEs to accurately identify vulnerabilities from the NVD or from VulnDB (if you have it set up).
Hi, just wanted to confirm that adding the CPE worked for MongoDB, which now shows the NVD results. Many thanks!
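The thread's practical takeaway is that, from v3.6 on, Dependency-Track matches a component to NVD data only through its PackageURL (for packages such as Maven artifacts) or its CPE (for applications, operating systems and hardware), and a manually or API-added component that carries neither will report zero vulnerabilities. The script below, an added example and not code from the Dependency-Track project or from anyone in this thread, builds both identifier kinds for an inventory like the one described earlier (a spreadsheet of applications and vendors pushed in via the API) and flags the entries that would go unanalysed. The Maven coordinates used for Struts (`org.apache.struts:struts2-core`) and the NVD vendor/product strings used for MongoDB (`mongodb:mongodb`) are assumptions for illustration, as is the third, constructed inventory row; the JSON field names `name`, `version`, `group`, `purl` and `cpe` are the ones Dependency-Track's component API uses.

```python
"""Build PackageURL (purl) and CPE 2.2 identifiers for components before
submitting them to Dependency-Track, and flag components that have neither.

Added example, not Dependency-Track project code. Struts Maven coordinates
and MongoDB vendor/product strings below are assumptions for illustration.
"""
from urllib.parse import quote


def make_purl(ptype, name, version=None, namespace=None):
    """Return a purl of the form pkg:type/namespace/name@version.

    Each namespace segment, the name and the version are percent-encoded
    individually, so reserved characters such as ':' and '@' inside a part
    cannot be confused with the purl separators.
    """
    parts = ["pkg:", ptype.lower(), "/"]
    if namespace:
        segments = namespace.strip("/").split("/")
        parts.append("/".join(quote(seg, safe="") for seg in segments) + "/")
    parts.append(quote(name, safe=""))
    if version:
        parts.append("@" + quote(version, safe=""))
    return "".join(parts)


def make_cpe22(part, vendor, product, version="", update="", edition="", language=""):
    """Return a CPE 2.2 URI, cpe:/part:vendor:product:version:update:edition:language,
    with trailing empty fields dropped.

    Values are lower-cased with spaces replaced by underscores, the convention
    used by names in the NVD CPE dictionary.
    """
    if part not in ("a", "o", "h"):
        raise ValueError("part must be 'a' (application), 'o' (OS) or 'h' (hardware)")
    fields = [part] + [v.strip().lower().replace(" ", "_")
                       for v in (vendor, product, version, update, edition, language)]
    while fields and fields[-1] == "":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def component_payload(name, version, group=None, purl=None, cpe=None):
    """Component JSON body for the Dependency-Track component API.

    Only populated fields are included; a component with neither purl nor cpe
    is still accepted by the API, it just will not be matched against the NVD.
    """
    payload = {"name": name, "version": version}
    if group:
        payload["group"] = group
    if purl:
        payload["purl"] = purl
    if cpe:
        payload["cpe"] = cpe
    return payload


def unmatched(components):
    """Names of components that carry neither a purl nor a cpe.

    From Dependency-Track 3.6 on there is no fuzzy name matching, so these are
    the entries an inventory import would silently report as 0 vulnerabilities.
    """
    return [c["name"] for c in components if not c.get("purl") and not c.get("cpe")]


if __name__ == "__main__":
    # Constructed inventory mirroring the cases discussed in the thread.
    inventory = [
        component_payload(
            "struts2-core", "2.3.31", group="org.apache.struts",
            purl=make_purl("maven", "struts2-core", "2.3.31", namespace="org.apache.struts"),
        ),
        component_payload("MongoDB", "4.0.6", cpe=make_cpe22("a", "mongodb", "mongodb", "4.0.6")),
        component_payload("Example Vendor Tool", "1.0"),  # constructed: name/version only
    ]
    for component in inventory:
        print(component)
    print("will not be analysed against the NVD:", unmatched(inventory))
```

Running the `unmatched` check over the inventory before the API calls turns "0 vulnerabilities" from a silent result into an explicit list of rows that still need a PURL (for libraries) or a CPE (for applications and systems) looked up in the NVD CPE dictionary.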
Hi Steve,
Environment Details:
Dependency Track Version: 3.5.1
Deployment Method: WAR deployment.
I have executed Dependency-Track. The setup is successful. But when I add a component which I know has vulnerabilities, it shows 0. I have referred to #421 which says disable Dependency-Check and enable OSS Index. I have done the same and checked. Still it gives 0 vulnerabilities.
Apart from this I observed that the licenses in the Dependency-Track application were 0.
Is there something I need to look at?