Comments (8)
Hi @msymons , the release will probably not happen until the end of the year.
from dependency-track-plugin.
I have performed testing of the "risk gateway" and it seems to no longer be fit for purpose when connecting to a Dependency-Track server that has been configured with additional vulnerability sources that lead to vulnerability aliasing. In my case, the "extra" is GHSA... but adding Snyk as an analyser in DT would cause the same problem... and having both GHSA and Snyk would make things even worse, i.e., there would be triplicates and not just duplicates.
Using the example from the description, a project with 18 actual high severity vulnerabilities, setting the threshold in the plugin to 19 "High Finding" will result in a build fail... having not accounted for aliases.
I think that the problem might be addressable using the /metrics endpoint. For the same project...

/api/v1/metrics/project/UUID/current

I get response body:

```json
{
  "critical": 1,
  "high": 18,
  "medium": 22,
  "low": 6,
  "unassigned": 0,
  "vulnerabilities": 47,
  "vulnerableComponents": 19,
  "components": 358,
  "suppressed": 2,
  "findingsTotal": 47,
  "findingsAudited": 0,
  "findingsUnaudited": 47,
  "inheritedRiskScore": 172,
  "policyViolationsFail": 0,
  "policyViolationsWarn": 0,
  "policyViolationsInfo": 1,
  "policyViolationsTotal": 1,
  "policyViolationsAudited": 0,
  "policyViolationsUnaudited": 1,
  "policyViolationsSecurityTotal": 1,
  "policyViolationsSecurityAudited": 0,
  "policyViolationsSecurityUnaudited": 1,
  "policyViolationsLicenseTotal": 0,
  "policyViolationsLicenseAudited": 0,
  "policyViolationsLicenseUnaudited": 0,
  "policyViolationsOperationalTotal": 0,
  "policyViolationsOperationalAudited": 0,
  "policyViolationsOperationalUnaudited": 0,
  "firstOccurrence": 1681898444080,
  "lastOccurrence": 1683727278217
}
```
Ah ha! high = 18. Just what we want.
@sephiroth-j , thanks for adding this issue to a milestone. Have you yet got any idea of when plugin v5.0.0 might be released? Having a date (even if it is approximate) will allow my devs to decide whether to make use of the DT API or to wait for the v5.0.0 plugin release.
The next version will "support" aliases in such a way that they will simply be ignored. If there are two vulnerabilities v1 and v2 and v2 is an alias of v1, only v1 will be kept and v2 will be discarded. No duplicates -> correct numbers.
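Added example, not the plugin's or Dependency-Track's own code: the alias-collapsing described in the comment above, applied client-side to a findings list and then fed into a risk-gateway threshold check of the kind the earlier "risk gateway" comment was testing. The finding shape used here (component uuid, vulnerability with vulnId/source/severity and an aliases list carrying cveId/ghsaId/snykId, analysis.isSuppressed) is an assumption modelled on the Dependency-Track findings API and should be checked against your server's response; all identifiers in the sample data are constructed placeholders, not real advisories. Aliases are merged with a union-find so that chains such as CVE -> GHSA -> Snyk collapse into one group even when no single record lists every alias, and the "count exceeds threshold means fail" rule is this example's assumption, not necessarily the plugin's documented semantics.

```python
"""Collapse aliased Dependency-Track findings, then apply risk-gateway thresholds.

Added example; not code from the dependency-track-plugin project.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNASSIGNED": 0}

# Constructed sample findings (placeholder IDs). The shape is an assumption
# modelled on /api/v1/finding/project/{uuid}; verify against your server.
SAMPLE_FINDINGS = [
    # One real issue in lib-a reported three times: NVD, GitHub and Snyk records.
    {"component": {"uuid": "c1", "name": "lib-a"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-0000-0001", "severity": "HIGH",
                       "aliases": [{"cveId": "CVE-0000-0001", "ghsaId": "GHSA-aaaa-aaaa-aaa1"}]},
     "analysis": {"isSuppressed": False}},
    {"component": {"uuid": "c1", "name": "lib-a"},
     "vulnerability": {"source": "GITHUB", "vulnId": "GHSA-aaaa-aaaa-aaa1", "severity": "HIGH",
                       "aliases": [{"cveId": "CVE-0000-0001", "ghsaId": "GHSA-aaaa-aaaa-aaa1"}]},
     "analysis": {"isSuppressed": False}},
    # The Snyk record only names the CVE, not the GHSA: union-find still joins all three.
    {"component": {"uuid": "c1", "name": "lib-a"},
     "vulnerability": {"source": "SNYK", "vulnId": "SNYK-EXAMPLE-0001", "severity": "HIGH",
                       "aliases": [{"cveId": "CVE-0000-0001", "snykId": "SNYK-EXAMPLE-0001"}]},
     "analysis": {"isSuppressed": False}},
    # Same CVE in a different component is a distinct finding and must stay.
    {"component": {"uuid": "c2", "name": "lib-b"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-0000-0001", "severity": "HIGH", "aliases": []},
     "analysis": {"isSuppressed": False}},
    {"component": {"uuid": "c2", "name": "lib-b"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-0000-0002", "severity": "MEDIUM"},
     "analysis": {"isSuppressed": False}},
    # Suppressed finding: left out of the gateway, as the metrics endpoint leaves it out.
    {"component": {"uuid": "c2", "name": "lib-b"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-0000-0003", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": True}},
]


class _UnionFind:
    """Minimal disjoint-set over vulnerability identifiers."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _alias_ids(vuln: dict) -> Set[str]:
    """All identifiers a vulnerability record claims for itself: own id plus every alias id."""
    ids = {vuln["vulnId"]}
    for alias in vuln.get("aliases") or []:
        ids.update(v for v in alias.values() if isinstance(v, str) and v)
    return ids


def _suppressed(finding: dict) -> bool:
    return bool((finding.get("analysis") or {}).get("isSuppressed"))


def dedupe_findings(findings: List[dict], include_suppressed: bool = False,
                    preferred_sources: Tuple[str, ...] = ("NVD",)) -> List[dict]:
    """Keep one finding per (component, alias group); v2 aliased to v1 is dropped."""
    uf = _UnionFind()
    for f in findings:
        ids = list(_alias_ids(f["vulnerability"]))
        for other in ids[1:]:
            uf.union(ids[0], other)
    groups: Dict[Tuple[str, str], List[dict]] = {}
    for f in findings:
        if not include_suppressed and _suppressed(f):
            continue
        key = (f["component"]["uuid"], uf.find(f["vulnerability"]["vulnId"]))
        groups.setdefault(key, []).append(f)

    def source_rank(f: dict) -> int:
        src = f["vulnerability"]["source"]
        return preferred_sources.index(src) if src in preferred_sources else len(preferred_sources)

    kept = []
    for members in groups.values():
        rep = min(members, key=source_rank)  # preferred source wins, else first seen
        # Sources may rate one issue differently; the group takes the highest rating (design choice).
        top = max(members, key=lambda f: SEVERITY_RANK.get(f["vulnerability"]["severity"].upper(), 0))
        kept.append({**rep, "vulnerability": {**rep["vulnerability"],
                                              "severity": top["vulnerability"]["severity"]}})
    return kept


def severity_counts(findings: Iterable[dict]) -> Counter:
    return Counter(f["vulnerability"]["severity"].upper() for f in findings)


def risk_gateway(counts: Counter, thresholds: Dict[str, int]) -> List[str]:
    """Severities whose count exceeds the configured limit (assumed gateway rule)."""
    return [sev for sev, limit in thresholds.items() if counts.get(sev.upper(), 0) > limit]


def evaluate(findings: List[dict], thresholds: Dict[str, int]):
    """Return (raw counts, deduplicated counts, raw failures, deduplicated failures)."""
    raw = severity_counts(f for f in findings if not _suppressed(f))
    deduped = severity_counts(dedupe_findings(findings))
    return raw, deduped, risk_gateway(raw, thresholds), risk_gateway(deduped, thresholds)


if __name__ == "__main__":
    raw, deduped, raw_fail, dedup_fail = evaluate(SAMPLE_FINDINGS, {"HIGH": 3})
    print("raw:", dict(raw), "fails:", raw_fail)
    print("deduplicated:", dict(deduped), "fails:", dedup_fail)
```

With a threshold of 3 HIGH findings the raw count (4) fails the gate while the deduplicated count (2) passes, which is the 18-versus-19 situation from the earlier comment in miniature. Taking the highest severity across a group is a deliberate choice here; dropping aliases outright, as the next plugin version does, instead keeps whichever record survives and its severity.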
The drawback in that approach is that I often see vulnerabilities with GHSA or Snyk IDs having a lot more information in the description when compared with the CVE that they alias.
eg compare GHSA-3gh6-v5v9-6v9j with CVE-2023-36479 in NVD
🤔
But keeping them would lead to the current higher and incorrect numbers on the results summary page. The bar at the top of the table shows the numbers of the findings from the table - if filtered by severity, the counter for the other severities is zero.
Is there nothing that can be used from the metrics endpoint? At least as a fix for the "risk gateway" problem described in my comment of May 10th '23?
I have also discussed things with @nscuro since posting my previous comment today. We do need to do more on our side:
DT needs to support aliases better, it shouldn’t be the Jenkins plugin having to deal with this.
We do have open issues and welcome all feedback.
Of course, I could use the metrics API for the severity count. But then I get inconsistent numbers between the different charts and the previously mentioned table. Then I could also filter aliases there when I count the numbers for the bar at the top of the table, but when the table contains two vulnerabilities where one is an alias of the other, I want to display the correct result 2. So I prefer to have consistent numbers across all pages and charts, even if that means not showing alias-vulnerabilities.