different result for affected projects of aliases #2794

Open
2 tasks done
sephiroth-j opened this issue May 31, 2023 · 2 comments · May be fixed by #4517
Labels
defect Something isn't working in triage

Comments

@sephiroth-j (Contributor)

Current Behavior

If a vulnerability has an alias (e.g. CVE-2023-29197 and GHSA-wxmh-65f7-jcvw), then the backend response of /api/v1/vulnerability/source/NVD/vuln/CVE-2023-29197/projects and api/v1/vulnerability/source/GITHUB/vuln/GHSA-wxmh-65f7-jcvw/projects will not return the same projects.

Steps to Reproduce

  1. have GitHub Advisories enabled
  2. import this project bce082ea-de4c-4d85-9ee0-67fab6027dea-inventory.cdx.json.txt as it is affected by CVE-2023-29197 and wait for the analysis result
  3. open https://dt-frontend/vulnerabilities/NVD/CVE-2023-29197 in a new tab and look at the affected projects. It should also have GHSA-wxmh-65f7-jcvw as an alias.
  4. open https://dt-frontend/vulnerabilities/GITHUB/GHSA-wxmh-65f7-jcvw in a new tab (or reload the page, due to "Affected projects tab not updated when switching between aliases", frontend#481)

Expected Behavior

The projects affected by the alias vulnerabilities should be the same.

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

@valentijnscholten (Contributor)

I think this was a design choice, at least for the first iteration of the alias functionality. The current database design doesn't lend itself very well to easily or efficiently retrieving affected projects, including projects affected by aliases.

@sephiroth-j (Contributor, Author)

sephiroth-j commented Jun 1, 2023

A naive approach would be:

  • collect affected projects of vulnerability V
  • for each alias i of V
    • collect affected projects of vulnerability i
    • add them to the already collected projects of V

And I think that would be quite okay, assuming that V has only one or two aliases.

p.s.

// Deduplicate the List<Project> by copying it through an order-preserving set,
// then write the unique elements back into the same list instance.
final Set<Project> set = new LinkedHashSet<>(projects);
projects.clear();
projects.addAll(set);
return projects;

Why not just use Set<Project> for projects right from the start?
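The alias walk sketched in the comment above, written out as a client-side workaround against the REST endpoints named in the issue. This is added example code, not part of Dependency-Track and not the author's patch. It assumes the vulnerability endpoint returns an "aliases" array whose entries carry per-source identifier fields (cveId, ghsaId, osvId, ...) and that the server accepts an X-Api-Key header; the sample responses below are constructed to reproduce the reported split, and the project and UUID values in them are made up.

```python
"""Union the affected projects of a Dependency-Track vulnerability across its
aliases (example code for issue #2794; not the project's own implementation)."""
import json
import urllib.request
from collections import deque
from typing import Callable, Dict, List

# ASSUMPTION: alias field name -> source name used in
# /api/v1/vulnerability/source/{source}/vuln/{vulnId}. Adjust for your server.
ALIAS_FIELD_TO_SOURCE = {
    "cveId": "NVD",
    "ghsaId": "GITHUB",
    "osvId": "OSV",
    "snykId": "SNYK",
    "sonatypeId": "OSSINDEX",
    "gsdId": "GSD",
    "vulnDbId": "VULNDB",
}

FetchVuln = Callable[[str, str], dict]
FetchProjects = Callable[[str, str], List[dict]]


def affected_projects_with_aliases(source: str, vuln_id: str,
                                   fetch_vuln: FetchVuln,
                                   fetch_projects: FetchProjects) -> List[dict]:
    """Breadth-first walk over V and every alias reachable from it.

    Projects are deduplicated by UUID (not object identity) and returned in
    first-seen order. The visited set stops the walk when aliases point back
    at each other (the NVD record lists the GHSA id and vice versa)."""
    visited = set()
    queue = deque([(source, vuln_id)])
    projects: Dict[str, dict] = {}  # uuid -> project, insertion ordered
    while queue:
        src, vid = queue.popleft()
        key = (src.upper(), vid.upper())
        if key in visited:
            continue
        visited.add(key)
        for project in fetch_projects(src, vid):
            projects.setdefault(project["uuid"], project)
        for alias in fetch_vuln(src, vid).get("aliases") or []:
            for field, alias_source in ALIAS_FIELD_TO_SOURCE.items():
                ident = alias.get(field)
                if ident:
                    queue.append((alias_source, ident))
    return list(projects.values())


def http_fetchers(base_url: str, api_key: str):
    """Fetchers against a live server (not exercised by the offline demo).
    ASSUMPTION: X-Api-Key authentication and the v1 paths quoted in the issue."""
    def get(path: str):
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v1{path}",
            headers={"X-Api-Key": api_key, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def fetch_vuln(src, vid):
        return get(f"/vulnerability/source/{src}/vuln/{vid}")

    def fetch_projects(src, vid):
        return get(f"/vulnerability/source/{src}/vuln/{vid}/projects")

    return fetch_vuln, fetch_projects


# Constructed sample responses: the NVD and GITHUB records of the same flaw
# each report only part of the affected set, as described in the issue.
_ALIAS = {"cveId": "CVE-2023-29197", "ghsaId": "GHSA-wxmh-65f7-jcvw"}
SAMPLE_VULNS = {
    ("NVD", "CVE-2023-29197"): {"vulnId": "CVE-2023-29197", "aliases": [_ALIAS]},
    ("GITHUB", "GHSA-WXMH-65F7-JCVW"): {"vulnId": "GHSA-wxmh-65f7-jcvw", "aliases": [_ALIAS]},
}
SAMPLE_PROJECTS = {
    ("NVD", "CVE-2023-29197"): [{"uuid": "a1", "name": "inventory"},
                                {"uuid": "b2", "name": "billing"}],
    ("GITHUB", "GHSA-WXMH-65F7-JCVW"): [{"uuid": "b2", "name": "billing"},
                                        {"uuid": "c3", "name": "gateway"}],
}


def sample_fetch_vuln(src: str, vid: str) -> dict:
    return SAMPLE_VULNS[(src.upper(), vid.upper())]


def sample_fetch_projects(src: str, vid: str) -> List[dict]:
    return SAMPLE_PROJECTS.get((src.upper(), vid.upper()), [])


def demo(source: str = "NVD", vuln_id: str = "CVE-2023-29197") -> List[str]:
    """Project UUIDs affected by the vulnerability or any of its aliases."""
    return [p["uuid"] for p in affected_projects_with_aliases(
        source, vuln_id, sample_fetch_vuln, sample_fetch_projects)]


if __name__ == "__main__":
    print(demo())                                 # ['a1', 'b2', 'c3']
    print(demo("GITHUB", "GHSA-wxmh-65f7-jcvw"))  # ['b2', 'c3', 'a1']
```

Starting from either alias yields the same set of three projects, which is the expected behaviour from the issue; only the first-seen order differs. Keying the result on the project UUID rather than relying on Project equality is what makes the union safe when the same project arrives from two endpoints as separate objects.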

sephiroth-j added a commit to sephiroth-j/dependency-track that referenced this issue Jan 5, 2025
fixes DependencyTrack#2794

Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
sephiroth-j added a commit to sephiroth-j/dependency-track that referenced this issue Jan 6, 2025
fixes DependencyTrack#2794

Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>