Track and handle changes in which versions are affected by a given vulnerability

[nscuro]

Current Behavior:

When mirroring vulnerability databases, we map them to the following internal models:

• Vulnerability: The vulnerability itself, including ID, source, references, severity, CVSS, etc.
• VulnerableSoftware: Describes which components and component versions are affected by a given vulnerability

As it is now, VulnerableSoftware are treated as "append-only" (edit: by the OSV mirroring task, but not by NVD or GHSA tasks), meaning entries are never removed, even though the relationship they describe may not be reported by any source anymore (e.g. when the related advisory was corrected).

Proposed Behavior:

Track what sources reported a given VulnerableSoftware, and track when it isn't reported anymore. Consider a VulnerableSoftware entry to be outdated / removed once no source reports it anymore.

Additionally, expose this "reported by" information to the API and UI, similar to the existing FindingAttribution. Remember to consider that VulnerableSoftware can stem from manual creation as well since we introduced support for internal vulnerabilities.

[sahibamittal]

Scenario A:
on date 1: vulnerable ranges are [0,1], [2,3]
on date 2: vulnerable ranges are [2,3] ---> then [0,1] should be 'no longer reported as of date 2' ?

Points of discussion:

How to track data which is no longer reported by a datasource? Compare the latest incoming with last fetched data in DB?
Cleanup during scheduled analysis? or set up separate scheduled cleanup?

[nscuro]

Update: As of now, it's only OSV that does not "cleanup after itself". It just appends new VulnerableSoftware entries to whatever is there already. Both the NVD and GHSA mirroring only persist the affected version ranges that are reported during their current task execution, everything else will be dropped implicitly. They do not keep historic data, and even override what's reported by OSV right now.

dependency-track/src/main/java/org/dependencytrack/tasks/OsvDownloadTask.java

Lines 186 to 190 in 84fd49d

	if (existing != null) {
	vsList.addAll(existing.getVulnerableSoftware());
	}
	synchronizedVulnerability.setVulnerableSoftware(new ArrayList<> (vsList));
	qm.persist(synchronizedVulnerability);

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.