VEX export returns invalid cyclonedx #3834

Closed
2 tasks done
muellerst-hg opened this issue Jun 11, 2024 · 3 comments
Labels
defect (Something isn't working), good first issue (Good for newcomers), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
Comments

@muellerst-hg

Current Behavior

Given a project with two components which have the same vulnerability
When I click "Export VEX"
Then a VEX file is delivered which contains duplicate items in vulnerabilities section
But according to cyclonedx 1.5 schema this is invalid

Tested with 4.11.3 and 4.12-snapshot from 2024/06/11

Steps to Reproduce

  1. Create a new project and upload the following BOM file: bom-express.json
  2. Wait for analysis to be finished
  3. Go to the "Audit Vulnerabilities" tab and click "Download VEX" (which returns the following VEX file: vex-express.json)
  4. Enable "BOM Validation" in "Configuration/Bom Format" settings
  5. Click "Apply VEX" and try to upload the above VEX file
  6. Upload fails with: "The uploaded BOM is invalid. Schema validation failed"

The same duplicates can be found when exporting the BOM using "Download BOM -> Inventory with Vulnerabilities"

Expected Behavior

I expect valid cyclonedx bom returned by "Export VEX".

Dependency-Track Version

4.11.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14

Browser

Mozilla Firefox

muellerst-hg added the labels defect (Something isn't working) and in triage on Jun 11, 2024
nscuro added the labels p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), good first issue (Good for newcomers) and size/S (Small effort), and removed in triage, on Jun 11, 2024
@SaberStrat

I decided to have a go at this one. Fixed it locally, not sure if it's the prettiest solution, but I'd dare a PR with it.

@SaberStrat

SaberStrat commented Jul 22, 2024

Thinking about the deduplication of vulnerabilities I'm trying to implement, I'm not sure if I'm understanding @muellerst-hg's remark correctly:

The same duplicates can be found when exporting the BOM using "Download BOM -> Inventory with Vulnerabilities"

DT doesn't seem to be doing a validation check when importing a BOM with vulns so I'm not getting an error with the exported BOM from the example, but as per CycloneDX Schema, the whole Vulnerability object needs to be unique, including the Affects. The vulns in the exported BOM of OP's example are the ones that are duplicated in a VEX, but the difference in the BOM is that the Affects are the different Components, whereas in the VEX it is the (same) project-component in both vulnerability objects.

So I'm not sure if the exported BOM with Vulnerabilities is problematic as well or it's fine, and this is really only about the exported VEX.
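
As an added illustration of the schema rule discussed in this thread (this is not Dependency-Track's code and not the fix that landed), the Python below flags exact-duplicate entries in a CycloneDX 1.5 `vulnerabilities` array the way a `uniqueItems` validator would, and merges entries that share (source name, id) by unioning their `affects` refs. The sample document and the merge-by-id strategy are constructed assumptions; merging keeps the first entry's fields, so it only makes sense when the duplicates came from one project-level export with identical analysis.

```python
import json
from copy import deepcopy

# Constructed sample (not a file from the issue): the same CVE emitted twice for the
# project, as in the VEX case, plus one id whose two entries differ only in affects.
SAMPLE_VEX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"}, "affects": [{"ref": "project-ref"}]},
        {"id": "CVE-0000-0001", "source": {"name": "NVD"}, "affects": [{"ref": "project-ref"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"}, "affects": [{"ref": "component-a"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"}, "affects": [{"ref": "component-b"}]},
    ],
}

def canonical(obj) -> str:
    """Stable serialisation so structurally equal objects compare equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def find_duplicate_vulnerabilities(doc: dict) -> list[int]:
    """Indices of entries that exactly repeat an earlier one (the schema's
    uniqueItems rule: the whole object, affects included)."""
    seen, dupes = set(), []
    for i, vuln in enumerate(doc.get("vulnerabilities", [])):
        key = canonical(vuln)
        if key in seen:
            dupes.append(i)
        seen.add(key)
    return dupes

def dedupe_vulnerabilities(doc: dict) -> dict:
    """Merge entries sharing (source name, id): keep the first entry's fields and
    union their affects by ref. Assumes per-entry analysis is the same, which
    holds when the duplicates came from one project-level export."""
    out = deepcopy(doc)
    merged: dict[tuple, dict] = {}
    for vuln in out.get("vulnerabilities", []):
        key = (vuln.get("source", {}).get("name"), vuln.get("id"))
        if key not in merged:
            merged[key] = vuln
            continue
        have = {a.get("ref") for a in merged[key].setdefault("affects", [])}
        for a in vuln.get("affects", []):
            if a.get("ref") not in have:
                merged[key]["affects"].append(a)
                have.add(a.get("ref"))
    out["vulnerabilities"] = list(merged.values())
    return out
```

On the sample, the exact repeat at index 1 is the only entry a schema validator would reject; the CVE-0000-0002 pair passes validation but still collapses to one entry listing both component refs.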

@nscuro nscuro closed this as completed in be40919 Aug 9, 2024
@nscuro nscuro added this to the 4.12 milestone Aug 9, 2024
@nscuro nscuro modified the milestones: 4.12, 4.11.6 Aug 10, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2024