Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add source attributions for affected component version ranges #2098

Merged
merged 23 commits into from
Nov 15, 2022
Merged

Add source attributions for affected component version ranges #2098

merged 23 commits into from
Nov 15, 2022

Conversation

sahibamittal
Copy link
Contributor

@sahibamittal sahibamittal commented Oct 26, 2022
edited by nscuro
Loading

Description

This PR adds source attributions for affected component ranges.

Starting with the OSV integration, we now have multiple sources contributing vulnerability intelligence data for the same vulnerability. For example, both the GitHub Advisories and OSV integration may contribute affected version ranges for the same GHSA vulnerability.

By tracking attributions, mirroring tasks are now able to differentiate between affected ranges they previously reported, and those reported by mirroring tasks for other sources. This makes it possible to dynamically prune outdated records, without interfering with other sources' data.

Prior to this PR, the OSV mirroring task would only ever append to the ranges already associated with a given vulnerability, while the GitHub Advisories mirroring task would bluntly replace everything with what was reported by GitHub.

Additionally, this information is exposed via REST API, and displayed in the Affected Components tab of the vulnerability details view:

image

Users can now see what source reported what, and when.

Addressed Issue

Closes #1815

Additional Details

Internally, Dependency-Track stores version ranges in VulnerableSoftware objects. Based on the data mirrored from sources, VulnerableSoftware records are associated with Vulnerability records, forming an "affected by" relationship.

The relationship between VulnerableSoftware and Vulnerability is M:N, meaning the same VulnerableSoftware record may be associated with multiple vulnerabilities. In fact, some are associated with over 1000 vulns:

image

We investigated adding the attribution fields to the VULNERABLESOFTWARE_VULNERABILITIES join table (possible with JDO, see this DataNucleus example). But this resulted in very messy code to maintain and update these relationships, so we decided against doing it this way.

Instead, attributions are now a separate object / table that just holds foreign keys to both Vulnerability and VulnerableSoftware. This is similar to the way we handle FindingAttributions already.

@sahibamittal
add reportedBy and updatedAt in vulnerable software
2240bf8 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal
test added
c29f115 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sonatype-lift
Copy link
Contributor

sonatype-lift bot commented Oct 26, 2022

⚠️ 16 God Classes were detected by Lift in this project. Visit the Lift web console for more details.

@sahibamittal
new class AffectedPackageAttribution added
d9dae4e 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal
Merge branch 'master' into Issue-1815-handle-affected-package-versions
69b0f88
@sahibamittal
fix test fail
37b1b14 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@nscuro nscuro self-assigned this Oct 27, 2022
@sahibamittal
fix test fail
8f81852 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal
fix test fail
dc9c276 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal
annotation jsonIgnore added
5d0bd41 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal
osv test fix
99014fb 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal
fix performance by making field transient
eedfb58 
Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
@sahibamittal sahibamittal mentioned this pull request Nov 1, 2022
Merged
@sahibamittal

This comment was marked as outdated.

Sign in to view
@nscuro nscuro linked an issue Nov 4, 2022 that may be closed by this pull request
Track and handle changes in which versions are affected by a given vulnerability #1815
Closed
@nscuro nscuro marked this pull request as draft November 4, 2022 12:33
@nscuro
Preliminary work to handle multiple sources reporting affected versio…
4405b2d 
…ns for the same vulnerability

Previously, GitHub was blunty overriding any VulnerableSoftware<->Vulnerability relationships established by OSV, while OSV would just append on what's already there.

Using attributions for these relationships, this issue is now solved. The performance impact so far has been minimal, although no real benchmarks have been made.

Tests are still a WIP and will be added in a later commit.

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add affected version attribution test for GitHubAdvisoryMirrorTask
042fe9f 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Track first seen and last seen for AffectedVersionAttributions
97344a5 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Handle old VulnerableSoftware records without attribution
bf552cc 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix redundant persist(vsList) calls in NvdParser
9f8ab33 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Minor improvements to AffectedVersionAttribution persistence handling
f688b32 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Perform updates of multiple attributions in a single transaction
f138bce 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add affected version range attribution test for OSV
33a6e67 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add documentation; Remove unneeded test files
f49ca62 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add index to improve attribution lookups
db2b96b 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro removed their request for review November 6, 2022 18:05
@nscuro
OSV: Treat versionStartIncluding=0 as null
7d17503 
This is consistent with how other sources do it, and avoids duplicate `VulnerableSoftware` records that end up meaning the same thing.

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix VulnerabilityResourceTest, add test case for deletion
a0eacfc 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Use getObjectByUuid instead of getObjectById
8ac18de 
Because the latter throws an exception instead of returning `null` when the object was not found.

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro marked this pull request as ready for review November 7, 2022 12:21
@nscuro
Copy link
Member

nscuro commented Nov 7, 2022

@sahibamittal I updated the PR description with screenshots and some implementation details.

@nscuro nscuro changed the title Issue-1815 : handle affected package new versions Add source attributions for affected component version ranges Nov 15, 2022
@nscuro nscuro merged commit 4be1a6c into DependencyTrack:master Nov 15, 2022
@sahibamittal sahibamittal deleted the Issue-1815-handle-affected-package-versions branch November 15, 2022 09:25
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 15, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

@nscuro nscuro nscuro approved these changes

@stevespringett stevespringett stevespringett approved these changes

Assignees

@nscuro nscuro

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Track and handle changes in which versions are affected by a given vulnerability
3 participants
@sahibamittal @nscuro @stevespringett