Same CVE is present several times within the SBOM:vulnerabilities section

[andreeaButerchi]

Hello,

Following the ODT scan, checking the SBOM (with vulnerabilities) we noticed that the vulnerabilities section hold the same CVE several time :(
The bom-ref is the same, everything is the same, the only difference is the affects part.
Indeed the scanned project has several versions of the same library, but I would have expected to see the CVE only once, and have the impacted versions only within the affects array...As we already have a list for the affects part
Am I missing something?
Is there a configuration that I did not notice?
Please find attached a print screen from the UI as it's easier to read...

but I did download and check the SBOM in order to make sure that the only difference is the affects part:
{
"bom-ref": "3d996b7c-8151-4c68-8887-bcffd0485013",
"id": "CVE-2024-28863",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"severity": "unknown",
"method": "other"
}
],
"description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
"published": "2024-03-21T23:15:00Z",
"updated": "2024-06-10T17:16:00Z",
"affects": [
{
"ref": "4534975c-172f-4b00-96c1-4d6a0412c87c"
}
]
},
{
"bom-ref": "3d996b7c-8151-4c68-8887-bcffd0485013",
"id": "CVE-2024-28863",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"severity": "unknown",
"method": "other"
}
],
"description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
"published": "2024-03-21T23:15:00Z",
"updated": "2024-06-10T17:16:00Z",
"affects": [
{
"ref": "55d479c5-aa84-428c-8ce9-07da8be31ad0"
}
]
},

{
  "bom-ref": "3d996b7c-8151-4c68-8887-bcffd0485013",
  "id": "CVE-2024-28863",
  "source": {
    "name": "NVD",
    "url": "https://nvd.nist.gov/"
  },
  "ratings": [
    {
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/"
      },
      "severity": "unknown",
      "method": "other"
    }
  ],
  "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
  "published": "2024-03-21T23:15:00Z",
  "updated": "2024-06-10T17:16:00Z",
  "affects": [
    {
      **"ref": "b5297bef-951a-4161-b31b-10a1c3e09a96"**
    }
  ]
},
    {
  "bom-ref": "3d996b7c-8151-4c68-8887-bcffd0485013",
  "id": "CVE-2024-28863",
  "source": {
    "name": "NVD",
    "url": "https://nvd.nist.gov/"
  },
  "ratings": [
    {
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/"
      },
      "severity": "unknown",
      "method": "other"
    }
  ],
  "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
  "published": "2024-03-21T23:15:00Z",
  "updated": "2024-06-10T17:16:00Z",
  "affects": [
    {
      **"ref": "1e756a31-85ac-473b-b13a-d701435dfcb6"**
    }
  ]
},    

[nscuro]

Generally this behavior is intentional, because while affects can be an array, other relevant parts, such as analysis, can't be. That means that having separate vulnerabilities records for the same CVE is necessary to correctly represent the potentially different analyses of components.

Now, that being said, in your case there is no analysis part. And I think DT needs to do a better job of recognizing that. So I agree that in your case you should get a single vulnerabilities record for CVE-2024-28863.

[andreeaButerchi]

Thank you very much for your answer. We would make sure to handle both cases on our code :)
Do you need for us to create an issue? I'm only asking as I would very much like to know if one day the behavior is enhanced on DT side :)

[nscuro]

If you could create a defect report that would be great. I'll have a look how much work it's going to be, likely we can squeeze it in the upcoming v4.12 release.

[andreeaButerchi]

done: #3907
Thanks!!

[andreeaButerchi]

Hello @nscuro !
Any news on this ticket?
We still struggle with same vulnerability returned several time with the only difference being the affects part:
{ "id": "CVE-2024-38819", "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, "severity": "unknown", "method": "other" } ], "description": "Spring Web - Path Traversal", "affects": [ { "ref": "0b7668bd-3051-4a22-ae41-eda6c5f1bdb1" } ], "bom-ref": "644e32aa-495c-42dc-aad0-62b3518bc554" }, { "id": "CVE-2023-7272", "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, "severity": "unknown", "method": "other" } ], "description": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.", "published": "2024-07-17T15:15:00Z", "updated": "2024-07-18T12:28:00Z", "affects": [ { "ref": "5419d3e3-0b24-46a4-afbd-7af1b71fc988" } ], "bom-ref": "02c2b61e-3ff9-49a4-85e5-175d5aaf0177" }, { "id": "CVE-2024-38819", "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, "severity": "unknown", "method": "other" } ], "description": "Spring Web - Path Traversal", "affects": [ { "ref": "f39eb828-887f-4401-a62f-d12ea7d41324" } ], "bom-ref": "644e32aa-495c-42dc-aad0-62b3518bc554" },

Thank you very much for your help!