
Components which do not have any vulnerabilities are showing as vulnerable components with CVEs in Dependency Track 4.12.1 #4468

Open
2 tasks done
itmanju opened this issue Dec 16, 2024 · 3 comments
Labels
defect Something isn't working in triage

Comments

itmanju commented Dec 16, 2024

Current Behavior

Components which do not have any vulnerabilities are showing as vulnerable components with CVEs in Dependency Track 4.12.1.
Example:
Name: @react-leaflet/core
Version : 2.1.0
Purl: pkg:npm/%40react-leaflet/[email protected]

Attached is the list of CVEs shown by DT for the above example component.

Steps to Reproduce

1. Create the component and provide the purl as given above.
2. Check for vulnerabilities: it shows 10 vulnerabilities.
3. Checked the component and version in other vulnerability sources, but they show no vulnerability (Snyk).

Expected Behavior

1. Only the current vulnerabilities should be shown.
2. Historical vulnerabilities should not be shown.

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

12

Browser

Google Chrome


@itmanju itmanju added defect Something isn't working in triage labels Dec 16, 2024
@aja08379

Still seeing similar with pandas as well, ref: #3267

@coopercr

Vulns may still pop if the plugin only checks the version in use, so if you've forked, the plugin will pop even if the vulnerability is somehow not present - it still sees the affected version. I only looked at the first one, for Pimcore, but that plugin is a version check. Check out the others for the same.

@melvin2001

I believe I am seeing this same issue: Pandas 1.3.0 showing as vulnerable to CVE-2020-13091 when it should be versions under 1.0.3.

Easily reproducible with the following minimal SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "library",
      "name": "pandas",
      "version": "1.3.0",
      "purl": "pkg:pypi/[email protected]",
      "cpe": "cpe:2.3:a:python:pandas:1.3.0:*:*:*:*:*:*:*"
    }
  ]
}
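As an added illustration of the difference the commenters describe (not code from the issue or from Dependency-Track), the following Python matches the minimal SBOM above against a constructed advisory record once by product only and once with a version range. The advisory record, its NVD-style range field and the `< 1.0.3` bound are assumptions taken from the comment, not from a real vulnerability feed.

```python
import json
import re

# Constructed inline copy of the minimal SBOM from the comment above
# (purl omitted; the CPE carries vendor, product and version).
SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
  {"type": "library", "name": "pandas", "version": "1.3.0",
   "cpe": "cpe:2.3:a:python:pandas:1.3.0:*:*:*:*:*:*:*"}]}
""")

# Hypothetical advisory record. The CVE id is the one named in the comment;
# the "< 1.0.3" bound is the commenter's claim, written with an NVD-style
# range field. This is not a real feed entry.
ADVISORIES = [
    {"id": "CVE-2020-13091", "vendor": "python", "product": "pandas",
     "versionEndExcluding": "1.0.3"},
]

def parse_version(v):
    """Dotted version -> tuple of ints, so 1.10.0 sorts after 1.3.0."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def cpe_fields(cpe):
    """Pull vendor, product and version out of a CPE 2.3 string."""
    parts = cpe.split(":")
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}

def in_range(version, adv):
    """True if version falls inside the advisory's affected range."""
    v = parse_version(version)
    lo = adv.get("versionStartIncluding")
    hi = adv.get("versionEndExcluding")
    if lo and v < parse_version(lo):
        return False
    if hi and v >= parse_version(hi):
        return False
    return True

def scan(sbom, advisories, check_range=True):
    """Map each component name to the advisory ids that match it.

    check_range=False reproduces product-only matching, which flags every
    version of pandas, including ones released after the fix."""
    findings = {}
    for comp in sbom["components"]:
        f = cpe_fields(comp["cpe"])
        hits = [a["id"] for a in advisories
                if (a["vendor"], a["product"]) == (f["vendor"], f["product"])
                and (not check_range or in_range(f["version"], a))]
        findings[comp["name"]] = hits
    return findings
```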
