DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page: https://dependencytrack.org/


Export and Import VEX fails to match Vulnerabilities correctly

surendrapathak opened this issue · comments

Current Behavior

If a CVE affects multiple components in the SBOM, the exploitability status is updated only for one of those components. Exporting the status as VEX and importing it in an identical configuration will change the status of both CVEs.

Effectively, VEX is applied only by CVE ID and not by CVE ID + affected component.

Steps to Reproduce

This was discovered based on a hunch, and therefore, the steps are custom:

  1. Create a Product and add two components, one with PURL pkg:pypi/gradio@1.0.0a1 and the other with PURL pkg:pypi/gradio@0.1.01
  2. Confirm two entries for CVE-2023-41626 under 'Audit Vulnerabilities'
  3. Change the status of just one of those to 'EXPLOITABLE'
  4. Export VEX
  5. Change the status of one of these to 'Not Set'
  6. Re-import VEX
  7. Status sets to 'EXPLOITABLE' for both of the vulnerabilities

Expected Behavior

Only gradio v0.1.0 CVE-2023-41626 should be set to EXPLOITABLE

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
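To make the matching failure reported above concrete, here is an added, constructed Python example (not Dependency-Track's code): a minimal CycloneDX VEX document whose analysis is scoped to one component through `affects[].ref`, applied once by vulnerability ID only and once by vulnerability ID plus affected component. Using PURLs as bom-refs and the `NOT_SET`/`EXPLOITABLE` state strings are assumptions for illustration.

```python
import json

# Constructed CycloneDX VEX document (not exported from the issue's instance):
# a single analysis for CVE-2023-41626, scoped to one component via its bom-ref.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [{
        "id": "CVE-2023-41626",
        "affects": [{"ref": "pkg:pypi/gradio@0.1.0"}],
        "analysis": {"state": "exploitable"},
    }],
})

# Constructed project findings: the same CVE reported against two components,
# keyed by (vulnerability id, component bom-ref). The bom-refs here are PURLs.
FINDINGS = {
    ("CVE-2023-41626", "pkg:pypi/gradio@0.1.0"): "NOT_SET",
    ("CVE-2023-41626", "pkg:pypi/gradio@1.0.0a1"): "NOT_SET",
}


def apply_vex_by_id_only(findings, vex_json):
    """Faulty matching: every finding with the same CVE id takes the VEX state,
    which is the behaviour the issue describes."""
    updated = dict(findings)
    for vuln in json.loads(vex_json)["vulnerabilities"]:
        state = vuln["analysis"]["state"].upper()
        for vuln_id, ref in updated:
            if vuln_id == vuln["id"]:
                updated[(vuln_id, ref)] = state
    return updated


def apply_vex_by_id_and_component(findings, vex_json):
    """Expected matching: the VEX state applies only where the CVE id matches
    AND the finding's component is listed in the vulnerability's `affects`."""
    updated = dict(findings)
    for vuln in json.loads(vex_json)["vulnerabilities"]:
        state = vuln["analysis"]["state"].upper()
        affected = {a["ref"] for a in vuln.get("affects", [])}
        for vuln_id, ref in updated:
            if vuln_id == vuln["id"] and ref in affected:
                updated[(vuln_id, ref)] = state
    return updated


def count_state(findings, state):
    """Number of findings currently in the given analysis state."""
    return sum(1 for s in findings.values() if s == state)
```

With the id-only matcher both gradio findings end up EXPLOITABLE; with id-plus-component matching only the 0.1.0 finding does, which is the expected behaviour stated in the report.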