Export and Import VEX fails to match Vulnerabilities correctly
surendrapathak opened this issue · comments
Surendra Pathak commented
Current Behavior
If a CVE affects multiple components in the SBOM, the exploitability status is updated only for one of those components. Exporting the status as VEX and importing it in an identical configuration will change the status of both CVEs.
Effectively, VEX is applied only by CVE ID and not by CVE ID + affected component.
Steps to Reproduce
This was discovered based on a hunch, and therefore, the steps are custom:
- Create a Product and add two components, one with PURL pkg:pypi/gradio@1.0.0a1 and the other with PURL pkg:pypi/gradio@0.1.01
- Confirm two entries for CVE-2023-41626 under 'Audit Vulnerabilities'
- Change the status of just one of those to 'EXPLOITABLE'
- Export VEX
- Change the status of one of these to 'Not Set'
- Re-import VEX
- Status sets to 'EXPLOITABLE' for both of the vulnerabilities
Expected Behavior
Only gradio v0.1.0 CVE-2023-41626 should be set to EXPLOITABLE
Dependency-Track Version
4.7.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
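The following is an added illustration of the matching problem described in this issue; it is not code from the reporter or from Dependency-Track. It uses a hand-constructed VEX document laid out like a CycloneDX VEX export (a `vulnerabilities` array whose entries carry `affects[].ref` and `analysis.state`), a constructed finding inventory using the two PURLs from the report, and two assumed matcher functions: one that keys statements on vulnerability ID only (the behaviour reported) and one that keys on vulnerability ID plus affected component (the behaviour expected).

```python
"""Why VEX statements must be matched on (vulnerability ID, affected component).

Added example, not Dependency-Track's own code. The VEX document, the
finding list and both matcher functions are constructed for this
illustration; the VEX layout follows the CycloneDX VEX shape
(vulnerabilities[].affects[].ref and vulnerabilities[].analysis.state).
"""
import json

# Constructed inventory: one CVE reported against two components of the product.
FINDINGS = [
    {"vuln_id": "CVE-2023-41626", "purl": "pkg:pypi/gradio@1.0.0a1", "state": "NOT_SET"},
    {"vuln_id": "CVE-2023-41626", "purl": "pkg:pypi/gradio@0.1.01", "state": "NOT_SET"},
]

# Constructed VEX export: the analyst marked only the gradio@0.1.01 finding.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {
            "id": "CVE-2023-41626",
            "analysis": {"state": "exploitable"},
            "affects": [{"ref": "pkg:pypi/gradio@0.1.01"}],
        }
    ],
})


def apply_vex_by_id(findings, vex_json):
    """Reported behaviour: key the analysis state on the vulnerability ID alone.

    Every finding that shares the CVE ID receives the state, regardless of
    which component the VEX statement actually names in `affects`.
    """
    vex = json.loads(vex_json)
    state_by_id = {v["id"]: v["analysis"]["state"].upper() for v in vex["vulnerabilities"]}
    result = []
    for finding in findings:
        updated = dict(finding)
        if finding["vuln_id"] in state_by_id:
            updated["state"] = state_by_id[finding["vuln_id"]]
        result.append(updated)
    return result


def apply_vex_by_id_and_component(findings, vex_json):
    """Expected behaviour: key the state on (vulnerability ID, affected component ref).

    A statement without any `affects` entry names no component and is
    therefore applied to nothing, rather than to every finding with that ID.
    """
    vex = json.loads(vex_json)
    state_by_key = {}
    for vuln in vex["vulnerabilities"]:
        for affected in vuln.get("affects", []):
            state_by_key[(vuln["id"], affected["ref"])] = vuln["analysis"]["state"].upper()
    result = []
    for finding in findings:
        updated = dict(finding)
        key = (finding["vuln_id"], finding["purl"])
        if key in state_by_key:
            updated["state"] = state_by_key[key]
        result.append(updated)
    return result


def states(findings):
    """Compact view: map each component PURL to its analysis state."""
    return {f["purl"]: f["state"] for f in findings}


if __name__ == "__main__":
    print("by ID only:       ", states(apply_vex_by_id(FINDINGS, VEX_JSON)))
    print("by ID + component:", states(apply_vex_by_id_and_component(FINDINGS, VEX_JSON)))
```

Running the script shows the ID-only matcher marking both gradio components EXPLOITABLE after re-import, while the component-aware matcher changes only the component the VEX statement names and leaves the other at NOT_SET, which is the outcome the report expects.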