Pushing the same Cyclone BOM multiple times produces different reports #1176

Closed
oscarfh opened this issue Aug 27, 2021 · 1 comment · Fixed by #1177
Labels
defect Something isn't working pending release

Comments

@oscarfh

oscarfh commented Aug 27, 2021

Current Behavior:

Pushing the same Cyclone BOM multiple times produces different reports.

Details

I started Dependency Track using the docker compose file (using both 4.3.1 and 4.3.3). Then I generated a CycloneDX BOM file for an example project I downloaded from Micronaut Launch (I added some extra libs to increase the number of vulnerabilities, because the one I downloaded had 0). Then I uploaded it twice, using

curl -X "POST" "http://localhost:8081/api/v1/bom" \
     -H 'Content-Type: multipart/form-data' \
     -H "X-Api-Key: <key>" \
     -F "autoCreate=true" \
     -F "projectName=myTest" \
     -F "projectVersion=0.0.1" \
     -F "bom=@build/reports/bom.xml"

But Dependency-Track generates a different report the first time when compared with the following ones.
The first report has 19 vulnerabilities with a risk score of 80. The next ones have 9 reports, risk score of 38. If I upload a third time, the results will be identical to the second one. The first time seems like the outlier here, but I wonder which one is correct.

Steps to Reproduce:

  • Start Dependency-Track using the docker compose file (4.3.1 or 4.3.3)
  • Generate a bom file (or use the one in the example)
  • Upload the file using the curl command provided above.
  • Wait for the analysis to complete
  • Upload it once more, changing only the version
  • Compare the analysis results.

Expected Behavior:

The analysis results should be the same for every run, as long as the file is the same.

Environment:

  • Dependency-Track Version: 4.3.1 and 4.3.3
  • Distribution: Docker
  • BOM Format & Version: xml
  • Database Server: ? The default one
  • Browser: Firefox

Additional Details:

Log entries:
First upload:

dtrack-apiserver_1  | 18:25:30.693 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1  | 18:25:31.101 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1  | 18:25:31.108 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1  | 18:25:32.954 INFO [InternalAnalysisTask] Starting internal analysis task
dtrack-apiserver_1  | 18:25:32.965 INFO [InternalAnalysisTask] Internal analysis complete
dtrack-apiserver_1  | 18:25:32.966 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
dtrack-apiserver_1  | 18:25:32.966 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1  | 18:25:34.787 INFO [OssIndexAnalysisTask] Analyzing 68 component(s)
dtrack-apiserver_1  | 18:25:35.426 INFO [OssIndexAnalysisTask] Analyzing 41 component(s)
dtrack-apiserver_1  | 18:25:35.426 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
dtrack-apiserver_1  | 18:25:35.427 INFO [PolicyEngine] Evaluating 158 component(s) against applicable policies
dtrack-apiserver_1  | 18:25:35.558 INFO [PolicyEngine] Policy analysis complete
dtrack-apiserver_1  | 18:25:35.558 INFO [MetricsUpdateTask] Executing metrics update for project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1  | 18:25:35.988 INFO [MetricsUpdateTask] Completed metrics update for project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1  | 18:25:45.043 INFO [JsonWebToken] Received token that did not pass signature verification

Second:

dtrack-apiserver_1  | 18:26:07.581 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1  | 18:26:08.146 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1  | 18:26:08.152 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1  | 18:26:09.086 INFO [InternalAnalysisTask] Starting internal analysis task
dtrack-apiserver_1  | 18:26:09.095 INFO [InternalAnalysisTask] Internal analysis complete
dtrack-apiserver_1  | 18:26:09.095 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
dtrack-apiserver_1  | 18:26:09.095 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1  | 18:26:09.159 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
dtrack-apiserver_1  | 18:26:09.160 INFO [PolicyEngine] Evaluating 158 component(s) against applicable policies
dtrack-apiserver_1  | 18:26:09.256 INFO [PolicyEngine] Policy analysis complete
dtrack-apiserver_1  | 18:26:09.257 INFO [MetricsUpdateTask] Executing metrics update for project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1  | 18:26:09.643 INFO [MetricsUpdateTask] Completed metrics update for project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1

Third:

dtrack-apiserver_1  | 18:26:26.129 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1  | 18:26:26.461 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1  | 18:26:26.464 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1  | 18:26:27.489 INFO [InternalAnalysisTask] Starting internal analysis task
dtrack-apiserver_1  | 18:26:27.498 INFO [InternalAnalysisTask] Internal analysis complete
dtrack-apiserver_1  | 18:26:27.498 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
dtrack-apiserver_1  | 18:26:27.498 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1  | 18:26:27.549 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
dtrack-apiserver_1  | 18:26:27.549 INFO [PolicyEngine] Evaluating 158 component(s) against applicable policies
dtrack-apiserver_1  | 18:26:27.617 INFO [PolicyEngine] Policy analysis complete
dtrack-apiserver_1  | 18:26:27.618 INFO [MetricsUpdateTask] Executing metrics update for project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1  | 18:26:27.943 INFO [MetricsUpdateTask] Completed metrics update for project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
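The reproduction above compares two reports by eye. As an added example (not part of the issue or of Dependency-Track itself), the script below automates the same procedure: it uploads one BOM as two versions of the same project through the `POST /api/v1/bom` call shown in the report, waits for processing, and prints which (component, source, vulnerability) findings appear in only one of the two runs. Everything beyond the upload call is assumed rather than taken from the page: the `GET /api/v1/bom/token/{token}`, `GET /api/v1/project/lookup` and `GET /api/v1/finding/project/{uuid}` endpoints, the `{"token": ...}` upload response, and the finding JSON shape `{"component": {"purl": ...}, "vulnerability": {"source": ..., "vulnId": ...}}`. The two sample finding lists at the bottom are constructed so the comparison logic can be exercised without a running server.

```python
"""Upload one CycloneDX BOM twice and diff the resulting findings (issue #1176).

Added example, not Dependency-Track's own code.  Assumptions (not on the page):
the bom token, project lookup and finding endpoints, and the finding JSON shape.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request
import uuid

BASE_URL = os.environ.get("DT_URL", "http://localhost:8081")
API_KEY = os.environ.get("DT_API_KEY", "<key>")


def _get(path):
    req = urllib.request.Request(BASE_URL + path, headers={"X-Api-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_bom(project_name, project_version, bom_path):
    """Same multipart POST /api/v1/bom as the curl command in the report."""
    boundary = uuid.uuid4().hex
    fields = {"autoCreate": "true", "projectName": project_name, "projectVersion": project_version}
    body = b""
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    with open(bom_path, "rb") as fh:
        bom = fh.read()
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="bom"; filename="bom.xml"\r\n'
             "Content-Type: application/xml\r\n\r\n").encode() + bom + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        BASE_URL + "/api/v1/bom", data=body, method="POST",
        headers={"X-Api-Key": API_KEY, "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["token"]  # assumption: upload answers {"token": "<uuid>"}


def wait_for_processing(token, timeout=300):
    """Poll the (assumed) GET /api/v1/bom/token/{token} until "processing" is false."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        if not _get(f"/api/v1/bom/token/{token}").get("processing", False):
            return
        time.sleep(2)
    raise TimeoutError("BOM processing did not finish in time")


def finding_keys(findings):
    """Reduce a findings list to a set of (component purl, vuln source, vuln id)."""
    return {(f["component"].get("purl", ""), f["vulnerability"]["source"], f["vulnerability"]["vulnId"])
            for f in findings}


def diff_findings(first, second):
    """Findings present in only one run, plus the count shared by both."""
    a, b = finding_keys(first), finding_keys(second)
    return {"only_first": sorted(a - b), "only_second": sorted(b - a), "common": len(a & b)}


def compare_two_uploads(bom_path, project="myTest", versions=("0.0.1", "0.0.2")):
    """Upload the same BOM under two versions (as in the steps to reproduce) and diff them."""
    results = []
    for version in versions:
        wait_for_processing(upload_bom(project, version, bom_path))
        query = urllib.parse.urlencode({"name": project, "version": version})
        proj = _get(f"/api/v1/project/lookup?{query}")   # assumed endpoint, returns {"uuid": ...}
        results.append(_get(f"/api/v1/finding/project/{proj['uuid']}"))  # assumed endpoint
    return diff_findings(results[0], results[1])


# Constructed sample findings (not real server output) for offline use of diff_findings.
SAMPLE_FIRST = [
    {"component": {"purl": "pkg:maven/org.example/lib@1.0"},
     "vulnerability": {"source": "OSSINDEX", "vulnId": "CVE-2020-0001"}},
    {"component": {"purl": "pkg:maven/org.example/lib@1.0"},
     "vulnerability": {"source": "OSSINDEX", "vulnId": "CVE-2020-0002"}},
    {"component": {"purl": "pkg:maven/org.example/other@2.0"},
     "vulnerability": {"source": "INTERNAL", "vulnId": "INT-1"}},
]
SAMPLE_SECOND = [
    {"component": {"purl": "pkg:maven/org.example/lib@1.0"},
     "vulnerability": {"source": "OSSINDEX", "vulnId": "CVE-2020-0001"}},
    {"component": {"purl": "pkg:maven/org.example/other@2.0"},
     "vulnerability": {"source": "INTERNAL", "vulnId": "INT-1"}},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(compare_two_uploads(sys.argv[1]), indent=2))
    else:
        print(json.dumps(diff_findings(SAMPLE_FIRST, SAMPLE_SECOND), indent=2))
```

Run it as `DT_API_KEY=... python compare.py build/reports/bom.xml` against a local instance; with no argument it diffs the constructed samples. A non-empty `only_first` or `only_second` on identical input is exactly the inconsistency the issue describes, since the findings for the same inventory should not depend on upload order.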
nscuro added a commit to nscuro/dependency-track that referenced this issue Aug 27, 2021
Fixes DependencyTrack#1176

Signed-off-by: nscuro <nscuro@protonmail.com>
@stevespringett stevespringett added defect Something isn't working pending release and removed in triage labels Aug 30, 2021
stevespringett added a commit that referenced this issue Aug 31, 2021
…esults from being applied to a new project with identical inventory.
@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 30, 2021