Current Behavior:
Pushing the same CycloneDX BOM multiple times produces different reports.
Details
I started Dependency-Track using the docker compose file (using both 4.3.1 and 4.3.3). Then I generated a CycloneDX BOM file for an example project I downloaded from Micronaut Launch (I added some extra libs to increase the number of vulnerabilities, because the one I downloaded had 0).
Then I uploaded it twice, using
But Dependency-Track generates a different report the first time compared with the following ones.
The first report has 19 vulnerabilities with a risk score of 80. The next ones have 9 vulnerabilities and a risk score of 38. If I upload a third time, the results are identical to the second one. The first time seems like the outlier here, but I wonder which one is correct.
Steps to Reproduce:
Start the dependency tracker using the docker compose file (4.3.1 or 4.3.3)
Upload the file using the curl command provided above.
Wait for the analysis to complete
Upload it once more, changing only the version
Compare the analysis results.
Expected Behavior:
The analysis result should be the same for every run, as long as the file is the same.
Environment:
Dependency-Track Version: 4.3.1 and 4.3.3
Distribution: Docker
BOM Format & Version: xml
Database Server: ? The default one
Browser: Firefox
Additional Details:
Log entries:
First upload:
dtrack-apiserver_1 | 18:25:30.693 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1 | 18:25:31.101 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1 | 18:25:31.108 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1 | 18:25:32.954 INFO [InternalAnalysisTask] Starting internal analysis task
dtrack-apiserver_1 | 18:25:32.965 INFO [InternalAnalysisTask] Internal analysis complete
dtrack-apiserver_1 | 18:25:32.966 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
dtrack-apiserver_1 | 18:25:32.966 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1 | 18:25:34.787 INFO [OssIndexAnalysisTask] Analyzing 68 component(s)
dtrack-apiserver_1 | 18:25:35.426 INFO [OssIndexAnalysisTask] Analyzing 41 component(s)
dtrack-apiserver_1 | 18:25:35.426 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
dtrack-apiserver_1 | 18:25:35.427 INFO [PolicyEngine] Evaluating 158 component(s) against applicable policies
dtrack-apiserver_1 | 18:25:35.558 INFO [PolicyEngine] Policy analysis complete
dtrack-apiserver_1 | 18:25:35.558 INFO [MetricsUpdateTask] Executing metrics update for project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1 | 18:25:35.988 INFO [MetricsUpdateTask] Completed metrics update for project: d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1 | 18:25:45.043 INFO [JsonWebToken] Received token that did not pass signature verification
Second:
dtrack-apiserver_1 | 18:26:07.581 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1 | 18:26:08.146 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1 | 18:26:08.152 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1 | 18:26:09.086 INFO [InternalAnalysisTask] Starting internal analysis task
dtrack-apiserver_1 | 18:26:09.095 INFO [InternalAnalysisTask] Internal analysis complete
dtrack-apiserver_1 | 18:26:09.095 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
dtrack-apiserver_1 | 18:26:09.095 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1 | 18:26:09.159 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
dtrack-apiserver_1 | 18:26:09.160 INFO [PolicyEngine] Evaluating 158 component(s) against applicable policies
dtrack-apiserver_1 | 18:26:09.256 INFO [PolicyEngine] Policy analysis complete
dtrack-apiserver_1 | 18:26:09.257 INFO [MetricsUpdateTask] Executing metrics update for project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1 | 18:26:09.643 INFO [MetricsUpdateTask] Completed metrics update for project: 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
Third:
dtrack-apiserver_1 | 18:26:26.129 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1 | 18:26:26.461 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1 | 18:26:26.464 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1 | 18:26:27.489 INFO [InternalAnalysisTask] Starting internal analysis task
dtrack-apiserver_1 | 18:26:27.498 INFO [InternalAnalysisTask] Internal analysis complete
dtrack-apiserver_1 | 18:26:27.498 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
dtrack-apiserver_1 | 18:26:27.498 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1 | 18:26:27.549 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
dtrack-apiserver_1 | 18:26:27.549 INFO [PolicyEngine] Evaluating 158 component(s) against applicable policies
dtrack-apiserver_1 | 18:26:27.617 INFO [PolicyEngine] Policy analysis complete
dtrack-apiserver_1 | 18:26:27.618 INFO [MetricsUpdateTask] Executing metrics update for project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
dtrack-apiserver_1 | 18:26:27.943 INFO [MetricsUpdateTask] Completed metrics update for project: b1b1d2a1-3f8b-46c8-bc7e-173d7fd7d005
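An added example for the "Compare the analysis results" step above (editor's code, not from the issue or from the Dependency-Track project). It does two things: it keys findings by package URL rather than by component UUID, because each upload in the logs above created a separate project (three different project UUIDs), so UUID-based comparison would report everything as changed; and it summarises from the log excerpt how many components each upload actually sent to OSS Index and how long that analysis took. The `fetch_findings` helper uses the `GET /api/v1/finding/project/{uuid}` endpoint with an `X-Api-Key` header; the base URL, key and sample findings (with placeholder vulnerability IDs) are constructed here and are not from the page. The risk-score weights are the ones documented by Dependency-Track for the inherited risk score and should be checked against the version in use.

```python
import json
import re
import urllib.request
from datetime import datetime

# Log lines copied from the first and second upload in the issue, used as inline sample input.
LOG_FIRST = """\
dtrack-apiserver_1 | 18:25:31.108 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project d318e68d-74ca-42fb-b0a0-98f032f64739
dtrack-apiserver_1 | 18:25:32.966 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1 | 18:25:34.787 INFO [OssIndexAnalysisTask] Analyzing 68 component(s)
dtrack-apiserver_1 | 18:25:35.426 INFO [OssIndexAnalysisTask] Analyzing 41 component(s)
dtrack-apiserver_1 | 18:25:35.426 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
"""
LOG_SECOND = """\
dtrack-apiserver_1 | 18:26:08.152 INFO [BomUploadProcessingTask] Processed 158 components and 0 services uploaded to project 38a4fb0b-7278-4d87-99d8-6ffdf01ff3d1
dtrack-apiserver_1 | 18:26:09.095 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
dtrack-apiserver_1 | 18:26:09.159 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
"""

# Optional docker-compose "service | " prefix, then time, level, task, message.
LINE_RE = re.compile(r"^(?:\S+\s+\|\s+)?(\d\d:\d\d:\d\d\.\d{3}) (\w+) \[(\w+)\] (.*)$")


def parse_log(text):
    """Yield (time, level, task, message) for each recognised API-server log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2), m.group(3), m.group(4)


def summarize_upload(text):
    """Per upload: components in the BOM, components actually queried at OSS Index, and OSS Index wall time."""
    components = queried = 0
    start = end = None
    for t, _level, task, msg in parse_log(text):
        if task == "BomUploadProcessingTask" and (m := re.match(r"Processed (\d+) components", msg)):
            components = int(m.group(1))
        elif task == "OssIndexAnalysisTask":
            if msg.startswith("Starting"):
                start = t
            elif m := re.match(r"Analyzing (\d+) component\(s\)", msg):
                queried += int(m.group(1))
            elif msg.endswith("complete"):
                end = t
    seconds = round((end - start).total_seconds(), 3) if start and end else None
    return {"components": components, "ossindex_queried": queried, "ossindex_seconds": seconds}


def fetch_findings(base_url, api_key, project_uuid):
    """Fetch findings for one project via the Dependency-Track REST API (not used by the offline sample)."""
    req = urllib.request.Request(f"{base_url}/api/v1/finding/project/{project_uuid}",
                                 headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def finding_key(f):
    """Identity of a finding that survives re-upload: component purl, vulnerability source and ID."""
    c, v = f["component"], f["vulnerability"]
    purl = c.get("purl") or f"{c.get('group')}:{c['name']}:{c['version']}"
    return purl, v["source"], v["vulnId"]


# Assumed weights, taken from Dependency-Track's documented inherited-risk-score formula.
SEVERITY_WEIGHT = {"CRITICAL": 10, "HIGH": 5, "MEDIUM": 3, "LOW": 1, "UNASSIGNED": 5}


def risk_score(findings):
    return sum(SEVERITY_WEIGHT.get(f["vulnerability"]["severity"].upper(), 5) for f in findings)


def diff_findings(first, second):
    """Findings present after one upload but not the other, keyed by finding_key."""
    a = {finding_key(f) for f in first}
    b = {finding_key(f) for f in second}
    return {"only_in_first": sorted(a - b), "only_in_second": sorted(b - a), "common": sorted(a & b)}


def _finding(purl, source, vuln_id, severity):
    # Constructed sample in the shape of the finding API; vulnerability IDs are placeholders.
    name, version = purl.rsplit("/", 1)[1].split("@")
    return {"component": {"purl": purl, "name": name, "version": version},
            "vulnerability": {"source": source, "vulnId": vuln_id, "severity": severity}}


SAMPLE_FIRST = [_finding("pkg:maven/org.example/liba@1.0", "OSSINDEX", "EXAMPLE-0001", "HIGH"),
                _finding("pkg:maven/org.example/libb@2.0", "OSSINDEX", "EXAMPLE-0002", "CRITICAL"),
                _finding("pkg:maven/org.example/libc@3.0", "NVD", "EXAMPLE-0003", "MEDIUM")]
SAMPLE_SECOND = [SAMPLE_FIRST[0], SAMPLE_FIRST[2]]

if __name__ == "__main__":
    for label, log in (("first", LOG_FIRST), ("second", LOG_SECOND)):
        print(label, summarize_upload(log))
    print("risk:", risk_score(SAMPLE_FIRST), "->", risk_score(SAMPLE_SECOND))
    print("diff:", diff_findings(SAMPLE_FIRST, SAMPLE_SECOND)["only_in_first"])
```

Against the log excerpt above, the first upload sent 109 of its 158 components to OSS Index in two batches and the analysis took about 2.5 seconds, while the second upload logged no "Analyzing" batches and completed in about 60 ms; to compare live instances, call `fetch_findings` for the two project UUIDs from the logs and pass the results to `diff_findings`.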