
Other repositories for composer seem to not work #2544

Closed
2 tasks done
fakeNews-jpg opened this issue Mar 1, 2023 · 3 comments
Labels
defect Something isn't working in triage

Comments

@fakeNews-jpg

Current Behavior

I try to use Dependency-Track to manage the dependencies of a WordPress installed with Composer.
Yet, the generated SBOM is not understood correctly by Dependency-Track, since vulnerabilities are not detected.

When using wpackagist.org as the Composer repository, the vulnerabilities are not detected. (I added the repository in Administration/Repositories/Composer.)

In this example, WordPress and Elementor are vulnerable to known public vulnerabilities.

You may find more information in this issue I created, since I thought it was due to an SBOM generation problem: CycloneDX/cyclonedx-php-composer#324

Can you please explain a way to make Dependency-Track work with a WordPress installed with Composer?

Thanks a lot in advance

Steps to Reproduce

Here is the generated BOM:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <metadata>
    <tools>
      <tool>
        <vendor><![CDATA[cyclonedx]]></vendor>
        <name><![CDATA[cyclonedx-php-composer]]></name>
        <version><![CDATA[3.11.0]]></version>
      </tool>
    </tools>
    <component type="library" bom-ref="pkg:composer/coucou/cava@1.0.0">
      <group><![CDATA[coucou]]></group>
      <name><![CDATA[cava]]></name>
      <version><![CDATA[1.0.0]]></version>
      <description><![CDATA[coucou.fr]]></description>
      <purl><![CDATA[pkg:composer/gpsea/festivaldulivredecreteil@1.0.0]]></purl>
    </component>
  </metadata>
  <components>
    <component type="application" bom-ref="pkg:composer/composer/installers@1.12.0">
      <group><![CDATA[composer]]></group>
      <name><![CDATA[installers]]></name>
      <version><![CDATA[1.12.0]]></version>
      <description><![CDATA[A multi-framework Composer library installer]]></description>
      <licenses>
        <license>
          <id><![CDATA[MIT]]></id>
        </license>
      </licenses>
      <purl><![CDATA[pkg:composer/composer/installers@1.12.0]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/composer/installers.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=d20a64ed3c94748397ff5973488761b22f6d3f19)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://api.github.com/repos/composer/installers/zipball/d20a64ed3c94748397ff5973488761b22f6d3f19]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=d20a64ed3c94748397ff5973488761b22f6d3f19 & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://composer.github.io/installers/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
        <reference type="issue-tracker">
          <url><![CDATA[https://github.com/composer/installers/issues]]></url>
          <comment><![CDATA[As set via `support.issues` in composer package definition.]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://github.com/composer/installers/tree/v1.12.0]]></url>
          <comment><![CDATA[As set via `support.source` in composer package definition.]]></comment>
        </reference>
        <reference type="other">
          <url><![CDATA[https://packagist.com]]></url>
          <comment><![CDATA[As set via `funding` in composer package definition. (type=custom)]]></comment>
        </reference>
        <reference type="other">
          <url><![CDATA[https://github.com/composer]]></url>
          <comment><![CDATA[As set via `funding` in composer package definition. (type=github)]]></comment>
        </reference>
        <reference type="other">
          <url><![CDATA[https://tidelift.com/funding/github/packagist/composer/composer]]></url>
          <comment><![CDATA[As set via `funding` in composer package definition. (type=tidelift)]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/fancyguy/webroot-installer@1.1.0">
      <group><![CDATA[fancyguy]]></group>
      <name><![CDATA[webroot-installer]]></name>
      <version><![CDATA[1.1.0]]></version>
      <description><![CDATA[A composer installer for libraries that live in an application webroot.]]></description>
      <licenses>
        <license>
          <id><![CDATA[BSD-3-Clause]]></id>
        </license>
      </licenses>
      <purl><![CDATA[pkg:composer/fancyguy/webroot-installer@1.1.0]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/fancyguy/webroot-installer.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=a2d5c2e149d837e5580a62a91d3c91577aa30d28)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://api.github.com/repos/fancyguy/webroot-installer/zipball/a2d5c2e149d837e5580a62a91d3c91577aa30d28]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=a2d5c2e149d837e5580a62a91d3c91577aa30d28 & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[http://fancyguy.github.com/webroot-installer/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
        <reference type="issue-tracker">
          <url><![CDATA[https://github.com/fancyguy/webroot-installer/issues]]></url>
          <comment><![CDATA[As set via `support.issues` in composer package definition.]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://github.com/fancyguy/webroot-installer/tree/master]]></url>
          <comment><![CDATA[As set via `support.source` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/koodimonni-language/core-fr_fr@6.1.1">
      <group><![CDATA[koodimonni-language]]></group>
      <name><![CDATA[core-fr_fr]]></name>
      <version><![CDATA[6.1.1]]></version>
      <description><![CDATA[WordPress core translations for French (France) - fr_fr]]></description>
      <purl><![CDATA[pkg:composer/koodimonni-language/core-fr_fr@6.1.1]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/translation/core/6.1.1/fr_FR.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="application" bom-ref="pkg:composer/koodimonni/composer-dropin-installer@1.4">
      <group><![CDATA[koodimonni]]></group>
      <name><![CDATA[composer-dropin-installer]]></name>
      <version><![CDATA[1.4]]></version>
      <description><![CDATA[Install packages or a few files from packages into custom paths without overwriting existing stuff.]]></description>
      <licenses>
        <license>
          <id><![CDATA[WTFPL]]></id>
        </license>
      </licenses>
      <purl><![CDATA[pkg:composer/koodimonni/composer-dropin-installer@1.4]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/Koodimonni/Composer-Dropin-Installer.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=9596ef8f50cbba2cdc707ca3b1f5e4a0e9fa7e7e)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://api.github.com/repos/Koodimonni/Composer-Dropin-Installer/zipball/9596ef8f50cbba2cdc707ca3b1f5e4a0e9fa7e7e]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=9596ef8f50cbba2cdc707ca3b1f5e4a0e9fa7e7e & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="issue-tracker">
          <url><![CDATA[https://github.com/Koodimonni/Composer-Dropin-Installer/issues]]></url>
          <comment><![CDATA[As set via `support.issues` in composer package definition.]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://github.com/Koodimonni/Composer-Dropin-Installer/tree/1.4]]></url>
          <comment><![CDATA[As set via `support.source` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wordpress/wordpress@5.3.2">
      <group><![CDATA[wordpress]]></group>
      <name><![CDATA[wordpress]]></name>
      <version><![CDATA[5.3.2]]></version>
      <purl><![CDATA[pkg:composer/wordpress/wordpress@5.3.2]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/WordPress/WordPress.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=5.3.2)]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[child-theme-configurator]]></name>
      <version><![CDATA[2.6.0]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/child-theme-configurator/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/2.6.0)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/child-theme-configurator.2.6.0.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/child-theme-configurator/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/duplicate-page@4.5.1">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[duplicate-page]]></name>
      <version><![CDATA[4.5.1]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/duplicate-page@4.5.1]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/duplicate-page/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=trunk)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/duplicate-page.zip?timestamp=1675851876]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/duplicate-page/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/elementor@3.6.2">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[elementor]]></name>
      <version><![CDATA[3.6.2]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/elementor@3.6.2]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/elementor/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/3.6.2)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/elementor.3.6.2.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/elementor/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/matomo@4.13.5">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[matomo]]></name>
      <version><![CDATA[4.13.5]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/matomo@4.13.5]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/matomo/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/4.13.5)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/matomo.4.13.5.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/matomo/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[premium-addons-for-elementor]]></name>
      <version><![CDATA[4.9.50]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/premium-addons-for-elementor/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/4.9.50)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/premium-addons-for-elementor.4.9.50.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/premium-addons-for-elementor/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[royal-elementor-addons]]></name>
      <version><![CDATA[1.3.65]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/royal-elementor-addons/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/1.3.65)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.65.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/royal-elementor-addons/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    <dependency ref="pkg:composer/fancyguy/webroot-installer@1.1.0"/>
    <dependency ref="pkg:composer/koodimonni-language/core-fr_fr@6.1.1">
      <dependency ref="pkg:composer/koodimonni/composer-dropin-installer@1.4"/>
    </dependency>
    <dependency ref="pkg:composer/koodimonni/composer-dropin-installer@1.4"/>
    <dependency ref="pkg:composer/wordpress/wordpress@5.3.2">
      <dependency ref="pkg:composer/fancyguy/webroot-installer@1.1.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/duplicate-page@4.5.1">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/elementor@3.6.2">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/matomo@4.13.5">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/coucou/cava@1.0.0">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
      <dependency ref="pkg:composer/wordpress/wordpress@5.3.2"/>
      <dependency ref="pkg:composer/koodimonni-language/core-fr_fr@6.1.1"/>
      <dependency ref="pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0"/>
      <dependency ref="pkg:composer/wpackagist-plugin/duplicate-page@4.5.1"/>
      <dependency ref="pkg:composer/wpackagist-plugin/elementor@3.6.2"/>
      <dependency ref="pkg:composer/wpackagist-plugin/matomo@4.13.5"/>
      <dependency ref="pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65"/>
      <dependency ref="pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50"/>
    </dependency>
  </dependencies>
</bom>

Expected Behavior

WordPress is outdated (v5.3.2), likewise Elementor, and the report should show the associated CVEs.

Dependency-Track Version

4.6.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

@fakeNews-jpg fakeNews-jpg added defect Something isn't working in triage labels Mar 1, 2023
@syalioune (Contributor)

Hello @fakeNews-jpg,

There are two different points.

  • Custom composer repository: Dependency-Track (DT) only uses the repository information to fetch metadata about the component, such as the latest available version. It is not used for vulnerability detection. Regarding composer, DT uses the repository metadata v1 endpoint. It does seem that https://wpackagist.org/ does not support this endpoint. See https://wpackagist.org/p2/wpackagist-plugin/elementor.json, which results in a 404, and https://repo.packagist.org/p/johnpbloch/wordpress.json, which works. As a consequence, you won't get information about the latest available version for components related to wpackagist, as opposed to webroot-installer in the picture below.
    [image: screenshot of the component list]

  • Missing vulnerabilities: Since your SBOM contains purls, DT will check vulnerabilities with (based on your configuration) OSS Index, GitHub Advisories, Google OSV and Snyk, and not NVD. Taking pkg:composer/wordpress/wordpress@5.3.2 as an example, OSS Index does not report any vulnerability for this purl. However, OSS Index reports vulnerabilities for pkg:composer/johnpbloch/wordpress@5.3.2. My point being that DT can only work with the data provided by the vulnerability databases. If you feel that your purls are legit (e.g. wordpress/wordpress being equivalent to johnpbloch/wordpress or others), you have to file an issue with the respective vulnerability databases for updates.

You can find the contact points below:

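As an added example (not code from this issue, from Dependency-Track or from the reporter), a small offline Python check that turns the two points above into something you can run before uploading a BOM: it builds the v1 metadata URL DT would fetch for each composer purl (the /p/<vendor>/<name>.json form shown in the reply), and audits the BOM for bom-ref/purl disagreements like the one in the metadata component above, and for dependency refs that name no declared component. The embedded BOM excerpt is constructed from the one posted above, with one dangling dependency added to exercise that check.

```python
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.3"

# Constructed excerpt of the issue's BOM: the metadata component keeps its
# bom-ref/purl mismatch, and one dependency ref points to a component that is
# deliberately not declared, to exercise the dangling-ref check.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <metadata>
    <component type="library" bom-ref="pkg:composer/coucou/cava@1.0.0">
      <purl>pkg:composer/gpsea/festivaldulivredecreteil@1.0.0</purl>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:composer/wordpress/wordpress@5.3.2">
      <purl>pkg:composer/wordpress/wordpress@5.3.2</purl>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/elementor@3.6.2">
      <purl>pkg:composer/wpackagist-plugin/elementor@3.6.2</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:composer/wpackagist-plugin/elementor@3.6.2">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
  </dependencies>
</bom>"""


def parse_composer_purl(purl):
    """pkg:composer/<vendor>/<name>@<version> -> (vendor, name, version); None otherwise.
    Qualifiers (?...) and subpaths (#...) are not handled."""
    if not purl.startswith("pkg:composer/"):
        return None
    name_part, _, version = purl[len("pkg:composer/"):].partition("@")
    vendor, _, name = name_part.partition("/")
    return (vendor, name, version) if vendor and name and version else None


def metadata_v1_url(repo_base, purl):
    """The v1 metadata document DT fetches for latest-version info, in the
    /p/<vendor>/<name>.json form shown in the reply (repo.packagist.org/p/johnpbloch/wordpress.json)."""
    parts = parse_composer_purl(purl)
    if parts is None:
        return None
    return f"{repo_base.rstrip('/')}/p/{parts[0]}/{parts[1]}.json"


def audit_bom(xml_text):
    """Findings that make DT match the wrong package or nothing: components without
    a purl, bom-ref/purl disagreements (DT keys vulnerability lookups on the purl),
    and dependency refs that name no declared component."""
    root = ET.fromstring(xml_text)
    findings, declared = [], {}
    for comp in root.iter(f"{{{CDX_NS}}}component"):  # metadata and components
        ref = comp.get("bom-ref")
        purl_el = comp.find(f"{{{CDX_NS}}}purl")
        purl = purl_el.text.strip() if purl_el is not None and purl_el.text else None
        declared[ref] = purl
        if purl is None:
            findings.append(("no-purl", ref))
        elif ref != purl:
            findings.append(("bom-ref-purl-mismatch", ref, purl))
    for dep in root.iter(f"{{{CDX_NS}}}dependency"):
        if dep.get("ref") not in declared:
            findings.append(("dangling-dependency-ref", dep.get("ref")))
    return findings
```

A 404 on the URL metadata_v1_url() returns is exactly the "no latest version" case described above; a purl naming a package the vulnerability databases do not know (wordpress/wordpress rather than johnpbloch/wordpress) passes this audit and still yields no findings in DT.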
@fakeNews-jpg (Author)

Thanks a lot for this really complete answer.

I close this issue as this seems not to be related to DT.

@github-actions (Contributor)

github-actions bot commented Apr 2, 2023

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 2, 2023