Missing Vulnerabilities from CycloneDX BOM upload #783
Comments
I think there's a misunderstanding between the bom-ref attribute of a component element
purl element of a component
Dependency-Track uses the Dependency Track does not support the CycloneDX vulnerability extension. There are plans to add the vulnerability extension as an option when outputting CycloneDX for Dependency Track projects, but there are no current plans on importing vulnerabilities defined in the CycloneDX vulnerability extension. If this is a requirement, pull requests are highly encouraged 😉 The primary purpose for this extension is to provide GRC and related risk management systems, the ability to import that data along with all the risk scores from each vulnerability. But I also see your point in possibly having that capability in Dependency Track in the future as well. |
|
@stevespringett thank you so much for your thorough feedback. Confirming that there is no support for the vulnerability extension is very useful to us at this point. I think that the most important thing is emphasizing further that there is no support for vulnerabilities (yet) and that PURLs are a hard requirement for packages. In particular these two statements:
And:
I'm happy to produce doc updates, but wasn't entirely sure where those should go. If you could point me in the right way, I can start getting that worked out. |
|
Doc improvements are always welcome. It's good to have a fresh set of eyes on things, especially as software changes over time. Docs are here: https://github.com/DependencyTrack/dependency-track/tree/master/docs/_docs and will next be published when Dependency-Track 4.0 is released. |
|
I used https://github.com/cyclonedx/cyclonedx-python to generate bom.xml For Python. After the XML is uploaded through the "Upload BOM" Function, there is no vulnerability detection result |
|
@w2n1ck ensure OSS Index is enabled. Refer to https://docs.dependencytrack.org/FAQ/ |
|
We were running into something similar. OSS Sonatype Index does not always contain CVEs that are present in NIST NVD. I put together a PR that attempts to augment the python bill of materials with CPEs, where possible, to match NVD. One specific example where this works is PR is open for comment: |
|
If OSS Index is missing vulnerabilities, please let them know so they can correct the issue. Once corrected, DT will identify the vulnerable components upon next analysis. |
Current Behavior:
Uploaded a CycloneDX BOM to a new project and none of the vulnerabilities reported in the BOM made it into the audit. I searched the open/closed issues and found that #744 explained something similar.
The suggestion was to follow the FAQ which mentions specifically this:
There are a couple of issues here:
We are uploading a BOM with the vulnerability extension. Specifically, the example XML from CycloneDX used here: https://cyclonedx.org/ext/vulnerability/ which has PURLs and vulnerabilities
It is not clear from reading the documentation or after uploading a BOM with vulnerabilities, that:
Steps to Reproduce:
Upload any of the examples in https://cyclonedx.org/ext/vulnerability/
Additional Details:
I think this is more of a documentation enhancement rather than a bug. There are a few places that should highlight the strict requirements (e.g. PURLs) and that there is no support for the vulnerability extension in CycloneDX.
From searching the docs, these are some places where I think might make sense, perhaps there are other good spots as well:
In places where it is noted that DependencyTrack uses PURLs, there should be an emphasis on the requirement. For example, this line with "relies":
Could be changed to "requires" :
The text was updated successfully, but these errors were encountered: