-
-
Notifications
You must be signed in to change notification settings - Fork 564
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dynamic report is not adding MD5/SHA1 correctly #20
Comments
This issue should be resolved for all new generated SHA1 hashes and corrects existing records. |
I still see a problem here, the code now adds 8 characters in order to avoid the problem of the supression.xml parser. However, this si not creating a real SHA1 nor MD5 hash. The methods setMd5() and setSha1 of the libraryVersion class are nto called anywhere. Thus, in this check dependency.setSha1sum((libraryVersion.getSha1() != null) ? libraryVersion.getSha1() : libraryVersion.getUuidAsSha1Hash()); the condition is always false and the sha1 is set as "00000000".concat(uuid.replace("-", ""));. Another point is that if this hash is the same for 2 different components, then it won't be possible to suppress a vulnerability from just one of the components. |
You're correct in that the setMd5 and setSha1 methods are never called. This will be changed by #4 . The idea is that when the Dependency-Check XML reports are imported, or when the (future) RESTful API is invoked, that the Md5 and Sha1 values will be set with real hash values. This will not only be used in the suppression file, but to assist Dependency-Track in identifying what the component is. As part of this enhancement, the values will also be settable on the add/modify form when adding a library version. I figured I'd leave the database fields (and setters/getters) in place so that I wouldn't have to worry about SQL upgrade code later on. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
I've noticed that the dynamic report created by the dependency-track does not correctly add the SHA1 and MD5 of the dependency. It adds the "libraryVersion.getUndashedUuid()" since, the libraryVersion.getSha1() is null.
I've realized about this issue when trying to suppress some vulnerabilities, because copying the suppression code into the supression.xml file cause a problem when parsing this xml (libraryVersion.getUndashedUuid() does not have 40 characters as SHA1 requests).
I've solved this updating the performAnalysis method in the DependencyCheckAnalysis class. You can see the code below:
Surely this is not the best solution, since it does not work well when a new dependency is added, but it works well with dependencies added before.
The text was updated successfully, but these errors were encountered: