
Components get deleted in update #4175

Closed
2 tasks done
Gepardgame opened this issue Sep 26, 2024 · 3 comments · Fixed by #4208
Labels: defect (Something isn't working), good first issue (Good for newcomers), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
Comments

@Gepardgame
Contributor

Gepardgame commented Sep 26, 2024

Current Behavior

If you update an internal vulnerability with components, the components will no longer be shown.

Steps to Reproduce

  1. Create an internal vulnerability with one or more affected components.
  2. Open the vulnerability(View details) and click the "Update" Button
  3. Reload site and open Vulnerability again and go to Affected Components tab
  4. Wonder why there are no components

Expected Behavior

Components should be shown, even if the vulnerability gets updated.

The problem is in the code at VulnerabilityQueryManager.java#L798. I don't know where the attribution would be reported again.

Dependency-Track Version

4.12.0-SNAPSHOT

Dependency-Track Distribution

Executable WAR

Database Server

H2

Database Server Version

No response

Browser

N/A

@Gepardgame Gepardgame added the defect (Something isn't working) and in triage labels Sep 26, 2024
@Gepardgame
Contributor Author

@sahibamittal You implemented this function. The old source is INTERNAL and the new one is INTERNAL, which leads to the deletion of the attributes, even though it is still relevant. I can imagine that this has been implemented to prevent duplications, but I don't know for sure.

@nscuro
Member

nscuro commented Sep 27, 2024

I suspect that we don't create AffectedVersionAttributions for manually created VulnerableSoftware records.

Then when it comes to reconcileVulnerableSoftware, manually created VulnerableSoftwares end up in this branch:

    if (attributions.isEmpty()) {
        // DT versions prior to 4.7.0 did not record attributions.
        // Drop the VulnerableSoftware for now. If it was previously
        // reported by another source, it will be recorded and attributed
        // whenever that source is mirrored again.
        continue;
    }

@nscuro nscuro added the p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), good first issue (Good for newcomers) and size/S (Small effort) labels and removed the in triage label Sep 27, 2024
@Gepardgame
Copy link
Contributor Author

That is not the problem, but the source is the same, so

    final boolean previouslyReportedBySource = attributions.stream()
            .anyMatch(attr -> attr.getSource() == source);

is true, which deletes the attribute and does not add it to vsList.
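
The decision the two comments above walk through, as a constructed Java model added here for illustration. It is not Dependency-Track code and not the change in #4208: VulnerableSoftware, AffectedVersionAttribution, Source, Vulnerability and recordFromSource are stand-ins that carry only the fields this walkthrough needs, the "membership guard" is one possible way of keeping still-submitted records that I chose for the comparison, and the package URL and version range are made-up input.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Constructed model of the stale-record decision discussed in this issue.
 * Not Dependency-Track code: the types below are stand-ins named after the
 * ones in the thread and carry only what this walkthrough needs.
 */
public class ReconcileDemo {

    enum Source { NVD, INTERNAL }

    /** Stand-in for a VulnerableSoftware record: one affected package and version range. */
    record VulnerableSoftware(String purl, String versionRange) { }

    /** Stand-in for AffectedVersionAttribution: which source reported a given record. */
    record AffectedVersionAttribution(Source source, VulnerableSoftware vs) {
        Source getSource() { return source; }
    }

    /** Stand-in for the vulnerability: its affected records and their attributions. */
    static class Vulnerability {
        final List<VulnerableSoftware> vsList = new ArrayList<>();
        final List<AffectedVersionAttribution> attributions = new ArrayList<>();

        List<AffectedVersionAttribution> getAffectedVersionAttributions(VulnerableSoftware vs) {
            return attributions.stream().filter(a -> a.vs().equals(vs)).toList();
        }
    }

    /** The re-record step a mirror runs after reconciling: store the list and attribute it to the source. */
    static void recordFromSource(Vulnerability vuln, List<VulnerableSoftware> vsListNew, Source source) {
        for (VulnerableSoftware vs : vsListNew) {
            if (!vuln.vsList.contains(vs)) {
                vuln.vsList.add(vs);
            }
            if (vuln.getAffectedVersionAttributions(vs).stream().noneMatch(a -> a.getSource() == source)) {
                vuln.attributions.add(new AffectedVersionAttribution(source, vs));
            }
        }
    }

    /**
     * Walks the existing records once, in the branch order the thread quotes:
     * no attribution -> drop; attributed to the same source -> delete the attribution
     * and do not carry the record over; otherwise keep. With guardByMembership (my own
     * addition for comparison), a record the caller still submits is kept before any of that.
     */
    static void reconcileVulnerableSoftware(Vulnerability vuln, List<VulnerableSoftware> vsListNew,
                                            Source source, boolean guardByMembership) {
        List<VulnerableSoftware> kept = new ArrayList<>();
        for (VulnerableSoftware vsOld : vuln.vsList) {
            List<AffectedVersionAttribution> attributions = vuln.getAffectedVersionAttributions(vsOld);
            if (attributions.isEmpty()) {
                continue;   // pre-4.7.0 record without attribution: dropped, as in the quoted branch
            }
            if (guardByMembership && vsListNew.contains(vsOld)) {
                kept.add(vsOld);   // still submitted in this update: keep record and attribution
                continue;
            }
            boolean previouslyReportedBySource = attributions.stream()
                    .anyMatch(attr -> attr.getSource() == source);
            if (previouslyReportedBySource) {
                vuln.attributions.removeIf(a -> a.vs().equals(vsOld) && a.getSource() == source);
                continue;   // same source: attribution deleted, record not added to the kept list
            }
            kept.add(vsOld);   // attributed only to other sources: untouched
        }
        vuln.vsList.clear();
        vuln.vsList.addAll(kept);
    }

    public static void main(String[] args) {
        // Constructed sample record; the purl and range are made up for this demo.
        VulnerableSoftware lib = new VulnerableSoftware("pkg:maven/com.example/lib", ">=1.0,<1.4");

        // Mirrored source: the record is dropped, then put back by the mirror's own re-record step.
        Vulnerability mirrored = new Vulnerability();
        recordFromSource(mirrored, List.of(lib), Source.NVD);
        reconcileVulnerableSoftware(mirrored, List.of(lib), Source.NVD, false);
        recordFromSource(mirrored, List.of(lib), Source.NVD);
        System.out.println("after NVD mirror:      " + mirrored.vsList.size() + " record(s)");

        // Internal vulnerability updated by hand: same branch, but no re-record step follows.
        Vulnerability internal = new Vulnerability();
        recordFromSource(internal, List.of(lib), Source.INTERNAL);
        reconcileVulnerableSoftware(internal, List.of(lib), Source.INTERNAL, false);
        System.out.println("after internal update: " + internal.vsList.size() + " record(s)");

        // Same update with the membership guard: the still-submitted record survives the walk.
        Vulnerability guarded = new Vulnerability();
        recordFromSource(guarded, List.of(lib), Source.INTERNAL);
        reconcileVulnerableSoftware(guarded, List.of(lib), Source.INTERNAL, true);
        System.out.println("with membership guard: " + guarded.vsList.size() + " record(s)");
    }
}
```

Run it with java ReconcileDemo.java on Java 17 or later (it uses records and Stream.toList()). The mirrored case ends with its record back in place because the mirror re-records what it reported, exactly what the quoted code comment relies on; the internal case has no such step on the update path (the reporter's "I don't know where the attribution would be reported again") and ends with an empty list, which is what the blank Affected Components tab shows; the guarded walk keeps the record because it checks whether the caller still submits it before treating same-source attribution as a reason to delete.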
