CVEs showing duplicates

[aejazuddinam]

Hi @stevespringett ,

After a project is build and published in Dependency Track, we could see duplicate CVEs reported on the application as well components are duplicated which makes the vulnerabilities number increased. Is this the normal behavior of Dependency track tool ?

Regards,
Aejaz

[msymons]

For commons-beanutils there should not be a repetition of CVE-2019-10086 for component version 1.9.3. Possibly the results were viewed in DT too soon after upload and before the analysis results had "settled down"?

Seeing a commons-beanutils 1.9.2 and a 1.8.0 is very common and indicates that there is a dependency-version clash in the project. My projects generate shaded jars and examination of build log shows that only one version of the beanutils (or whatever) is included in the shaded jar. Furthermore, in my experience, it is almost always that latest version that is included. But not always. And that is why I advise checking for duplicate versions and addressing them via dependencyManagement.

The examples you give above prove that Dependency-Track will display duplicates. But it does not specifically call them out... which can be a pain in a project with hundreds of components.

Thus, I use cyclonedx-cli tool. Using a real example to illustrate:

$ ./cyclonedx-win-x86.exe analyze --input-file bom.xml --output-format text --multiple-component-versions
Analysis results for [email protected]:
BOM Serial Number: urn:uuid:a21f0529-ef20-4e87-9544-d3a6b44d78d3
BOM Version: 1
Timestamp: 24/09/2021 16:43:26

Components with multiple versions:

commons-codec:commons-codec versions: 1.15 1.10

Note that the reporting of the presence of multiple versions here proves that what you are seeing is in the BOM itself and that Dependency-Track has reported things correctly.

Although the clash might be resolved by a simple addition to dependencyManagement you might also want to know WHERE the clash came from.

• Your IDE might have help for you, such as this for IntelliJ.
• Your build log can give you the info, using dependency:tree
• BOMs from cyclonedx-maven-plugin contains dependency relationships down at the bottom of the BOM.
• Dependency-Track v4.3.x will take this info from the BOM and render it as a graph. The implementation is currently an MVP and only goes a couple of levels deep... so it might not reveal the source of your beanutils. But it's a great start.

[aejazuddinam]

Hi @msymons ,
No the results were not viewed in DT too soon after upload and before the analysis results had "settled down", the results are same after many attempts and waiting period in DT.

My project has multiple components 100+, the above was few of the vuln. example, there are many apart from that jackson-databind, httpclient, guava etc (total ranging from 100-300+ for different projects)