Dependentry track - getting 0 vulnerability

[nagmashaikh1]

Dependency track - 4.3.6
docker
jenkins
dotnet cyclone dx 2.3.0

I am generating bom.xml file using dotnet cyclonedx command and uploading that to dependencytrack using jenkins pipeline.

I am getting 0 vulnerabilities for the 9 components detected.
I have sonatype oss index enabled.

When i check on sonatype oss index I can see a vulnerability for the itext component for the version i am using in my project.

Why i can see vulnerability in oss index for that component version and not getting that in dependency track project.

[redaabdellah21]

@nagmashaikh1 did you take a look at docker logs? is there any error regarding the treatment of the BOM?

i had a similar problem when using a dotnet BOM. it was because a field length in the postgresql component "publisher field".
otherwise, verify that the bom gives the right PURL, sonatype uses the PURL to check for vulnerabilities (don't think this is the problem, it seems to give the version)

[nagmashaikh1]

Hi @redaabdellah21 ,
I checked docker logs and don't see any error. I have removed my project id here below. But it is not giving me any error regarding postgres. Any other logs that i can check?

13:07:06.786 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: project_id
13:07:07.036 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: project_id
13:07:07.064 INFO [BomUploadProcessingTask] Processed 9 components and 0 services uploaded to project
13:07:07.070 INFO [InternalAnalysisTask] Starting internal analysis task
13:07:07.075 INFO [InternalAnalysisTask] Internal analysis complete
13:07:07.126 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
13:07:07.133 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
13:07:07.134 INFO [PolicyEngine] Evaluating 9 component(s) against applicable policies
13:07:07.184 INFO [PolicyEngine] Policy analysis complete

[redaabdellah21]

is it possible to share your BOM so DT developpers can try to reproduce the incident?

[nagmashaikh1]

Hi @redaabdellah21

You can try with this bom.xml. Rename txt file to xml format.
bom.txt

[redaabdellah21]

I got the same results @nagmashaikh1. the only difference i can see is the vulnerabiliti identifier. it is not the typical CVE--.

i am not sure i can help you more since i don't fully understand how their analyzes and sources work.

[nagmashaikh1]

Hi, @redaabdellah21

Did you also get 0 vulenrabilities? what is the differnece in vulnerability idenfitfier?

[redaabdellah21]

Hi,
yes i have got 0 vulnerabilities. i tried looking the component up in NVD databse.
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Aitextpdf&cpe_product=cpe%3A%2F%3A%3Aitext&cpe_version=cpe%3A%2F%3Aitextpdf%3Aitext%3A5.5.12

check this URL and see if it is the exact component. if yes add the cpe manually cpe:2.3:a:itextpdf:itext:5.5.12:::::::*
i know this does not solve the problem of DT not getting vulnerabilities but...

i am used to vulnID's being in the form of CVE--. sonatype is giving a vulnID like sonatype--. which i haven't yet seen.

[nagmashaikh1]

Hi @redaabdellah21

I did not add the cpe, but i can see the dt project is automatically updated and i can see vulnerability for one component [email protected].

I did not run the analysis again. Only one thing i did yesterday, i only turned off and then on the OSS index analyser. But why the attributed on field shows today's date, when i did not run the analysis again today?
Can you explain?

[redaabdellah21]

not able to reproduce, even though i used my sonatype email and api key. is there anything else to do?

to my knowledge, DT checks vulnerabilities at least once every 24h. it is automated that way because analysis may be an expensive task (in terms of ressources) so you don't have to launch the analysis manually to get new vulnerabilities, it does it for you.

it is attributed on today, cause DT checked it today.

maybe i am wrong, i hope a contributer reads this and confirms.

[nagmashaikh1]

@redaabdellah21 Other than oss analyser, nothing else to do.

I agree it could be because of DT checking vulnerability every 24 hrs. But i think it should have reflected yesterday also, since i have been trying it for two days.

Hope one of the contributors confirm this on this here.

Thanks for your help and efforts here.

[redaabdellah21]

with pleasure @nagmashaikh1

[nscuro]

OSS Index recently introduced some major changes.

One of the changes listed in that post is:

OSS Index will provide not just public vulnerability data, but also some of our proprietary data generated by our 65+ person research team and our Nexus Intelligence engine

That proprietary data is what you see labeled with SONATYPE- IDs. What the post fails to mention is that this data is only available to authenticated users of their API. DT has OSS Index enabled per default, but obviously in an unauthenticated manner. DT logs a warning for this every time an OSS Index analysis is performed:

An API username or token has not been specified for use with OSS Index. Using anonymous access

Once you provide API credentials, DT will be able to consume the proprietary data from OSS Index.

I will make sure to include this in our documentation.

[nagmashaikh1]

Yes, post using proper API username/token is what got the proprietary data. This was missing in document understanding.
Thanks @nscuro

[redaabdellah21]

@nscuro is it normal that vulnerabilities found by sonatype oss index don't show in the exploit predictions graph?