Description
Current Behavior
Hi DT community,
DT no longer finds CVEs in the attached SBOM. I've already analyzed it a little and found out that the recent changes in AbstractVulnerableSoftwareAnalysisTask are probably causing this. It seems the purlType never gets set in VulnerableSoftware.java.
This is the problematic call stack:
```
VulnerableSoftware.getPurlType() (c:\repos\dependency-track\src\main\java\org\dependencytrack\model\VulnerableSoftware.java:283)
VulnerableSoftware.buildVersFromFields() (c:\repos\dependency-track\src\main\java\org\dependencytrack\model\VulnerableSoftware.java:197)
VulnerableSoftware.getVers() (c:\repos\dependency-track\src\main\java\org\dependencytrack\model\VulnerableSoftware.java:255)
AbstractVulnerableSoftwareAnalysisTask.comparePurlVersions(VulnerableSoftware,Version) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\scanners\AbstractVulnerableSoftwareAnalysisTask.java:167)
AbstractVulnerableSoftwareAnalysisTask.analyzePurlVersionRange(QueryManager,List,PackageURL,String,Component,VulnerabilityAnalysisLevel) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\scanners\AbstractVulnerableSoftwareAnalysisTask.java:94)
AbstractVulnerableSoftwareAnalysisTask.analyzeVersionRange(QueryManager,List,Cpe,PackageURL,String,Component,VulnerabilityAnalysisLevel,boolean) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\scanners\AbstractVulnerableSoftwareAnalysisTask.java:72)
InternalAnalysisTask.versionRangeAnalysis(QueryManager,Component) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\scanners\InternalAnalysisTask.java:158)
InternalAnalysisTask.analyze(List) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\scanners\InternalAnalysisTask.java:91)
InternalAnalysisTask.inform(Event) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\scanners\InternalAnalysisTask.java:65)
VulnerabilityAnalysisTask.analyzeComponents(QueryManager,Collection,VulnerabilityAnalysisLevel) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\VulnerabilityAnalysisTask.java:288)
VulnerabilityAnalysisTask.analyzeProject(QueryManager,Project,VulnerabilityAnalysisLevel) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\VulnerabilityAnalysisTask.java:167)
VulnerabilityAnalysisTask.analyzeProject(UUID,VulnerabilityAnalysisLevel) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\VulnerabilityAnalysisTask.java:201)
VulnerabilityAnalysisTask.inform(Event) (c:\repos\dependency-track\src\main\java\org\dependencytrack\tasks\VulnerabilityAnalysisTask.java:86)
BaseEventService.lambda$publish$0(Class,Event) (\alpine-infra-3.5.1.jar\alpine.event.framework\BaseEventService.class:69)
0x000001eacca7d000.run() (Unknown Source:-1)
ThreadPoolExecutor.runWorker(ThreadPoolExecutor$Worker) (\java.base\java.util.concurrent\ThreadPoolExecutor.class:1144)
ThreadPoolExecutor$Worker.run() (\java.base\java.util.concurrent\ThreadPoolExecutor.class:642)
Thread.runWith(Object,Runnable) (\java.base\java.lang\Thread.class:1596)
Thread.run() (\java.base\java.lang\Thread.class:1583)
```
Steps to Reproduce
- You have to enable all 3 fuzzy matching settings under Administration -> Analyzers -> Internal -> Enable the three topmost switches.
- Make a breakpoint in AbstractVulnerableSoftwareAnalysisTask at line 94: "if (comparePurlVersions(vs, version))"
- Create a random project and upload the attached SBOM
- The code at the breakpoint will always return false
Expected Behavior
The code below the if condition gets executed and the vulnerability is added.
Dependency-Track Version
4.14.0-SNAPSHOT
Dependency-Track Distribution
Executable WAR
Database Server
H2
Database Server Version
No response
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
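As an added illustration of the failure mode described in this issue (not code from the issue itself or from Dependency-Track's source), the following hypothetical Java sketch models the chain the call stack shows: a vers string is built from a record's range fields using its PURL type as the scheme, and the version-range comparison is evaluated against that string. The class, field and method names (`Range`, `buildVers`, `matchesSilently`, `matchesOrWarn`) are stand-ins chosen for this example, and the version comparator is a deliberately simple constructed one. The point it demonstrates is the defender-side consequence: when `purlType` is absent, a comparison that merely returns `false` drops the finding with no trace, whereas surfacing the unevaluable range makes the false negative visible.

```java
// Added example, not Dependency-Track code. All names below are hypothetical
// stand-ins for the VulnerableSoftware range fields named in the issue.
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

public class PurlRangeDemo {

    /** Hypothetical stand-in for the range fields of a VulnerableSoftware record. */
    static final class Range {
        String purlType;              // the field the issue says is never populated
        String versionStartIncluding; // lower bound, inclusive (may be null)
        String versionEndExcluding;   // upper bound, exclusive (may be null)
    }

    /** Returns a vers string ("vers:<scheme>/<constraints>"), or empty when the PURL type is absent. */
    static Optional<String> buildVers(Range r) {
        if (r.purlType == null || r.purlType.isBlank()) {
            return Optional.empty();
        }
        List<String> parts = new ArrayList<>();
        if (r.versionStartIncluding != null) parts.add(">=" + r.versionStartIncluding);
        if (r.versionEndExcluding != null) parts.add("<" + r.versionEndExcluding);
        if (parts.isEmpty()) return Optional.empty();
        return Optional.of("vers:" + r.purlType + "/" + String.join("|", parts));
    }

    /** Compares dotted numeric versions; a constructed comparator for this demonstration only. */
    static int compare(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    /** Evaluates the constraints of a vers string against a component version. */
    static boolean matches(String vers, String version) {
        String constraints = vers.substring(vers.indexOf('/') + 1);
        for (String c : constraints.split("\\|")) {
            if (c.startsWith(">=")) {
                if (compare(version, c.substring(2)) < 0) return false;
            } else if (c.startsWith("<")) {
                if (compare(version, c.substring(1)) >= 0) return false;
            }
        }
        return true;
    }

    /**
     * Silent variant: mirrors the reported behaviour, where a missing purlType makes
     * the check return false and the finding is dropped without any trace.
     */
    static boolean matchesSilently(Range r, String version) {
        return buildVers(r).map(v -> matches(v, version)).orElse(false);
    }

    /**
     * Loud variant: the same check, but a range that cannot be evaluated is recorded
     * so a false negative in vulnerability matching does not go unnoticed.
     */
    static boolean matchesOrWarn(Range r, String version, List<String> log) {
        Optional<String> vers = buildVers(r);
        if (vers.isEmpty()) {
            log.add("cannot build vers: purlType missing for range "
                    + r.versionStartIncluding + " .. " + r.versionEndExcluding);
            return false;
        }
        return matches(vers.get(), version);
    }

    public static void main(String[] args) {
        Range r = new Range();
        r.versionStartIncluding = "1.0.0";   // constructed sample bounds
        r.versionEndExcluding = "2.0.0";
        // purlType deliberately left null to mimic the reported state
        System.out.println("silent: " + matchesSilently(r, "1.5.0"));   // false, no explanation
        List<String> log = new ArrayList<>();
        System.out.println("loud:   " + matchesOrWarn(r, "1.5.0", log) + " " + log);
        r.purlType = "maven";                // constructed value; with the type set the range matches
        System.out.println("fixed:  " + matchesSilently(r, "1.5.0"));   // true
    }
}
```

Running `main` shows the same component version matched or not depending solely on whether the PURL type was populated, which is why the breakpoint at `comparePurlVersions` in the steps above always observes `false`: the range itself is fine, but the scheme needed to express it is missing. A log line or metric at that point is what lets an operator notice that an analyzer is silently producing no findings rather than genuinely finding nothing.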