
finding exports VulnerabilityAlias incorrectly because of Type erasure #2469

Closed
2 tasks done
lme-nca opened this issue Feb 8, 2023 · 1 comment
Labels
defect Something isn't working

lme-nca commented Feb 8, 2023

Current Behavior

Currently, if you export the findings of a project, for example via the findings /export endpoint, the following JSON is generated:

        "vulnerability": {
            "severity": "HIGH",
            "cvssV3BaseScore": 7.5,
            "vulnId": "CVE-2022-42004",
            "aliases": [
                {
                    "allBySource": {
                        "NVD": "CVE-2022-42004",
                        "OSV": "DSA-5283-1",
                        "GITHUB": "GHSA-rgv9-q543-rqg4"
                    },
                    "cveId": "CVE-2022-42004",
                    "ghsaId": "GHSA-rgv9-q543-rqg4",
                    "id": 8089,
                    "osvId": "DSA-5283-1"
                },
                {
                    "allBySource": {
                        "NVD": "CVE-2022-42004",
                        "OSV": "DLA-3207-1"
                    },
                    "cveId": "CVE-2022-42004",
                    "id": 38073,
                    "osvId": "DLA-3207-1"
                }
            ],
            "cweId": 502,
            "description": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
            "epssScore": 0.01108,
            "source": "NVD",
            "cwes": [
                {
                    "cweId": 502,
                    "name": "Deserialization of Untrusted Data",
                    "id": 0
                }
            ],
            "uuid": "f1fcfb1c-76db-435d-91ca-e9b0df18f7c2",
            "severityRank": 1,
            "cweName": "Deserialization of Untrusted Data",
            "epssPercentile": 0.54449
        },

Steps to Reproduce

1. call the export findings endpoint: /v1/finding/project/c6d2b597-c538-41fb-ba91-...../export
2. look at the JSON

Expected Behavior

As discussed with @nscuro on Slack (https://owasp.slack.com/archives/C6R3R32H4/p1675805664776859), it seems the allBySource and id elements should not have been included in the JSON.

After some research this seems to be caused by Java type erasure, specifically:

The FindingsQueryManager.getFindings method (used by the export endpoint) sets the vulnerabilityAliases on the Findings object directly by placing a List in the Map<String, Object> vulnerability of the Findings object (see line 279 in FindingsQueryManager).

Because the VulnerabilityAlias list object is set into the Object part of the Map, the type-specific data and annotations (such as @JsonIgnore) are lost.

I also wrote a quick test function to test this:

    import java.util.ArrayList;
    import java.util.LinkedHashMap;
    import java.util.List;
    import java.util.Map;
    import com.fasterxml.jackson.core.JsonProcessingException;
    import org.dependencytrack.model.VulnerabilityAlias;
    import org.json.JSONObject;
    import org.junit.Assert;
    import org.junit.Test;

    @Test
    public void serialises_VulnerabilityAlias() throws JsonProcessingException {
        // Build an alias with every identifier populated
        var alias = new VulnerabilityAlias();
        alias.setCveId("someCveId");
        alias.setSonatypeId("someSonatypeId");
        alias.setGhsaId("someGhsaId");
        alias.setOsvId("someOsvId");
        alias.setSnykId("someSnykId");
        alias.setGsdId("someGsdId");
        alias.setVulnDbId("someVulnDbId");
        alias.setInternalId("someInternalId");
        alias.setUuid(null);
        List<VulnerabilityAlias> list = new ArrayList<>();
        list.add(alias);

        // Place the typed list into the Object-typed map, as FindingsQueryManager does
        Map<String, Object> vulnerability = new LinkedHashMap<>();
        vulnerability.put("aliases", list);
        final JSONObject root = new JSONObject();
        root.put("vuln", vulnerability);
        String output = root.toString();

        // The assertion passes, i.e. allBySource leaks into the serialised output
        Assert.assertTrue(output.contains("allBySource"));
    }

Dependency-Track Version

4.7.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
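An added illustration, not code from this issue or from the Dependency-Track project: the posted test serialises with org.json's JSONObject, which introspects the public getters of any bean it finds inside a Map<String, Object>, so a defensive fix is to project each alias into an explicit allow-listed map before it is placed in the export structure. The Alias class below is a hypothetical stand-in for VulnerabilityAlias, and its sample values are constructed from the JSON above.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.json.JSONObject;

public class AliasExportExample {
    // Hypothetical stand-in for VulnerabilityAlias (an assumption, not the
    // project's class): like the real entity it exposes a persistence id and
    // an aggregated allBySource map through public getters.
    public static class Alias {
        private final long id;
        private final String cveId, ghsaId, osvId;
        public Alias(long id, String cveId, String ghsaId, String osvId) {
            this.id = id; this.cveId = cveId; this.ghsaId = ghsaId; this.osvId = osvId;
        }
        public long getId() { return id; }
        public String getCveId() { return cveId; }
        public String getGhsaId() { return ghsaId; }
        public String getOsvId() { return osvId; }
        public Map<String, String> getAllBySource() {
            Map<String, String> m = new LinkedHashMap<>();
            if (cveId != null) m.put("NVD", cveId);
            if (osvId != null) m.put("OSV", osvId);
            if (ghsaId != null) m.put("GITHUB", ghsaId);
            return m;
        }
    }

    // Allow-list projection: the export carries only the alias identifiers,
    // so a bean-introspecting serializer has no other getters to discover.
    public static Map<String, Object> toExportMap(Alias alias) {
        Map<String, Object> m = new LinkedHashMap<>();
        if (alias.getCveId() != null) m.put("cveId", alias.getCveId());
        if (alias.getGhsaId() != null) m.put("ghsaId", alias.getGhsaId());
        if (alias.getOsvId() != null) m.put("osvId", alias.getOsvId());
        return m;
    }

    public static void main(String[] args) {
        Alias alias = new Alias(8089, "CVE-2022-42004", "GHSA-rgv9-q543-rqg4", "DSA-5283-1");
        Map<String, Object> vulnerability = new LinkedHashMap<>();
        // Raw bean inside the Object-typed map: org.json walks every public
        // getter, so id and allBySource are serialised alongside the ids.
        vulnerability.put("aliases", List.of(alias));
        System.out.println(new JSONObject(vulnerability).toString(2));
        // Projected map: only the allow-listed keys can appear.
        vulnerability.put("aliases", List.of(toExportMap(alias)));
        System.out.println(new JSONObject(vulnerability).toString(2));
    }
}
```

Run it with org.json on the classpath and compare the two documents: the first carries the internal fields, the second only the identifiers the export is meant to expose.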

@lme-nca lme-nca added defect Something isn't working in triage labels Feb 8, 2023
@msymons msymons removed the in triage label Feb 21, 2023
@nscuro nscuro added this to the 4.8 milestone Feb 27, 2023
@nscuro nscuro closed this as completed in 26e4345 Feb 27, 2023
stephan-wolf-ais pushed a commit to AISAutomation/dependency-track that referenced this issue Mar 1, 2023
…#2471)

* fix alias mapping in export

Signed-off-by: Lars Meijers <[email protected]>

* bumped FPF version in test

Signed-off-by: Lars Meijers <[email protected]>

---------

Signed-off-by: Lars Meijers <[email protected]>

Closes DependencyTrack#2469
Hunroll pushed a commit to Hunroll/dependency-track that referenced this issue Mar 1, 2023
@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 30, 2023