
VDR erroneously includes full SBOM inventory #2788

Closed
2 tasks done
stevespringett opened this issue May 25, 2023 · 2 comments · Fixed by #2878
Labels
defect Something isn't working
Milestone

Comments

@stevespringett (Member)

Current Behavior

When exporting a VDR, the entire inventory is exported whether the components are affected by vulnerabilities or not.

Steps to Reproduce

  1. Export VDR from the UI

Expected Behavior

The VDR should only contain components that are affected by a vulnerability, not the full inventory.

Dependency-Track Version

4.8.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

@stevespringett stevespringett added defect Something isn't working in triage labels May 25, 2023
@nscuro nscuro removed the in triage label May 25, 2023
@nscuro nscuro added this to the 4.9 milestone May 25, 2023
nscuro added a commit to nscuro/dependency-track that referenced this issue Jul 8, 2023
@nscuro (Member) commented Jul 8, 2023

@stevespringett I raised #2878 to address this. Problem is that filtering components like this will inevitably break the dependency graph.

Few ideas how to handle that:

  1. Don't. Just accept that the graph will have holes.
  2. Remove the dependency graph entirely from VDR exports.
  3. Attempt to close the gaps by re-wiring broken edges to the next-best candidate (i.e., connect transitive dependency to root node when direct dependency was filtered out); Could become quite expensive for large projects with complex graphs.

In any case, I reckon we could make use of compositions to signal that something is missing. Question is, do we need to "fix" broken graphs?

@github-actions (Contributor)

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 14, 2023