The internal analyzer is not detecting vulnerabilities in Dependency Track #2797

Open
2 tasks done
Souhila99 opened this issue May 31, 2023 · 0 comments
Labels
defect Something isn't working in triage

Comments

@Souhila99

Souhila99 commented May 31, 2023

Current Behavior

When I upload an SBOM that contains internal components and third-party packages (e.g. Debian), no vulnerabilities are shown for the created project.
Note that I have enabled OSS Index and I have added the Sonatype account.
I did a test with an SBOM that contains Python packages, and vulnerabilities are detected by the OSS Index analyzer. So the issue is related to the internal analyzer.

Steps to Reproduce

  1. Upload an SBOM that contains some Debian packages that are vulnerable.
  2. After the VulnerabilityAnalysis task is done, check whether the project contains vulnerabilities.

Expected Behavior

The vulnerabilities should be shown for the created project.

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

Checklist
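The two reproduction steps above can be driven through the Dependency-Track REST API rather than the UI, which makes it easier to tell whether the analysis ran at all and which components got findings. The script below is an added example, not code from the issue or from the Dependency-Track project. It assumes the instance URL, an API key with BOM upload and view permissions, and the target project UUID are supplied in the `DT_URL`, `DT_API_KEY` and `DT_PROJECT_UUID` environment variables (names chosen here, not Dependency-Track conventions). The Debian package entries are constructed sample data; their versions are illustrative, not a claim that they are vulnerable. One practical check it adds: NVD records are keyed by CPE, so a component that carries only a `pkg:deb` purl and no `cpe` cannot be matched against NVD data and will only be found through purl-keyed advisory sources; the script lists such components before uploading.

```python
"""Reproduce the report's two steps against a Dependency-Track instance:
upload a CycloneDX SBOM of Debian packages, wait for the BOM processing
token to clear, then list the project's findings per component.
Standard library only; the REST paths used are PUT /api/v1/bom,
GET /api/v1/bom/token/{token} and GET /api/v1/finding/project/{uuid}."""
import base64
import json
import time
import urllib.request

# Constructed sample: Debian packages identified by Package URL. The
# version strings are illustrative only. The '+' in a Debian version
# string must be percent-encoded inside a purl.
SAMPLE_COMPONENTS = [
    {"name": "openssl", "version": "1.1.1n-0+deb11u3",
     "purl": "pkg:deb/debian/openssl@1.1.1n-0%2Bdeb11u3?arch=amd64&distro=debian-11",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1n:*:*:*:*:*:*:*"},
    {"name": "libc6", "version": "2.31-13+deb11u5",
     "purl": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u5?arch=amd64&distro=debian-11"},
]


def build_bom(components, serial="urn:uuid:00000000-0000-0000-0000-000000000001"):
    """Return a minimal CycloneDX 1.4 JSON BOM as a dict. Each component
    gets its purl and, when one is known, its CPE, so that CPE-keyed
    (NVD) data has something to match."""
    bom_components = []
    for c in components:
        entry = {"type": "library", "name": c["name"],
                 "version": c["version"], "purl": c["purl"]}
        if c.get("cpe"):
            entry["cpe"] = c["cpe"]
        bom_components.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "serialNumber": serial, "version": 1, "components": bom_components}


def components_without_cpe(bom):
    """Names of components that carry no CPE; these can only be matched by
    purl-keyed advisory data, never by NVD's CPE-keyed records."""
    return [c["name"] for c in bom["components"] if "cpe" not in c]


def upload_payload(project_uuid, bom):
    """JSON body for PUT /api/v1/bom: the BOM travels base64-encoded."""
    raw = json.dumps(bom).encode()
    return {"project": project_uuid, "bom": base64.b64encode(raw).decode()}


def summarize_findings(findings):
    """Map component name -> sorted vulnerability IDs, from the shape of a
    /api/v1/finding/project response (each item has component + vulnerability)."""
    out = {}
    for f in findings:
        out.setdefault(f["component"]["name"], set()).add(f["vulnerability"]["vulnId"])
    return {name: sorted(ids) for name, ids in out.items()}


class DependencyTrack:
    """Thin client over the three endpoints the reproduction needs."""

    def __init__(self, base_url, api_key):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"X-Api-Key": self.api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"null")

    def upload_bom(self, project_uuid, bom):
        return self._request("PUT", "/api/v1/bom", upload_payload(project_uuid, bom))["token"]

    def wait_for_processing(self, token, attempts=60, delay=2.0):
        # The token reports processing=true until the upload's event chain,
        # including the vulnerability analysis it triggers, has finished.
        for _ in range(attempts):
            if not self._request("GET", f"/api/v1/bom/token/{token}")["processing"]:
                return True
            time.sleep(delay)
        return False

    def findings(self, project_uuid):
        return self._request("GET", f"/api/v1/finding/project/{project_uuid}")


if __name__ == "__main__":
    import os
    dt = DependencyTrack(os.environ["DT_URL"], os.environ["DT_API_KEY"])
    project = os.environ["DT_PROJECT_UUID"]
    bom = build_bom(SAMPLE_COMPONENTS)
    print("components with purl only (no NVD/CPE match possible):",
          components_without_cpe(bom))
    token = dt.upload_bom(project, bom)
    if not dt.wait_for_processing(token):
        raise SystemExit("BOM processing did not finish in time")
    print(json.dumps(summarize_findings(dt.findings(project)), indent=2))
```

An empty summary after the token has cleared, for a project whose components all carry CPEs, points at the analyzer or the vulnerability database mirror rather than at the upload; an empty summary for purl-only components is expected whenever the only populated datasource is NVD.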
