-
-
Notifications
You must be signed in to change notification settings - Fork 583
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
system wide vulnerability management #1495
Comments
Thanks for the suggestions. Global auditing of vulnerabilities was supported from v1.0 to v3.8 and was removed in v4.0. This was a much needed change that opens up new use cases never previously possible. One of the many issues with global auditing is that it's not possible to rely on a components cpe, purl, or coordinates for identity. These were hard lessons learned from older versions of DT. So more in-depth analysis of the components provenance, pedigree, and resulting hash values are necessary to determine if a component is the same or not. This is logic the database layer will not be able to perform, thus would have a big impact on the DT application itself if implemented. For these scenarios, many orgs assume the risk of misidentification and use simple scripts to automatically suppress findings across all projects, and have a way (based on expiration time) to un-suppress findings. Such a script could easily be created in a few minutes. There should be no reason why orgs have to manually suppress findings across their portfolio of projects. I like the idea of having a global view of suppressed findings and a way for a centralized security team to manage that. Many orgs currently use general purpose BI tools to obtain this type of data and present in custom dashboards. But this specific capability would be a welcome addition to DT. |
Thanks. I was thinking about a new "allowlist" feature...for example:
---> CI pipeline not blocked anymore. From allowlist tab you can also delete/list allowed vulnerabilities. Regards the "scripts automation" solution, do you have something ready (or just an example) in order to avoid to reinvent the wheel? |
Oh, an allowlist. Thats interesting. Never occurred to me. Will need to give that some thought. Possibly doable. I don't have any scripts handy, however, I know folks in the Slack channel have created similar script previously. Some may be able to share. https://dependencytrack.org/slack/invite |
We have a bit similar situation but in our case it's the OS level vulnerabilities that we'd like to "disable" based on our own criteria. For example CVE-2021-3711 is found in most of our projects from the base image even though it's already fixed in the Debian package we use. I think in both of these cases there would need to be a way to modify the vulnerability itself in DependencyTrack. We would like to add some exclusion rule like if the package version is 1.1.1d-0+deb10u7 or higher then DependencyTrack wouldn't attach the vulnerability even if the CPE from NVD matches. In @bovy89's case there could be a way to mark the vulnerability itself as excluded or attach an exclusion rule with a wildcard match to it. |
DT v4.5 will have the ability to add/edit private vulnerabilities. However, the functionality is scoped to only private vulns and not vulns retrieved from public sources (e.g NVD). If we added the ability to modify public vulns, the edits would get overwritten whenever the next synchronization occurs. So modifying the affected components isn't really an option. I do like the idea of having an exclusion rule or list which would be maintained independently of the vulnerability itself. @eldis80 in your case, would you want the ability to openly allow Additionally, do you want an automated analysis decision and audit trail made for every affected component in every project? For example, CVE-2021-3711 would be identified on the component, but an automated analysis decision would have been made marking the finding as 'not an issue' with an explanation that it was in the allow list, and the finding being suppressed so that metrics are not impacted? |
@stevespringett We don't want to openly allow it in every project but rather add some exclusion rule based on PURL/CPE. I think we'd prefer that the vulnerability wouldn't even get attached to project/components if the exclusion rule matches. We currently have a script we can use to suppress the findings but it reappears whenever there's a new version of the openssl Debian package and therefore a new component for the project. It doesn't happen very often in this case but the script can only be run retroactively so it's a bit of a PITA. |
Any update on that? (at least a global allowlist) |
Another example of CVE affecting a multitude of projects where a global allowlist would be useful: FasterXML/jackson-databind#3590 |
We'd also love a centralized way to whitelist vulnerabilities for multiple projects, but not necessarily all. So we'd definitely like this system wide ignore list to have some kind of filter for vulnerabilities. Managing 'unfixable' vulnerabilties centralized within Dependency-Track would be definitely be more elegant than a DIY script. At the very least placed before metrics get calculated and notifications sent out. |
IMO for use-cases like this one (and many others, like policies) we need something like OPA. Some form of lightweight, sandboxed script or DSL. Otherwise we'll end up in configuration-/input-field-hell. I built an external integration that uses OPA to make automatic analysis decisions (https://github.com/nscuro/dtapac), precisely for the reason that allowlists and denylists do not work in practice. There are many factors that can go into an analysis decision, and oftentimes you want the decision to be scoped, like @SaberStrat is implying. OPA can be embedded into Go applications, or used as an external service. DT is a Java application, and adding yet another external service is most likely not something we want, so maybe alternatives like GraalVM's JavaScript could work. |
I think a global suppress/exclude/whitelist list would already be very helpful and is easy to implement and use. A scripting framework sounds harder to implement and also harder to use. Not everyone dealing with these audit decisions is able to or willing to write scripts to "simple exclusions". |
Having this webhook mechanism is indeed a nice way of handling decisions based on several inputs but having a global static filter on the dependencytrack side would ease management of global unwanted findings |
@nscuro I’d take what I can get. If it’s a scripting field, so be it. Though I can’t tell which would be truly easier to implement and use in practice. |
Dependency-Track is a wonderful project but this is a huge pain point that leads to many many false positives being presented in the interface which leads to a lot of cleanup work (since obviously auditors want to see accurate data! among other reasons). I also have the problem of multiple "false positive" CVEs detected across a large number of projects and there's no easy way to manage all of them at once. Ideally there'd be a sort of checkbox next to each CVE for each project in a global vulnerability view where you could choose which projects you wanted to manage the status of the CVE for and then mass edit those projects to suppress/validate etc. I see there is a PR in the works with some enhancements on the way but I think bulk-management should be apart of that PR/enhancement. |
We are in a situation where we use one library in many projects which has many versions (and more to come). Due to bad NVD and OSSIndex metadata the component associated with a CVE which is clearly wrong (apparently the maximum version is not taken into account). Therefore it would be useful to add global suppressions, similar as it's possible in Dependecy Check but may be a bit more fine-grained. |
These two things would help me either:
When using OWASP dependency-check I can provide suppressions via xml file as described in #2579 but there is no equivalent available on DT. |
Hey all, we're currently looking into this and have put some documentation down here: DependencyTrack/hyades#930 High-level overview:
Feedback and any kind of feedback would be much appreciated! :) |
Hi,
I would congratulate with you because that is a great project but I'm going to describe some "usability problems" that for me needs an improvement to make this project even better:
Our environment:
- use cases:
Usability problems:
The text was updated successfully, but these errors were encountered: