VULNERABILITY.SEVERITY should be updated in database #2474 #3151
Thanks for the PR @mge-mm, I'll get this reviewed over the weekend.
Have you tested how long this takes on an instance that has the entire NVD (and / or GitHub Advisories, OSV) mirrored? Because the DB upgrades are executed before health and liveness checks are registered, a prolonged upgrade could cause issues with Kubernetes deployments.
Hello @nscuro,
Also fixed:
* services not being cloned, despite `includeServices` being set to `true`.
* ACLs not being enforced for the `/clone` endpoint
And added tests for cloning that were previously missing.
Signed-off-by: nscuro <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
A (more or less intentional) regression in Jackson 2.15 causes `@JsonIgnore` annotations on `transient` fields to be ignored. As a workaround, the annotation can be added to getters and setters instead (FasterXML/jackson-databind#3909 (comment)).
Signed-off-by: nscuro <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
Bumps debian from `0941f9e` to `3fd8144`.
---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
Signed-off-by: Niklas <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Overriding the default `alpine_` prefix. Support for API key prefixes was added in stevespringett/Alpine#496 Signed-off-by: nscuro <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Removes `alpine.enforce.authentication` and `alpine.enforce.authorization` from `application.properties` and documentation. Setting those values to `false` is not supported. Fixes DependencyTrack#3043
Signed-off-by: nscuro <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
Signed-off-by: nscuro <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.0.0...v4.1.0)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.12.0 to 3.13.0.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@v3.12.0...v3.13.0)
---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Marlon Gaethje <[email protected]>
VEX documents are scoped to projects, and do not contain individual components. It makes no sense to include the dependency graph. This was a regression introduced in DependencyTrack#2657 Signed-off-by: nscuro <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Regression introduced in DependencyTrack#2966 Signed-off-by: nscuro <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Signed-off-by: nscuro <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Update cyclonedx-core-java to 8.0.0. Previous version used was SNAPSHOT, so changes have already been tested. Signed-off-by: Mark Symons <[email protected]> Signed-off-by: Marlon Gaethje <[email protected]>
Signed-off-by: mge-mm <[email protected]>
Hi @nscuro,
It takes about 15 secs to upgrade all Null severities with entire NVD mirrored.
Thanks @mge-mm! Could you perhaps rebase your changes on top of the current I think during commit sign-off there have been some unwanted modifications of unrelated commits, which I'm afraid I cannot merge like this.
@nscuro I had to recreate these changes on a new branch. Neither IntelliJ nor TortoiseGit was able to reset Marlon's branch to a clean state to work from or properly rebase it on the latest master. This was the most buggy rebase I ever saw when I tried :D. Please close this PR and instead check the new PR #3287.
Description
The severity value of a vulnerability is now calculated before creating the vulnerability. With this change, it is impossible that the severity field of a vulnerability is null in the database when a vulnerability is created.
This PR adds an upgrade script (v4110) which recomputes all vulnerability severity values in the database that are NULL and updates them. This is necessary because there are existing vulnerabilities in the database which have a severity value of NULL. These vulnerabilities are not affected by the changes above and their severity values have to be recalculated separately.
Addressed Issue
#2474
Checklist
- [ ] This PR fixes a defect, and I have provided tests to verify that the fix is effective
- [ ] This PR implements an enhancement, and I have provided tests to verify that it works as intended
- [ ] This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
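As an added illustration of the two changes described in this PR (not Dependency-Track's own code), the following Python sketch computes the severity before a vulnerability row is inserted and then runs a NULL-only backfill of the same shape as the v4110 upgrade step against an in-memory SQLite table. The table and column names, the v3-over-v2 precedence and the INFO/UNASSIGNED fallbacks are assumptions, and the rows are constructed for the demo.

```python
import sqlite3
def severity_from_score(score, version):
    """Qualitative bands: CVSS v3.x per the spec, v2 as NVD applies them (v2 has no CRITICAL)."""
    if version == 3 and score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score >= 0.1 else "INFO"  # 0.0 ("None" in the spec) -> INFO is an assumption

def compute_severity(cvss_v3, cvss_v2):
    """Prefer v3, fall back to v2, else UNASSIGNED (assumed precedence). Never returns None."""
    if cvss_v3 is not None:
        return severity_from_score(cvss_v3, 3)
    if cvss_v2 is not None:
        return severity_from_score(cvss_v2, 2)
    return "UNASSIGNED"

def new_db():
    conn = sqlite3.connect(":memory:")  # stand-in schema; table and column names are assumed
    conn.execute("CREATE TABLE VULNERABILITY (VULNID TEXT PRIMARY KEY, "
                 "CVSSV3BASESCORE REAL, CVSSV2BASESCORE REAL, SEVERITY TEXT)")
    return conn

def create_vulnerability(conn, vuln_id, cvss_v3, cvss_v2):
    """Post-fix insert path: severity is computed before the row is written, so it is never NULL."""
    sev = compute_severity(cvss_v3, cvss_v2)
    conn.execute("INSERT INTO VULNERABILITY VALUES (?, ?, ?, ?)", (vuln_id, cvss_v3, cvss_v2, sev))
    return sev

def upgrade_null_severities(conn):
    """Stand-in for the v4110 upgrade step: rewrite only rows whose SEVERITY is NULL."""
    rows = conn.execute("SELECT VULNID, CVSSV3BASESCORE, CVSSV2BASESCORE "
                        "FROM VULNERABILITY WHERE SEVERITY IS NULL").fetchall()
    for vuln_id, v3, v2 in rows:
        conn.execute("UPDATE VULNERABILITY SET SEVERITY = ? WHERE VULNID = ?",
                     (compute_severity(v3, v2), vuln_id))
    conn.commit()
    return len(rows)  # number of legacy rows repaired

def run_demo():
    # Constructed legacy data: three NULL severities plus one row that is already populated.
    conn = new_db()
    conn.executemany("INSERT INTO VULNERABILITY VALUES (?, ?, ?, ?)", [
        ("VULN-1", 9.8, 10.0, None), ("VULN-2", None, 5.0, None),    # v3 wins; v2 fallback
        ("VULN-3", 3.1, None, "LOW"), ("VULN-4", None, None, None)])  # left alone; no scores
    updated = upgrade_null_severities(conn)
    nulls = conn.execute("SELECT COUNT(*) FROM VULNERABILITY WHERE SEVERITY IS NULL").fetchone()[0]
    return updated, nulls, dict(conn.execute("SELECT VULNID, SEVERITY FROM VULNERABILITY"))
```

Running `run_demo()` repairs exactly the three NULL rows, leaves the pre-populated row untouched, and leaves no NULL severity behind, which is the invariant the upgrade script is meant to restore.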