Add support for importing vulnerabilities in BOMs #2951

Open · LapNik wants to merge 1 commit into base: master from bom-vulnerabilities-squashed

Conversation


@LapNik LapNik commented Aug 14, 2023

Description

CycloneDX 1.4 vulnerabilities included in an imported BOM will be saved as internal issues.

Addressed Issue

closes #783
closes #1297

Additional Details

  • All vulnerabilities imported from a BOM are saved as internal. It didn't seem like the different vulnerability sources used distinctive IDs so I thought this would be the simplest solution.
  • I could not figure out what AffectedVersionAttribution was used for so I didn't "reconcile" them.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
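The import the PR describes, written out as an added example that is not part of the PR or of Dependency-Track's own (Java) code base: it parses the `vulnerabilities` array of a CycloneDX 1.4 JSON BOM, resolves each `affects[].ref` against the BOM's component `bom-ref`s, and tags every imported entry with source `INTERNAL`, as the PR does. The sample BOM and its ids are constructed placeholders, and the names `ImportedVulnerability`, `import_bom_vulnerabilities` and `import_from_json`, as well as the choice to key records on (original source name, id) so that two sources reusing an id do not overwrite each other, are mine, not the project's.

```python
"""Added example: import CycloneDX 1.4 'vulnerabilities' from a BOM (Python,
illustrative; not Dependency-Track's implementation)."""
import json
from dataclasses import dataclass, field

# Constructed sample BOM; ids and sources are placeholders, not real advisories.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/lib@1.2.3",
     "name": "lib", "version": "1.2.3",
     "purl": "pkg:maven/org.example/lib@1.2.3"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001",
     "source": {"name": "ExampleDB"},
     "ratings": [{"severity": "medium", "method": "other"},
                 {"severity": "high", "method": "CVSSv31", "score": 7.5}],
     "cwes": [79],
     "affects": [{"ref": "pkg:maven/org.example/lib@1.2.3",
                  "versions": [{"version": "1.2.3", "status": "affected"},
                               {"version": "1.2.4", "status": "unaffected"}]}]},
    {"id": "EXAMPLE-0001",
     "source": {"name": "OtherDB"},
     "ratings": [{"severity": "low"}],
     "affects": [{"ref": "pkg:maven/org.example/missing@9.9.9"}]},
    {"description": "entry without an id; skipped because it cannot be keyed"}
  ]
}
"""

SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1,
                 "none": 0, "unknown": 0}


@dataclass
class ImportedVulnerability:
    vuln_id: str
    original_source: str                       # kept for traceability
    source: str = "INTERNAL"                   # every BOM-supplied entry is stored as internal
    severity: str = "unknown"
    cwes: list = field(default_factory=list)
    affected: list = field(default_factory=list)        # (purl or name, [affected versions])
    unresolved_refs: list = field(default_factory=list)  # affects[].ref with no matching bom-ref


def highest_severity(ratings):
    """Worst severity across a vulnerability's ratings list ('unknown' if none)."""
    best = "unknown"
    for rating in ratings or []:
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[best]:
            best = sev
    return best


def spec_version(bom):
    return tuple(int(p) for p in str(bom.get("specVersion", "0")).split("."))


def import_bom_vulnerabilities(bom):
    """Return {(original source name, id): ImportedVulnerability} for a parsed BOM."""
    if bom.get("bomFormat") != "CycloneDX" or spec_version(bom) < (1, 4):
        raise ValueError("BOM vulnerabilities require CycloneDX spec 1.4 or later")
    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    records = {}
    for entry in bom.get("vulnerabilities", []):
        vuln_id = entry.get("id")
        if not vuln_id:
            continue                          # id is optional in the schema; nothing to key on
        original = (entry.get("source") or {}).get("name", "UNKNOWN")
        key = (original, vuln_id)             # my choice: source + id, so ids reused across sources do not collide
        rec = records.get(key)
        if rec is None:
            rec = ImportedVulnerability(vuln_id, original,
                                        severity=highest_severity(entry.get("ratings")),
                                        cwes=list(entry.get("cwes", [])))
            records[key] = rec
        for affect in entry.get("affects", []):
            ref = affect.get("ref")
            component = components.get(ref)
            if component is None:
                rec.unresolved_refs.append(ref)   # dangling bom-ref: surface it rather than drop it
                continue
            versions = [v.get("version") or v.get("range")
                        for v in affect.get("versions", [])
                        if v.get("status", "affected") == "affected"]
            rec.affected.append((component.get("purl") or component.get("name"), versions))
    return records


def import_from_json(text):
    return import_bom_vulnerabilities(json.loads(text))


if __name__ == "__main__":
    for key, rec in import_from_json(SAMPLE_BOM_JSON).items():
        print(key, rec.source, rec.severity, rec.affected, rec.unresolved_refs)
```

Two things worth checking on a real import that the block makes visible: an `affects[].ref` that does not resolve to any component in the same BOM (reported in `unresolved_refs` instead of silently dropped), and a `versions[]` entry marked `unaffected`, which must not be recorded as an affected version.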

@LapNik force-pushed the bom-vulnerabilities-squashed branch from eb68272 to a5df93b on August 16, 2023 05:56
@LapNik force-pushed the bom-vulnerabilities-squashed branch from a5df93b to 2e9f966 on August 29, 2023 08:54
CycloneDX 1.4 spec allows listing vulnerabilities in the BOM. These were
previously ignored by Dependency Track. This commit adds support so that
those vulnerabilities are saved and can be managed along with other
vulnerabilities.

Signed-off-by: Niko Lappalainen <niko.lappalainen@m-files.com>
@LapNik force-pushed the bom-vulnerabilities-squashed branch from 2e9f966 to 943acfc on October 27, 2023 10:37
Successfully merging this pull request may close these issues:

  • Feature: Import vulnerabilities from BOM
  • Missing Vulnerabilities from CycloneDX BOM upload