Comments (4)
This issue should be resolved for all newly generated SHA1 hashes, and existing records are corrected.
I still see a problem here: the code now adds 8 characters in order to avoid the problem of the suppression.xml parser. However, this is not creating a real SHA1 nor MD5 hash. The methods setMd5() and setSha1() of the LibraryVersion class are not called anywhere. Thus, in this check
dependency.setSha1sum((libraryVersion.getSha1() != null) ? libraryVersion.getSha1() : libraryVersion.getUuidAsSha1Hash());
the condition is always false and the sha1 is set as "00000000".concat(uuid.replace("-", "")).
I would suggest to set the sha1 and md5 when the libraryVersion is created.
Another point is that if this hash is the same for 2 different components, then it won't be possible to suppress a vulnerability from just one of the components.
You're correct in that the setMd5 and setSha1 methods are never called. This will be changed by #4. The idea is that when the Dependency-Check XML reports are imported, or when the (future) RESTful API is invoked, the Md5 and Sha1 values will be set with real hash values. This will not only be used in the suppression file, but to assist Dependency-Track in identifying what the component is.
As part of this enhancement, the values will also be settable on the add/modify form when adding a library version.
I figured I'd leave the database fields (and setters/getters) in place so that I wouldn't have to worry about SQL upgrade code later on.
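The two comments above describe the same gap from both sides: the placeholder that getUuidAsSha1Hash() produces (8 zeros plus the 32 hex digits of the UUID) is accepted by the suppression file because it is 40 hex characters long, but it is not a digest of anything, and every component resolved through the same library version gets the same value. The following is an added illustration, not code from Dependency-Track or from either commenter. It assumes a 40-hex-character format check as the suppression parser's acceptance rule, uses a constructed UUID and constructed artifact bytes, and the class and method names (LibraryVersionHashes, resolveSha1, acceptedBySuppressionFile) are illustrative. It contrasts the placeholder path (setSha1() never called) with the real SHA-1/MD5 digests the fix intends to store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;
import java.util.regex.Pattern;

public class LibraryVersionHashes {

    // Assumption: the suppression file accepts any 40-hex-character sha1 value.
    // This is an illustrative format check, not the parser's actual code.
    private static final Pattern SHA1_40_HEX = Pattern.compile("^[0-9a-fA-F]{40}$");

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static String digest(String algorithm, byte[] data) {
        try {
            return hex(MessageDigest.getInstance(algorithm).digest(data));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    /** Real SHA-1 of the artifact bytes, the value that setSha1() should receive. */
    static String sha1(byte[] artifact) {
        return digest("SHA-1", artifact);
    }

    /** Real MD5 of the artifact bytes, the value that setMd5() should receive. */
    static String md5(byte[] artifact) {
        return digest("MD5", artifact);
    }

    /** The placeholder described in the thread: 8 zeros followed by the UUID without dashes (40 chars). */
    static String uuidAsSha1Hash(UUID uuid) {
        return "00000000".concat(uuid.toString().replace("-", ""));
    }

    /** Mirrors the fallback quoted in the thread: prefer a stored digest, else the placeholder. */
    static String resolveSha1(String storedSha1, UUID libraryVersionUuid) {
        return storedSha1 != null ? storedSha1 : uuidAsSha1Hash(libraryVersionUuid);
    }

    static boolean acceptedBySuppressionFile(String sha1) {
        return SHA1_40_HEX.matcher(sha1).matches();
    }

    public static void main(String[] args) {
        // Constructed sample artifacts: two different components that map to one library version.
        byte[] artifactA = "constructed sample artifact A".getBytes(StandardCharsets.UTF_8);
        byte[] artifactB = "constructed sample artifact B".getBytes(StandardCharsets.UTF_8);
        UUID libraryVersionUuid = UUID.fromString("123e4567-e89b-12d3-a456-426614174000"); // constructed

        // Case 1: setSha1() never called, so both components receive the same placeholder.
        // It passes the format check but cannot distinguish A from B in a suppression rule.
        String placeholderA = resolveSha1(null, libraryVersionUuid);
        String placeholderB = resolveSha1(null, libraryVersionUuid);
        System.out.println("placeholder: " + placeholderA
                + " accepted=" + acceptedBySuppressionFile(placeholderA)
                + " collides=" + placeholderA.equals(placeholderB));

        // Case 2: real digests stored, so the two components resolve to distinct values
        // and a suppression can target exactly one of them.
        String realA = resolveSha1(sha1(artifactA), libraryVersionUuid);
        String realB = resolveSha1(sha1(artifactB), libraryVersionUuid);
        System.out.println("sha1 A: " + realA + " md5 A: " + md5(artifactA));
        System.out.println("sha1 B: " + realB + " md5 B: " + md5(artifactB));
        System.out.println("accepted=" + acceptedBySuppressionFile(realA)
                + " collides=" + realA.equals(realB));
    }
}
```

Run it with `javac LibraryVersionHashes.java && java LibraryVersionHashes`. The first line of output shows the placeholder being accepted while colliding across components; the remaining lines show that once real digests are stored the format check still passes and the values differ, which is what makes per-component suppression possible.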
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.