Analysis process

[savujevi]

Hello,

I have some questions about the analysis process in DT.

Is it correct, that the purl is used to analyse the dependency against NPM and OSS ?

According to the following text found in a discussion:
"Dependency-Track caches responses from NPM Advisories and OSS Index for 24 hours"
how is the process of the analysis ? Is the analysis made against the internal cache, or is the purl used against the api of OSS Index and NMP advisories ?

According to the purl construction: is the package type responsible if the NPM Advisory or the OSS Index is asked for ?

Which kind of package type is the correct one for NPM: npm or node-pkg ?

What metadata is collected from maven and npm repos which are not already integrated in the bom and in which way is the data asked for ?

I know these are a lot of question.

Thank you for your help.

Best regards,
Sascha Vujevic

[stevespringett]

Is it correct, that the purl is used to analyse the dependency against NPM and OSS ?

Yes. OSS Index uses purl directly, NPM does not directly support purl, so the purl is deconstructed and the namespace and name are used with the NPM Audit API.

Is the analysis made against the internal cache, or is the purl used against the api of OSS Index and NMP advisories ?

The analysis is made based on a components identity (purl type, namespace, name, version). If the component identity is already in cache, it will use those results. If not in cache, DT will analyze using OSS Index and NPM Audit APIs.

Which kind of package type is the correct one for NPM: npm or node-pkg ?

The purl type for npm is npm. Refer to https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

What metadata is collected from maven and npm repos which are not already integrated in the bom and in which way is the data asked for ?

The latest version of a package and the last published date are currently the only data that is retrieved from remote repos. This data is used to determine if a component is out of date and if so, by how much.

[savujevi]

Thank you for the response.

Am I right that all dependencies of each project is automatically scanned each day for outdated dependencies and vulnerabilities ?
And if not how can this be achieved ?

Thank you.

[stevespringett]

Yes. All configured repositories are queried every day to pickup the latest version and last published date for components. See also https://docs.dependencytrack.org/datasources/repositories/

[savujevi]

Thank you for the information.
Would an already imported project (bom file) be "scanned" again, if a new vulnerability has bin found during a new import from the vulnerability databases ?
Thank you for the information.

[stevespringett]

All components in the portfolio are analyzed every 24 hours at a minimum. So even if a BOM has not been uploaded to a project in a while, the system will surface any any new vulnerabilities that come up.

[HagarJNode]

Is the analysis is made based on components also done with internal repositories?

We have a Nexus repository that which also hold our maven repositories and I tried setting it up for but nothing happens. I'm unsure if the Dependency Track do infact get information, if the setup was correct, but I don't see any access denied messages in the DT log.

We would like to get those warning with old versions for our own artifacts / components in projects that is being analyzed.

Working now, so don't pay attention to this question.