PURL URL is not identified in Dependency Tracker

[VASAVI512]

Hello Steve,

Dependency tracker is not identifying the PULR url, though they correct. But when we i have given the CPE manually in DT its showing the component Vulnerabilities. SBOM json file has PULR information.

Example PURL urls :
"purl" : "pkg:deb/debian/[email protected]?arch=amd64",
"purl" : "pkg:deb/debian/[email protected]%2Bdfsg-1%2Bdeb10u1?arch=i386",
"purl" : "pkg:deb/ubuntu/[email protected]%2Bdfsg1-0.5?arch=amd64",

DT version: 4.5.0
SBOM generated from Blackduck Cyclone DX 1.3 version

Please help us to understand, why DT is not showing few of the PURL vulnerabilities?.

Regards,
Vasavi

[JN-CSIRT]

The route to DEB repository (as well as GitHub Repository) does not exist in DT. There are selected repositories only.
It should be added into DT.

[VASAVI512]

Thank you for your response.
Where can i get the list of repositories that DT will add through PURL link.
Is there any plan to add/update the repositories ?

[nscuro]

Dependency-Track per default uses Sonatype OSS Index to identify vulnerabilities based on PURL. OSS Index however does not support the Debian ecosystem (see here for supported ecosystems).

When you provide CPEs, Dependency-Track can match those against the NVD, which does include Debian vulnerabilities. The NVD doesn't support PURL, that's why components with PURL cannot be matched directly against the NVD right now.

[g-sahil22]

Hi @nscuro ,

I generate SBOM using cdxgen for live OS based on RPM, and sonatype OSS index support RPM, but still dependency track no report any vulnerability

pkg:rpm/[email protected]#NetworkManager-1.40.0-5.0.2.el8_7.src.rpm
pkg:rpm/[email protected]#abattis-cantarell-fonts-0.0.25-6.el8.src.rpm
pkg:rpm/[email protected]#bash-4.4.20-4.el8_6.src.rpm
pkg:rpm/[email protected]#binutils-2.30-117.0.3.el8.src.rpm

Thanks
Sahil

[syalioune]

Hello,

You can refer to nscuro reply here #1829 (reply in thread)

OSS Index does not return any vulnerabilities for those packages, so does DT.

[VASAVI512]

Understood. Yes if i provide the CPEs manually DT is able to show the vulnerabilities for deb components as well.

But, the below PURL urls also not working in DT, though they are Sonatype OSS index range. Conda is supported by Sonatype.
Please let me know understand why these are PURL urls are not showing risk in DT.

Python Pillow, 8.3.0
"purl" : "pkg:conda/[email protected]_0-linux-64"

Python programming language , 2.7.16
"purl" : "pkg:rpm/clearlinux/[email protected]?arch=x86_64"

Flask-Cors, 3.0,10
"purl" : "pkg:pypi/[email protected]"

python-sqlite3, 2.7.16
"purl" : "pkg:yocto/[email protected]?arch=core2-32",

Jinja, 2.1
"purl" : "pkg:apk/alpine/[email protected]?arch=noarch",

[g-sahil22]

HI @nscuro ,

Which parameter dependency track is used in backed for google OSV?

[nscuro]

@g-sahil22 Can you expand on that question? I'm not sure I understand what you're asking for.

[g-sahil22]

for NVD it is CPE for the Sonatype OSS index it is PURL, similarly, for Google OSV, because google OSV contains a good database of OS packages

[nscuro]

Got it, thanks. For OSV, DT will also use PURL.

[g-sahil22]

Thanks @nscuro

[JN-CSIRT]

Hi Niklas,
what's about Github and Sourceforge PURLs? It could be great to check the components in Github for actuality as e.g. for Maven...
OSS does not support them in Ecosystem :(
Is there any plans to add them into DT?

[nscuro]

No active plan for it, but if you raise an enhancement request we can track it and deliver that in a future version.

[VASAVI512]

Hi Niklas,

I am raising the ticket wit Sonatype, though there are CPE's we do not find the vulnerabilities in DT.
And,
Comp: Git
Version: 2.20.1
pkg:deb/debian/[email protected]%2Bdeb10u3?arch=amd64&epoch=1
We see the vulnerablility data in DT for the DEB packages, how is it possible, as per your comments deb is not in supported ecosystems.

Regards,
Vasavi

[nscuro]

Debian was supported by OSS Index prior to their big migration (see the announcement here):

Some ecosystems will no longer be supported.As part of this change we will be dropping support for Drupal, Debian, Chocolatey, Alpine, Bower and Go Dep. Note: Go Mod will continue to be supported and we encourage all OSS Index users to upgrade to newer Go Mod modules.

It's possible that the vulnerability you're referring to was identified prior to this change.

[officerNordberg]

I worked on the fuzzy matching precisely to match Debian artifacts and my disappointment with PURL matching of NVD CVEs. YMMV

…

On Jul 27, 2022, at 2:29 AM, Niklas ***@***.***> wrote:  No active plan for it, but if you raise an enhancement request we can track it and deliver that in a future version. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[VASAVI512]

Hi Niklas,

We would like to know how DT data back up and restore is working. Can you share any document how to do Back up and restore through Dockers.

Regards,
Vasavi