
Suppress 'no longer vulnerable' vulnerabilities reported by Snyk #1620

Closed
2 tasks done
sahibamittal opened this issue Jan 10, 2025 · 3 comments · Fixed by DependencyTrack/hyades-apiserver#1024
Labels: enhancement (New feature or request)

Comments

@sahibamittal
Collaborator

Current Behavior

Scenario: for a component, say Snyk reported a vulnerability earlier. Now it is no longer vulnerable. But in DT we don't have any process to remove such a vulnerability from our records, and it is still being reported to users as vulnerable.
When we receive records from Snyk, we filter for the records which have non-empty data, and in this case such vulnerabilities are never deleted.

Proposed Behavior

Implement cleanup of 'no longer vulnerable' vulnerabilities.

Checklist

@sahibamittal sahibamittal added the enhancement New feature or request label Jan 10, 2025
@sahibamittal sahibamittal self-assigned this Jan 10, 2025
@nscuro
Member

nscuro commented Jan 11, 2025

When we receive records from Snyk, we filter the records which have non-empty data and in this case, such vulnerabilities are never deleted.

Are you saying Snyk reports a vulnerability record without any data when they revoke an entry?

Is this issue about actual deletion of VULNERABILITY records, or about auto-suppression of findings?

@sahibamittal
Collaborator Author

sahibamittal commented Jan 13, 2025

When we receive records from Snyk, we filter the records which have non-empty data and in this case, such vulnerabilities are never deleted.

Are you saying Snyk reports a vulnerability record without any data when they revoke an entry?

Is this issue about actual deletion of VULNERABILITY records, or about auto-suppression of findings?

Yes, it seems Snyk returns a record with empty data if that component version is no longer vulnerable. We've observed this with pkg:maven/org.springframework/[email protected]
It's impacting all projects with this component.
Currently, to remove such vulnerability, the project has to be deleted and re-uploaded.

@nscuro
Member

nscuro commented Jan 13, 2025

Yes it seems Snyk returns record with empty data if that component version is no longer vulnerable.

Oh wow, seems like a really odd thing to do...

In that case the Snyk analyzer could set the rejected field of the vulnerability.
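The reconciliation nscuro sketches above (mark a stored Snyk vulnerability as rejected once Snyk stops reporting it, instead of only filtering for non-empty records and leaving stale ones in place) can be shown side by side with the current behaviour described in the issue. The following is an added, hypothetical example; it is not Dependency-Track or hyades-apiserver code and does not use their real classes or APIs. It assumes a per-component Snyk response is a list of records with an `id` and a `data` field, that an empty `data` means "no longer affected", that stored vulnerabilities carry a `source` tag and a `rejected` flag, and that the analyzer only gets to run the reconciliation after a successful lookup. It generalizes slightly beyond the thread: any Snyk-sourced vulnerability absent from a successful response is treated the same way as one returned with empty data, non-Snyk records (NVD, OSV, ...) are never touched, and a failed lookup suppresses nothing.

```python
"""Reconcile a Snyk response against stored vulnerabilities (hypothetical example)."""
from dataclasses import dataclass, field

# Hypothetical source tag; not Dependency-Track's real enum.
SNYK_SOURCE = "SNYK"


@dataclass
class StoredVuln:
    """A vulnerability already attached to the component in the database."""
    vuln_id: str
    source: str = SNYK_SOURCE
    rejected: bool = False


@dataclass
class SnykResponse:
    """Result of one Snyk lookup for a component. ok=False models a failed call."""
    ok: bool
    records: list


@dataclass
class Outcome:
    added: list = field(default_factory=list)     # new Snyk IDs to create
    kept: list = field(default_factory=list)      # Snyk IDs still reported
    rejected: list = field(default_factory=list)  # Snyk IDs now marked rejected


def _is_populated(record: dict) -> bool:
    """A record counts only if it identifies a vulnerability and carries data."""
    return bool(record.get("id")) and bool(record.get("data"))


def reconcile_before(stored: list, response: SnykResponse) -> Outcome:
    """Current behaviour from the issue: filter to non-empty records and add
    the new ones; stored vulnerabilities are never revisited, so a record
    that comes back empty leaves its stale counterpart in place."""
    out = Outcome()
    reported = {r["id"] for r in response.records if _is_populated(r)}
    known = {v.vuln_id for v in stored if v.source == SNYK_SOURCE}
    out.added = sorted(reported - known)
    out.kept = sorted(known)  # everything stays, even what Snyk dropped
    return out


def reconcile_after(stored: list, response: SnykResponse) -> Outcome:
    """Proposed behaviour: a Snyk-sourced vulnerability that is no longer
    reported gets its rejected flag set (and cleared again if it reappears).
    Mutates the StoredVuln objects in place."""
    out = Outcome()
    snyk_vulns = [v for v in stored if v.source == SNYK_SOURCE]
    if not response.ok:
        # A failed lookup is not evidence of anything; never suppress on it.
        out.kept = sorted(v.vuln_id for v in snyk_vulns)
        return out
    reported = {r["id"] for r in response.records if _is_populated(r)}
    for v in snyk_vulns:
        if v.vuln_id in reported:
            v.rejected = False  # reappeared (or still present): keep it live
            out.kept.append(v.vuln_id)
        elif not v.rejected:
            v.rejected = True   # empty data or absent: no longer affected
            out.rejected.append(v.vuln_id)
        # already rejected and still absent: nothing to do
    known = {v.vuln_id for v in snyk_vulns}
    out.added = sorted(reported - known)
    return out


def sample_stored() -> list:
    """Constructed sample: two Snyk findings plus one NVD finding (placeholder IDs)."""
    return [
        StoredVuln("SNYK-EXAMPLE-1"),
        StoredVuln("SNYK-EXAMPLE-2"),
        StoredVuln("CVE-0000-0000", source="NVD"),
    ]


def sample_response() -> SnykResponse:
    """Constructed sample: EXAMPLE-2 now comes back with empty data, EXAMPLE-3 is new."""
    return SnykResponse(ok=True, records=[
        {"id": "SNYK-EXAMPLE-1", "data": {"severity": "high"}},
        {"id": "SNYK-EXAMPLE-2", "data": {}},
        {"id": "SNYK-EXAMPLE-3", "data": {"severity": "low"}},
    ])


if __name__ == "__main__":
    print("before:", reconcile_before(sample_stored(), sample_response()))
    print("after: ", reconcile_after(sample_stored(), sample_response()))
    print("failed lookup:", reconcile_after(sample_stored(), SnykResponse(ok=False, records=[])))
```

The two guards are the part worth keeping whatever the real implementation looks like: suppression is scoped to vulnerabilities the Snyk analyzer itself sourced, so an NVD or OSV record for the same component is never rejected because Snyk stopped listing it, and nothing is rejected when the lookup fails, because a missing answer is not the same as an empty one.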

@sahibamittal sahibamittal changed the title Delete 'no longer vulnerable' vulnerabilities reported by Snyk Suppress 'no longer vulnerable' vulnerabilities reported by Snyk Jan 14, 2025