-
-
Notifications
You must be signed in to change notification settings - Fork 580
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Offer alias-based de-duplication of vulnerabilities #1994
Offer alias-based de-duplication of vulnerabilities #1994
Comments
In our case, this issue is the reason not to enable GitHub Advisories. But the noise induced by ~80% of duplicated findings makes it unusable. Ignoring finding with an existing alias would be good enough as a first solution. |
Hi @nscuro we would like to discuss our approach to tackle this issue.
|
Why not to use some internal Dependency-Track id (e.g. INT-1234) as a main identifier for vulnerabilities and put identifiers from public vulnerability databases in the alias section from the very begining? |
Hey @fatcatnoregret, Thank you for your suggestion about using internal IDs as the main identifier for vulnerabilities and adding other identifiers in the alias section. It's a great idea! However, we might still face the challenge of deciding which information to display when users click on a vulnerability. This could be similar to the issue we're trying to address. |
Is there a way this problem can be solved without discarding the duplicated findings? One of my use cases for DT is generating VEX documents that can be distributed to customers, and while I agree that it's frustrating having to analyse the same vulnerability three times, I still want a response for all three identifiers to appear in the exported VEX. I'd like to propose an approach where instead of de-duplicating findings by blocking/removing them, there was a "de-duplicated view" where related findings are presented as a group, so they can be analysed as a single item, and a response set as a single action. That would simplify the process of handling duplicate findings without any loss of information. |
Current Behavior:
#1642 introduced tracking of vulnerability aliases. We now know which vulnerabilities describe the same issue, but we don't yet use this data to reduce the overall noise of findings. Clients may perform de-duplication based on their specific needs (e.g., always preferring GHSA over CVE), but we should offer a canonical solution from the server-side.
Proposed Behavior:
There should be a mechanism to de-duplicate vulnerabilities. In order to stay backwards-compatible, new API endpoints or opt-in parameters should be introduced.
Note that the intention is not to de-duplicate during vulnerability data ingestion! We still want to keep the data from all sources.
There are multiple constraints that need to be considered. Steve mentioned a few of them in #1912 (comment):
(There will be more constraints than this)
The text was updated successfully, but these errors were encountered: