Rejected CVEs are still displaying as Vulnerabilities in Dependency Track #2247

Open
2 tasks done
rajatkumardev opened this issue Dec 7, 2022 · 4 comments
Labels
defect Something isn't working in triage

Comments

@rajatkumardev

Current Behavior

This is a screenshot from a project as of today
[screenshot: project findings view]

And this is rejected on NVD
https://nvd.nist.gov/vuln/detail/CVE-2022-41852
https://nvd.nist.gov/vuln/detail/CVE-2022-40157

Steps to Reproduce

1. Showing Rejected vulnerabilities in DependencyTrack
[screenshot: rejected CVEs listed as vulnerabilities]

Expected Behavior

Should not display it as vulnerable

Dependency-Track Version

4.5.x

Dependency-Track Distribution

Container Image

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Google Chrome

@rajatkumardev rajatkumardev added defect Something isn't working in triage labels Dec 7, 2022
@stevespringett
Member

Are there any occurrences where a CNA, often times a software vendor themselves, rejected the CVE themselves?

For implementation, I think it would be best if this was a configurable option. We can exclude them by default, but if an org wants them enabled for some reason, the platform should provide that.
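
As an added example (not Dependency-Track's own code), a small Python filter of the kind described above: it parses NVD API 2.0 `vulnerabilities` records, treats `vulnStatus == "Rejected"` or the legacy `** REJECT **` description prefix as a rejection, and hides those CVEs unless an `include_rejected` option is set. The sample response is constructed; the two `CVE-0000-*` IDs are placeholders, not real CVEs.

```python
import json

# Constructed sample shaped like an NVD API 2.0 response (only the fields the
# filter reads). The two rejected IDs are the ones from this issue; the other
# two are placeholder IDs, not real CVEs.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-2022-41852", "vulnStatus": "Rejected",
                 "descriptions": [{"lang": "en", "value": "Rejected reason: ..."}]}},
        {"cve": {"id": "CVE-2022-40157", "vulnStatus": "Rejected",
                 "descriptions": [{"lang": "en", "value": "Rejected reason: ..."}]}},
        {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
                 "descriptions": [{"lang": "en", "value": "Placeholder finding."}]}},
        # Legacy marker: older feeds flagged rejections only in the description text.
        {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Analyzed",
                 "descriptions": [{"lang": "en",
                                   "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."}]}},
    ]
})

LEGACY_REJECT_PREFIX = "** REJECT **"


def is_rejected(cve: dict) -> bool:
    """True if NVD marks the record rejected, via the 2.0 status field
    or the legacy description prefix."""
    if cve.get("vulnStatus") == "Rejected":
        return True
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en" and d.get("value", "").lstrip().startswith(LEGACY_REJECT_PREFIX):
            return True
    return False


def load_vulnerabilities(nvd_json: str, include_rejected: bool = False) -> list:
    """Parse an NVD 2.0 response and drop rejected CVEs unless the operator
    opted in. Returns the cve dicts that should be shown as findings."""
    kept = []
    for rec in json.loads(nvd_json).get("vulnerabilities", []):
        cve = rec.get("cve", {})
        if not include_rejected and is_rejected(cve):
            continue  # excluded by default, as proposed in this issue
        kept.append(cve)
    return kept


def cve_ids(nvd_json: str, include_rejected: bool = False) -> list:
    return [c["id"] for c in load_vulnerabilities(nvd_json, include_rejected)]


if __name__ == "__main__":
    print("default  :", cve_ids(SAMPLE_NVD_JSON))
    print("opted in :", cve_ids(SAMPLE_NVD_JSON, include_rejected=True))
```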

@rajatkumardev
Author

Are there any occurrences where a CNA, often times a software vendor themselves, rejected the CVE themselves?

For implementation, I think it would be best if this was a configurable option. We can exclude them by default, but if an org wants them enabled for some reason, the platform should provide that.

Agree 👍

@msymons
Member

msymons commented Dec 14, 2022

This seems to be a duplicate of #1693.

I believe that, however DT handles such vulns, it should be in a way that has VEX as a basis. Thus, I logged CycloneDX/specification#168 to request an enhancement to the CycloneDX specification for VEX.

@mum-viadee

mum-viadee commented Dec 2, 2024

Any progress on this one? CycloneDX/specification#168 was closed over a year ago...
