Issue description being changed to different CVE on repeated runs #682
Comments
|
Could you please provide the log output. |
|
Please let me know if any other logs or information is needed. Thank you. |
|
Some additional info: I noticed that all of the issues were associated to one line in the POM in SonarQube, because they were all Spring managed transitive dependencies. When I broke them out and explicitly listed each dependency, each of the issues corresponded to the line that the dependency they were associated with was listed on, as expected. I then updated some of the libraries in a way that would address some of the vulnerabilities for that dependency, but not all of them. The result was that the issues that were associated with dependencies that weren't updated remained correct. However, the ones associated with updated libraries were mixed up, but only among themselves. For example, issues associated with spring-core and tomcat-embed-core were mixed up, but the CVEs that were mixed up for spring-core remained associated with spring-core, and the same for tomcat-embed-core. Looking at the fix for #55 in #61, it seems like the plugin matches issues based on the line it's on, but if multiple issues are associated with the same line, then there's no guarantee that the issues will be updated in the correct order. |
That logs are from the SonarQube-Process. I need the debug log of the SonarQube-Agent. The plugin does not resolve the transitive dependencies from your project file. To do this, you would have to ship Maven, Gradle, NPM, etc. inside the jar. This is simply unrealistic. I will be on vacation for the next three weeks, so I will not be able to continue working on your issue until after that. |
|
SonarScanner Debug First Scan.txt Sorry about that, I believe these are the correct logs.
Yes, this seems to be it. To summarize my current understanding: since a single library can have multiple vulnerabilities, there's the potential for multiple issues to be linked to the same line. When there are, if the order changes for some reason, such as one of the vulnerabilities being resolved and no longer appearing in the dependency-check report, the vulnerabilities might be updated to the wrong issues. |
|
My two cents, SonarQube uses ruleKey to match existing issues (https://docs.sonarqube.org/latest/user-guide/issues/#header-3, https://github.com/SonarSource/sonarqube/blob/9.5.0.56709/sonar-core/src/main/java/org/sonar/core/issue/tracking/AbstractTracker.java), so I think one of the ways to solve this would be to use ExternalIssues, similarly as Each vulnerability could be created with different AdHocRule, with ruleId/ruleKey set to e.g. CVE ID, which should allow SonarQube to correctly match existing issues. However this also have drawbacks, for example it is not possible to set ExternalIssue as False Positive within SonarQube, also background tasks may take a longer time (e.g. due to 'Persist new ad hoc Rules' step). |
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. |
github-actions
bot
added
the
lifecycle/stale
|
I tried using ExternalIssue (https://github.com/dependency-check/dependency-check-sonar-plugin/tree/external_issue) and took a fresh look at AdhocRules, but unfortunately the functionality is limited compared to the current solution. AdHocRules have neither a tag nor a CWE nor an owasptop10 status. https://github.com/SonarSource/sonar-plugin-api/blob/master/sonar-plugin-api/src/main/java/org/sonar/api/batch/sensor/rule/AdHocRule.java |
github-actions
bot
removed
the
lifecycle/stale
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. |
github-actions
bot
added
the
lifecycle/stale
|
I'm also experiencing this issue with transitive dependencies in pom file, that are all associated to the file, without line number. |
github-actions
bot
removed
the
lifecycle/stale
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. |
github-actions
bot
added
the
lifecycle/stale
|
Using the CVE number was a good idea. The solution I came to was to use it as a line offset, so that the issue would be associated with the line, but only at the column that matches the CVE number, so that the potential for collisions on the same line is reduced. I've only been able to test it on a Maven project, so I'm not sure if these changes would affect the Gradle or NPM scanners in any way, but it at least seems to be working correctly there. |
github-actions
bot
removed
the
lifecycle/stale
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. |
github-actions
bot
added
the
lifecycle/stale
Reamer
added
lifecycle/frozen
|
We are also experiencing this issue. After running the analysis for the second time a lot of issues have been closed by SonarQube, but the vulnerabilities are still there, only new issues have been created. For example CVE-2023-2976, a Guava vulnerability, was first created on line x. After running the analysis again a new issue about the same Guava vulnerability has been created on line y and the first one has been closed. The line number was removed. According to the HTML report the Guava dependency is a transitive dependency of the following dependencies that are listed in our Report:
However after running the analysis again, the order in the report has changed. I think this is the cause of issues being closed and recreated. Versions
Update 14-02-2024: also with OWASP dependency check version 9.0.9 we have this issue. |
Describe the bug
After addressing vulnerabilities in a previous analysis' report, some vulnerability issues within SonarQube are having their descriptions updated with the descriptions of other vulnerabilities that are present in the report. In some cases, issues that had been manually marked with a resolution had the resolution removed, making them appear as if they had never been resolved. Comments, tags, and other features that are managed directly by SonarQube remain the same, only the description and severity are changed to that of another issue.
To Reproduce
Current behavior
SonarQube vulnerability issue descriptions and severities are being mixed up on subsequent analyses.
Expected behavior
Each issue's description and severity should remain the same once the issue has been created.
Screenshots
I used comments to track the issues, by commenting the CVE that the issue was for after the first analysis. After the second analysis, it had changed from the one in the comment to the one in the description.
Versions (please complete the following information):
Additional context
This appears to be similar to #55.
The text was updated successfully, but these errors were encountered: