Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set vulnerability as rejected for empty snyk records to suppress it in apiserver #1621

Closed
wants to merge 1 commit into from
Closed

Set vulnerability as rejected for empty snyk records to suppress it in apiserver #1621

wants to merge 1 commit into from

Conversation

sahibamittal
Copy link
Collaborator

@sahibamittal sahibamittal commented Jan 14, 2025
edited
Loading

Description

When SNYK sends records with empty data, they need to be reported to apiserver so that such component vulnerabilities can be suppressed.

Addressed Issue

Closes #1620

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@codacy-production Codacy Production
Copy link

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
+18.36% (target: -1.00%) 100.00% (target: 70.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (8f1dd4c) 201 132 65.67%
Head commit (1f4c4fe) 6901 (+6700) 5799 (+5667) 84.03% (+18.36%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#1621) 5 5 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more

@sahibamittal sahibamittal marked this pull request as ready for review January 15, 2025 17:14
nscuro
nscuro requested changes Jan 16, 2025
View reviewed changes
...zer/src/main/java/org/dependencytrack/vulnanalyzer/processor/scanner/snyk/SnykProcessor.java
Comment on lines +221 to +224
// Setting vulnerability rejected timestamp for records with empty data, to suppress them in apiserver.
var bomToBeSuppressed = Bom.newBuilder()
.addVulnerabilities(Vulnerability.newBuilder()
.setRejected(Timestamp.newBuilder().setSeconds(Instant.now().getEpochSecond()).build()).build());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a safe assumption to make here? The comment above reads:

[...] there is no way for us to differentiate between "no vulnerabilities" and "unable to correlate".

Also, a vulnerability record without ID and source doesn't make sense to be rejected. My understanding was that Snyk still returned the ID, but no content for it. But this makes me think they don't return it at all anymore?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No they don't send any data i.e. "data": []

...src/test/java/org/dependencytrack/vulnanalyzer/processor/scanner/snyk/SnykProcessorTest.java
@@ -151,7 +151,9 @@ void testNoResults() throws Exception {
assertThat(outputRecord.getValue().getStatus()).isEqualTo(ScanStatus.SCAN_STATUS_SUCCESSFUL);
assertThat(outputRecord.getValue().hasFailureReason()).isFalse();
assertThat(outputRecord.getValue().getScanner()).isEqualTo(Scanner.SCANNER_SNYK);
assertThat(outputRecord.getValue().getBom().getVulnerabilitiesCount()).isZero();
assertThat(outputRecord.getValue().getBom().getVulnerabilitiesList()).satisfiesExactlyInAnyOrder(
vulnerability -> assertThat(vulnerability.getRejected()).isNotNull()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there are legitimately no results, the rejection status doesn't make sense.

@sahibamittal sahibamittal marked this pull request as draft January 20, 2025 10:24
@sahibamittal
Copy link
Collaborator Author

Closing PR, no changes needed at Hyades end.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nscuro nscuro nscuro requested changes

Assignees
No one assigned
Labels
domain/vuln-analysis enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Suppress 'no longer vulnerable' vulnerabilities reported by Snyk
2 participants
@sahibamittal @nscuro