Defined artefact version in the hints file is ignored #5812
Comments
Similar behavior with dotnet-hosting-6.0.15-win.exe, which can be downloaded here: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-aspnetcore-6.0.15-windows-hosting-bundle-installer
@bondarei no need for further examples... root cause is already identified. ODC will fail to honour any version info from hints if there is only one version identified in the initial evidence gathering.
@aikebah Thanks for your fast response! In the second example, the evidence type="product" source="hint analyzer" name="product" value=".net" confidence="HIGHEST" is also ignored; the report contains only cpe:2.3:a:microsoft:.net_framework:6.0.15, but I would also expect the following cpe:2.3
@bondarei That second example is a different issue, with a yet unknown, but different cause. I've opened a secondary ticket for that, so that we can resolve the issues individually.
Ensure that HintAnalyzer runs before VersionFilterAnalyzer, as HintAnalyzer may add versions that are not yet present in the evidences. VersionFilterAnalyzer may otherwise wrongly set an explicit version for the dependency if the collected evidences converge to a single version but the hints add a new and different version. Also add an implementation note on the AnalysisPhase to document which analyzers are bound to which phase. Introduces 2 additional POST_INFORMATION_COLLECTION phases so that DependencyMergingAnalyzer is guaranteed to run before HintAnalyzer, which in turn is guaranteed to run before VersionFilterAnalyzer.
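The ordering defect described in the commit message above, as an added illustration that is not dependency-check's own code: a deliberately simplified model of evidence gathering in which a filter pins the dependency to a single version when all version evidence agrees, and a hint step adds version 3.4.11 for avcodec-vsdk-57.dll. The analyzer names and the "57" evidence are taken from this issue; the data structures, the HINTS table and the pinning rule are assumptions standing in for hints.xml and the real analyzers.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Simplified model (not dependency-check's real classes) of version evidence
# and of the two analyzers whose relative order this issue is about.

@dataclass
class Evidence:
    source: str       # e.g. "file", "version", "hint analyzer"
    value: str        # the version string
    confidence: str   # "HIGHEST", "HIGH", "MEDIUM", "LOW"

@dataclass
class Dependency:
    file_name: str
    version_evidence: List[Evidence] = field(default_factory=list)
    version: Optional[str] = None   # explicit version once the filter pins one

# Constructed stand-in for hints.xml: the hint from the report, keyed by file name.
HINTS = {"avcodec-vsdk-57.dll": [Evidence("hint analyzer", "3.4.11", "HIGHEST")]}

def hint_analyzer(dep: Dependency) -> None:
    # Adds hint evidence; it may introduce a version not seen during collection.
    dep.version_evidence.extend(HINTS.get(dep.file_name, []))

def version_filter_analyzer(dep: Dependency) -> None:
    # If every version evidence agrees, pin the dependency to that single version.
    distinct = {e.value for e in dep.version_evidence}
    if len(distinct) == 1:
        dep.version = distinct.pop()

def candidate_versions(dep: Dependency) -> Set[str]:
    # Versions that would feed CPE identification: the pinned one if set, else all evidence.
    if dep.version is not None:
        return {dep.version}
    return {e.value for e in dep.version_evidence}

def scan(order) -> Set[str]:
    # Constructed initial evidence: only "57" is gathered from the file name and PE header.
    dep = Dependency("avcodec-vsdk-57.dll",
                     [Evidence("file", "57", "MEDIUM"), Evidence("version", "57", "HIGH")])
    for analyzer in order:
        analyzer(dep)
    return candidate_versions(dep)

# Before #5818: the filter runs first, converges on "57", and the hint is then ignored.
BUGGY_ORDER = [version_filter_analyzer, hint_analyzer]
# After #5818: the hint runs first, evidence no longer converges, and both versions survive.
FIXED_ORDER = [hint_analyzer, version_filter_analyzer]
```

With BUGGY_ORDER the model reports only {"57"}, matching the report in this issue; with FIXED_ORDER it reports {"57", "3.4.11"}, matching the expected behavior.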
This issue appears to have been closed with #5818.
Describe the bug
A defined version 3.4.11 for the avcodec-vsdk-57.dll in the hints file doesn't appear in the report as part of a cpe. The report contains only
[cpe:2.3:a:ffmpeg:ffmpeg:57:::::::*] (Confidence:Highest)
cpe:2.3:a:ffmpeg-sdk_project:ffmpeg-sdk:57:::::::*
Version of dependency-check used
The problem occurs using dependency-check version: 8.0.1 of the cli.
To Reproduce
Steps to reproduce the behavior:
Execute scan with cli tool of the attached assembly with the attached hints file and verify the report.
Expected behavior
Expected something like this:
cpe:2.3:a:ffmpeg:ffmpeg:3.4.11:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:57:::::::*
Additional context
hints.zip
avcodec-vsdk-57.zip