Sonatype OSS Index

[kmoens]

Hello guys,

We are currently using the OSS Index, but based on the credits they will give we'll have to either start using their enterprise plan, or look for alternatives, due to our extimated usage of the credits.

We currently have NVD, Google OSV, GitHub Advisories and OSS Index enabled. For our projects we don't see the Sonatype reported vulnerabilities, only the CVEs, but looking at the API calls, they are found by means of the OSS Index.

From what I see, most of these vulnerabilities also have aliases in the GitHub Advisories, and they are nicely added.

Do I expect to loose information if we disable the OSS Index? Our ecosystem is mainly Java and TypeScript.

Thanks!

[ahmadalfy]

@kmoens I came to ask a very similar question to yours. This is how our credit utilization look like

And all I see in the vulnerabilities we have are mostly ones tagged with "NVD". Nothing having "OSSINDEX" like the screenshot in the documentation

[agnieszka-gados-skidata]

Hi @ahmadalfy, how does your monthly credit usage translates to the size of projects/components you have in DependencyTrack? Unfortunately we're missing historical data usage and I'm trying to estimate what it could be for us

[ahmadalfy]

@agnieszka-gados-skidata I have around 250 projects in my system.

[kmoens]

In our case we see a lot of vulnerabilities which are marked as "NVD" in the vulnerability column, but with "OSS Index" as analyzer:

Based on some random checks, many will be covered by the GHSA database, but we have numerous examples which only come from OSS Index.

[nigellh]

@nscuro Are you aware of an alternative analyser that can be used? Our usage is even higher than above. I have tried the Trivy one previously, but it generates a very different set of results. Our usage averages 95k/month!!!!

[nigellh]

Hi @nscuro. Currently as we have bust our limit on Sonatype (Average 95k per month!!!!) Why is DT not showing any vulnerabilities from NVD? Thanks

[nscuro]

https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/#internal-analyzer

Matching against data from the NVD requires components to have a valid CPE.

Enable GitHub Advisories or OSV, or use Trivy if your components use PURLs and not CPEs.

[nigellh]

Thanks, just enabled the OSV will work on getting CPEs automatically generated.

Trivy gives a very different set of results. But I am aware that ALL the vulnerability databases can give very different reports

[jmbergland]

@nscuro - if an SBOM were to have valid PURLs, and CPEs added in hopes to pull in NVD data, how does DT handle that? For example, can you have both PURLs and CPEs and will that work for NVD?

[nscuro]

CPE- and PURL-based matching happens independently, based on what is available. If a component has both, both will be used for matching. In other words, you'd get the sum of matches across both identifiers. Here's the relevant code for reference:

dependency-track/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java

Lines 71 to 78 in b527e08

	if (targetCpe != null) {
	analyzeCpeVersionRange(qm, vsList, targetCpe, component, vulnerabilityAnalysisLevel);
	ran = true;
	}
	if (targetPURL != null) {
	analyzePurlVersionRange(qm, vsList, targetPURL, component, vulnerabilityAnalysisLevel);
	ran = true;
	}