Same vulnerability is reported several times

[lsoumille]

Current Behavior

In our DependencyTrack instance for some components, we have duplicates vulnerability reports. See associated screenshots.

After digging in DependencyTrack databases we can several entries in the table COMPONENTS_VULNERABILITIES but we don't understand how that's possible.

This is issue as we are using these thresholds in build gates.

Steps to Reproduce

1. We were not able to reproduce it for distinct components, it seems to appear in a non deterministic way.

Expected Behavior

I want to have only one entry per vulnerability in DependencyTrack report

Dependency-Track Version

4.5.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

10.18

Browser

N/A

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

After digging in DependencyTrack databases we can several entries in the table COMPONENTS_VULNERABILITIES but we don't understand how that's possible.

Would it be possible to share what exactly you saw there?

Technically the same vulnerability being reported for the "same" component can happen when there are duplicate components in the projects being analyzed. But if the same vulnerability is assigned multiple times to the same component (as in, same database ID), that should definitely not happen.

[lsoumille]

Hi @nscuro

Thanks for your answer. I have double checked and for case we have:

• For a vulnerability a unique entry in vulnerability table
• For the corresponding project, we have a unique component in the table and in the BOM
• We have 2 entries in COMPONENT_VULNERABILITIES
• We see 4 times the vulnerability reported in DependencyTrack UI

We might have consistency issue in our database issue. Do you know how we can return in normal state ?

[nscuro]

We will want a similar treatment as #4837 for the COMPONENT_VULNERABILITIES table:

• Clean up duplicates prior to upgrade.
• After / during upgrade, create a primary key to prevent future dupes on the database level.
• Use Sets rather than Lists in Java code to enforce uniqueness in the application as well.

[et11581]

I am also seeing duplicates entries. I am using Dependency Track 4.13.5. The duplicates are only occurring in the module "linux_kernel" where I updated the version number and then changed it back. On each version change I also selected “Reanalyze”. I have 4 duplicates of CVEs for this component. Perhaps both the change and reanalyze caused duplicate entries.
All 4 entries list "analyzerIdentity": "INTERNAL_ANALYZER". But the dates vary. All other fields are identical.
"attributedOn": 1764803670784
"attributedOn": 1764803670784
"attributedOn": 1764803671386
"attributedOn": 1764803671386

Using the API “api/v1/vulnerability/project/{project['uuid']}" only gives one copy of the CVE.
Using the API “api/v1/finding/project/{currentProject}" gives 4 copies of the CVE.
The UI display gives 4 copies of the CVE.

Details of CVE entry
{
"component": {
"uuid": "2a48dc7a-e163-4b97-addf-a30f98fbe90c",
"name": "linux_kernel",
"group": "linux",
"version": "6.6.88",
"cpe": "cpe:2.3:o:linux:linux_kernel:6.6.88:::::::*",
"project": "bbc15549-49a9-4c5b-8c64-41f6cc62aa07"
},
"vulnerability": {
"uuid": "42f08788-bb0b-4ffd-aed9-bb452edb3599",
"source": "NVD",
"vulnId": "CVE-2024-57898",
… (skip)
"attribution": {
"analyzerIdentity": "INTERNAL_ANALYZER",
"attributedOn": 1764803671386
},
"matrix": "bbc15549-49a9-4c5b-8c64-41f6cc62aa07:2a48dc7a-e163-4b97-addf-a30f98fbe90c:42f08788-bb0b-4ffd-aed9-bb452edb3599"
},

[DaBalt]

We have the same issue, exactly the same vulnerability assigned to the same one component.