Duplicate dependencies reported under projects #134
Comments
Thanks for the report. This is likely related (but not identical) to #123 |
Sure thing, thanks for creating/working on this project! |
Can you provide dependency-check-report.xml? If (for privacy reasons) you cannot attach to ticket, send to steve.springett@owasp.org. Have you noticed this occurring with all components or just specific ones like jersey-guava? |
It happens with many of my dependencies though not all of them. I've seen it return the same result two times and three times like the example above. Some other libraries where it occurs are guava and antlr. One where it doesn't occur is byte-buddy. Perhaps the application is searching in multiple places and doesn't create a set out of the aggregated search results but rather a list? Or perhaps internally the entries have different ids that are not visible in the application. I noticed that the component name is not necessarily the artifact id. For example bsh:2.0b4 is named bsh (its artifact is named bsh) and bsh:2.0b6 is named beanshell (though its artifact is also named bsh) - they do have different groups though. The duplicates I've noted above are exactly the same though, right down to the MD5 hash. |
When resolving components from a dependency-check scan, the md5 and sha1 file hashes are exclusively used. I don't think the issue could be there as you've indicated the hashes are consistent. More than likely, multiple dependency relationships are being created that bind the component to the project. This would explain why the same component is showing up multiple times. If you could, please run the following SQL script against the database. The script is designed to find duplicates. The expected behavior is to return 0 rows. If results are returned, this is where the error is coming from.

SELECT PROJECT_ID, COMPONENT_ID, COUNT(*)
FROM DEPENDENCY
GROUP BY PROJECT_ID, COMPONENT_ID
HAVING COUNT(*) > 1;

I'm adding logic which will be in the next release that will ensure duplicates are not created and deletes existing duplicates if they exist. |
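The diagnostic query above, plus the two follow-up steps the maintainer describes (delete existing duplicate rows, prevent new ones), worked through against a small in-memory SQLite table. This is an added example, not code from the thread or from Dependency-Track itself; the DEPENDENCY schema (an ID primary key with PROJECT_ID and COMPONENT_ID columns) and the sample rows are constructed assumptions, and the index name is made up. The detection query is the one from the comment, unchanged.

```python
import sqlite3

# Constructed schema approximating a project-to-component join table
# (assumption: an ID primary key plus PROJECT_ID/COMPONENT_ID foreign keys).
SCHEMA = """
CREATE TABLE DEPENDENCY (
    ID INTEGER PRIMARY KEY,
    PROJECT_ID INTEGER NOT NULL,
    COMPONENT_ID INTEGER NOT NULL
);
"""

# Constructed sample rows: project 1 is bound to component 10 three times and
# to component 11 twice (the duplicates); component 12 and project 2 are clean.
SAMPLE_ROWS = [
    (1, 1, 10), (2, 1, 10), (3, 1, 10),
    (4, 1, 11), (5, 1, 11),
    (6, 1, 12),
    (7, 2, 10),
]

# The duplicate-finding query from the thread, unchanged.
FIND_DUPLICATES = """
SELECT PROJECT_ID, COMPONENT_ID, COUNT(*)
FROM DEPENDENCY
GROUP BY PROJECT_ID, COMPONENT_ID
HAVING COUNT(*) > 1
"""

# Cleanup: keep the lowest ID for each (PROJECT_ID, COMPONENT_ID) pair,
# delete every other row for that pair.
DELETE_DUPLICATES = """
DELETE FROM DEPENDENCY
WHERE ID NOT IN (
    SELECT MIN(ID) FROM DEPENDENCY GROUP BY PROJECT_ID, COMPONENT_ID
)
"""

# Prevention: a unique index makes a second insert of the same pair fail
# at the database, regardless of which code path tries to create it.
# (Index name is a constructed placeholder.)
UNIQUE_INDEX = (
    "CREATE UNIQUE INDEX DEPENDENCY_PROJECT_COMPONENT_IDX "
    "ON DEPENDENCY (PROJECT_ID, COMPONENT_ID)"
)


def open_sample_db():
    """Return an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO DEPENDENCY (ID, PROJECT_ID, COMPONENT_ID) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def find_duplicates(conn):
    """Rows of (PROJECT_ID, COMPONENT_ID, count) that appear more than once."""
    return sorted(conn.execute(FIND_DUPLICATES).fetchall())


def delete_duplicates(conn):
    """Remove surplus rows; returns how many were deleted."""
    cur = conn.execute(DELETE_DUPLICATES)
    conn.commit()
    return cur.rowcount


def add_unique_index(conn):
    conn.execute(UNIQUE_INDEX)
    conn.commit()


def insert_dependency(conn, project_id, component_id):
    """True if the row was inserted, False if the unique index rejected it."""
    try:
        conn.execute(
            "INSERT INTO DEPENDENCY (PROJECT_ID, COMPONENT_ID) VALUES (?, ?)",
            (project_id, component_id),
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def dedupe_sample():
    """Run detect -> delete -> re-check -> protect on the sample table."""
    conn = open_sample_db()
    before = find_duplicates(conn)            # expect two offending pairs
    deleted = delete_duplicates(conn)         # expect 3 surplus rows removed
    after = find_duplicates(conn)             # expect no rows, as the thread says
    add_unique_index(conn)
    rejected = not insert_dependency(conn, 1, 10)  # re-binding is now refused
    remaining = conn.execute("SELECT COUNT(*) FROM DEPENDENCY").fetchone()[0]
    return {"before": before, "deleted": deleted, "after": after,
            "rejected": rejected, "remaining": remaining}


if __name__ == "__main__":
    print(dedupe_sample())
```

The ordering matters: the unique index can only be created once the cleanup has run, because an index creation fails while duplicate pairs still exist. Checking the HAVING query again after the DELETE (and seeing zero rows) is the same "expected behavior" the comment describes for a healthy database.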
This should be resolved in v3.0.3 released today. |
Thanks for the fast response! This appears to have helped resolve some duplicates but not all of them. This might be related to an issue that I've just noticed. Under the project I can view components that the project does not actually depend on. If I click on the component and go to the project tab then the project where I found the component is not listed and only the projects that actually depend on the component are listed. #135 |
…nt the possibility of duplicate dependencies. #134
First off, thanks for this project!
Issue Description
When looking at dependencies under a project, the same dependency is shown multiple times.
Environment
Dependency-Track: v3.0.2
Dependency-Check Core: v3.1.1
Jenkins: 2.89.2
Jenkins OWASP Dependency-Check Plugin: 3.1.2
Dependency-Check is running in a Docker container with default settings, h2 database, etc., as specified in the documentation.
Jenkins is set up to push dependency-check-report.xml to Dependency-Track.
Results
Dependencies are duplicated under projects.
Expected Results
Only one component should be shown.
Additional Info
Only one component is shown when looking under the Components section.