audit vulnerabilities tab empty

[quimicefa]

Current Behavior

Certain projects show the "audit vulnerabilities" empty despite have thousands of impacted vulnerabilities.

This seems to happen when some components references a vulnerability with a very rich description like: GHSA-m7jm-9gc2-mpf2 or GHSA-v2v4-37r5-5v8g. Those vulnerabilities description has code samples with javascript / SQL and the api server fail to render a proper JSON parseable by the frontend.

When keeping an eye with F12/chrome looks like the JSON is being partially formed until the mentioned vulnerabilities are reached then the JSON is broken.

Navigating from the vulnerabilities browser also show severity, affected projects ... empty.

likely related: #3229

dummy_sbom.json

Steps to Reproduce

1. create a project and upload the provided BOM

Expected Behavior

It should display the "audit vulnerabilities" section with all the information about the vulnerabilities.

Dependency-Track Version

4.13.5

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

When keeping an eye with F12/chrome looks like the JSON is being partially formed until the mentioned vulnerabilities are reached then the JSON is broken.

@quimicefa Would it be possible to show a screenshot of this happening?

[quimicefa]

@nscuro Sure, from F12 and some manual curls mimicking the same call, browser identifies this as connection reset.

[nscuro]

This looks like a genuine network issue, not an application-side problem (at least not beyond #3229 (comment), which I would rule out given your request takes <1s).

Can you please check the logs of your DT instance and see if you can spot related errors?

Otherwise, could it be that some corporate proxy / endpoint detection tool deployed by your organization is blocking traffic because it confuses code snippets in vuln descriptions with actual malware being downloaded?

[quimicefa]

nothing meaningful in logs, and there is no proxy between my laptop and this environment.
also the error is "magically" fixed if I change the vulnerability description via database SQL update, then suddenly the curl works and returns a proper formatted JSON.

[nscuro]

Ok, I'll try to reproduce this. Can you share what portion of the vulnerability description(s) you're removing that make it work again in your case? That could help narrow down what the issue is.

[quimicefa]

sure,
the problematic part is the 3rd point in this list (GHSA-v2v4-37r5-5v8g):

GHSA-v2v4-37r5-5v8g

I also removed all ', ", ( , { ... but it didn't worked until the 3rd item has been replaced by asterisks

[nscuro]

Tested with the BOM you provided, and a manually created component that matches GHSA-v2v4-37r5-5v8g. I'm afraid I can't reproduce this.

[quimicefa]

Ok, not sure what's going on at this point. The same SBOM is failing to load in our environment. The only differences I'm aware are:
v4.13.5 and postgres installed in a external cluster (probably UTF8 charset instead of the settings in docker-compose?)
We are facing the same issue with another vulnerability and its description: GHSA-r5fr-rjxr-66jc

Allow us some days to figure out whats the difference