API returns wrong vex rules on dependency risks page #1870

@timbastin

Description

Check out the VEX rules listed right here: https://main.devguard.org/l3montree-cybersecurity/projects/devguard/assets/devguard/refs/main/dependency-risks/78502244-8e7d-9811-2d08-3b7cfa5d8acc

It contains completely unrelated VEX rules.

{
    "pageSize": 10,
    "page": 1,
    "total": 3,
    "data": [
        {
            "id": "69800a1b97c7ffd3d7b4716574921f10f35b1cb4a9d961ab416d5a6bf919e5a6",
            "assetId": "e1f24270-6e68-4571-9168-9c151c639c97",
            "cveId": "GHSA-4wp2-8rm2-jgmh",
            "vexSource": "manual",
            "justification": "Marked as false positive via dependency graph: No Vulnerable Code",
            "mechanicalJustification": "vulnerable_code_not_present",
            "eventType": "falsePositive",
            "pathPattern": [
                "*",
                "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58",
                "*"
            ],
            "createdById": "51b923bc-b8c4-4ff5-9965-496470259d5d",
            "createdAt": "2026-04-08T13:38:54Z",
            "updatedAt": "2026-04-08T13:38:54Z",
            "appliesToAmountOfDependencyVulns": 3
        },
        {
            "id": "4be5ff408163a046ec6926e8ab143a53ce22aef8dc20baad0f63cb458f7602d6",
            "assetId": "e1f24270-6e68-4571-9168-9c151c639c97",
            "cveId": "GHSA-p436-gjf2-799p",
            "vexSource": "manual",
            "justification": "Marked as false positive via dependency graph: Does Not Call Vulnerable Function",
            "mechanicalJustification": "vulnerable_code_not_in_execute_path",
            "eventType": "falsePositive",
            "pathPattern": [
                "ROOT",
                "*"
            ],
            "createdById": "51b923bc-b8c4-4ff5-9965-496470259d5d",
            "createdAt": "2026-03-13T08:06:06Z",
            "updatedAt": "2026-03-13T08:06:06Z",
            "appliesToAmountOfDependencyVulns": 1
        },
        {
            "id": "84db6bf5d0c5a18d69826da7ac588ef1df979625c0128a4d42364b57b8e8db56",
            "assetId": "e1f24270-6e68-4571-9168-9c151c639c97",
            "cveId": "GHSA-4wp2-8rm2-jgmh",
            "vexSource": "manual",
            "justification": "Marked as false positive via dependency graph: No Vulnerable Code",
            "mechanicalJustification": "vulnerable_code_not_present",
            "eventType": "falsePositive",
            "pathPattern": [
                "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58",
                "*"
            ],
            "createdById": "51b923bc-b8c4-4ff5-9965-496470259d5d",
            "createdAt": "2026-02-10T18:27:00Z",
            "updatedAt": "2026-02-10T18:27:00Z",
            "appliesToAmountOfDependencyVulns": 3
        }
    ]
}

The CVE ID does not even match.
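A relevance filter for the quoted response, added here as an illustration and not part of the issue or of the DevGuard code base. It parses the JSON shape shown above and keeps only rules whose cveId equals the vulnerability's CVE ID and whose pathPattern matches the vulnerability's dependency path. The pattern semantics are an assumption for the example ("*" matches any run of zero or more segments, every other element must match a segment exactly), and the DependencyVuln values are constructed, since the page does not state the CVE of the dependency risk it links to.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VexRule mirrors the fields of the API response quoted in the issue that
// matter for a relevance check.
type VexRule struct {
	ID          string   `json:"id"`
	CVEID       string   `json:"cveId"`
	EventType   string   `json:"eventType"`
	PathPattern []string `json:"pathPattern"`
}

type vexPage struct {
	Data []VexRule `json:"data"`
}

// DependencyVuln is a constructed stand-in for the vulnerability shown on a
// dependency-risks page: its CVE ID and the dependency path (ROOT -> purls).
type DependencyVuln struct {
	CVEID string
	Path  []string
}

// ParseVexPage decodes a paginated VEX-rule response into its rules.
func ParseVexPage(raw []byte) ([]VexRule, error) {
	var page vexPage
	if err := json.Unmarshal(raw, &page); err != nil {
		return nil, fmt.Errorf("decode vex page: %w", err)
	}
	return page.Data, nil
}

// MatchPath reports whether pattern matches path under the ASSUMED glob
// semantics used by this example: "*" consumes zero or more segments, any
// other pattern element must equal the corresponding path segment.
func MatchPath(pattern, path []string) bool {
	if len(pattern) == 0 {
		return len(path) == 0
	}
	if pattern[0] == "*" {
		for i := 0; i <= len(path); i++ { // let "*" absorb i segments
			if MatchPath(pattern[1:], path[i:]) {
				return true
			}
		}
		return false
	}
	if len(path) == 0 || pattern[0] != path[0] {
		return false
	}
	return MatchPath(pattern[1:], path[1:])
}

// RelevantRules keeps only rules that apply to v: same CVE ID and a matching
// path pattern. Anything else is the kind of unrelated rule the issue reports.
func RelevantRules(rules []VexRule, v DependencyVuln) []VexRule {
	var out []VexRule
	for _, r := range rules {
		if r.CVEID == v.CVEID && MatchPath(r.PathPattern, v.Path) {
			out = append(out, r)
		}
	}
	return out
}

// SampleResponse is a trimmed copy of the response quoted in the issue.
const SampleResponse = `{"pageSize":10,"page":1,"total":3,"data":[
 {"id":"69800a1b97c7ffd3d7b4716574921f10f35b1cb4a9d961ab416d5a6bf919e5a6","cveId":"GHSA-4wp2-8rm2-jgmh","eventType":"falsePositive",
  "pathPattern":["*","pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58","*"]},
 {"id":"4be5ff408163a046ec6926e8ab143a53ce22aef8dc20baad0f63cb458f7602d6","cveId":"GHSA-p436-gjf2-799p","eventType":"falsePositive",
  "pathPattern":["ROOT","*"]},
 {"id":"84db6bf5d0c5a18d69826da7ac588ef1df979625c0128a4d42364b57b8e8db56","cveId":"GHSA-4wp2-8rm2-jgmh","eventType":"falsePositive",
  "pathPattern":["pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58","*"]}
]}`

func main() {
	rules, err := ParseVexPage([]byte(SampleResponse))
	if err != nil {
		panic(err)
	}
	// Constructed vulnerability: a hypothetical CVE-less placeholder that no
	// quoted rule should match, as on the page the issue describes.
	v := DependencyVuln{CVEID: "GHSA-placeholder-not-in-response",
		Path: []string{"ROOT", "pkg:golang/example.org/placeholder@v0.0.0"}}
	fmt.Printf("%d of %d rules are relevant to %s\n",
		len(RelevantRules(rules, v)), len(rules), v.CVEID)
}
```

Running the block prints "0 of 3 rules are relevant", which is the result a page for an unrelated CVE should produce; the same filter applied server-side, before the rules are returned, would avoid the mismatch the issue describes.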
