Chapter 4. Known issues


Resolved known issues for this release of Red Hat Trusted Profile Analyzer (RHTPA):

A list of known issues found in this release:

The bombastic-collector does not handle special characters in the id field

Uploading a software bill of materials (SBOM) file that contains special characters in the id field fails to ingest properly when running RHTPA on Amazon Web Services (AWS) infrastructure. This causes missing data on the vulnerabilities page. To workaround this issue, make sure no special characters are in the id field before uploading the SBOM.

The Dependency Analytics report gives a storage error when uploading an SBOM file

When uploading a software bill of materials (SBOM) file, 200 MB or larger, the Dependency Analytics report shows an error message about reaching a size limitation. The Dependency Analytics server has a file size limitation for uploaded SBOMs. Currently, there is no workaround for this issue.

The collector-osv fails to ingest vulnerabilities with a CVSS_V4 severity

Vulnerability data available from the OpenSource Vulnerability (OSV) service fails to associate vulnerabilities with a CVSS_V4 score to the packages that they impact. Because of this, fewer vulnerabilities might be associated to packages and software bill of materials (SBOM) that have been ingested into RHTPA. Currently there is no workaround for this issue.

The collector-osv gives a GraphQL error

When the collector-osv sends data to the Graph for Understanding Artifact Composition (GUAC) API without complying to the GraphQL GUAC schema, the default values are not applied for some optional fields, for example, a namespace for a package. GUAC returns the following error message: pq: insert or update on table package_versions violates foreign key constraint package_versions_package_names_versions. This causes the ingestion of OpenSource Vulnerability (OSV) data to fail, and as a consequence some packages could have fewer vulnerabilities reported than expected. Currently there is no workaround for this issue.

Package version mismatch between the API response and the HTML report for Red Hat Dependency Analytics

Opening a manifest file for analysis in Visual Studio Code or IntelliJ, can give you a different package version number between the Red Hat Dependency Analytics (RHDA) HTML report and an API client response. Before analyzing the manifest file, the API client compares package versions in the manifest file to the installed package versions within the client’s environment. When there is a difference in package version, you receive an error message containing the first package version mismatch. To workaround this issue, you can disable the Match Manifest Versions option of RHDA extension in your integrated development environment (IDE).

Inconsistencies between the total number of CVEs displayed on the dashboard and the CVE tab

The total number of Common Vulnerabilities and Exposures (CVE) uses different filters between the RHTPA home page dashboard and the CVE tab on the search results page, causing the discrepancy between the two values. Currently, there is no workaround for this known issue.

Data migration fails when upgrading from Trusted Profile Analyzer 1.1.2 to 1.2

The bombastic and vexation collector pods crash when there is no space left on the persistent volume claim (PVC) for the PostgreSQL instance. To workaround this potential issue, increase the size of the PVC by 10 GB.

SBOM data does not load properly when uploading a large SBOM

When uploading a large software bill of materials (SBOM) documents, for example an SBOM that includes 50,000 packages, the RHTPA dashboard does not load properly. This happens because of Keycloak’s access token expiring before the SBOM can finish uploading its data. To workaround this issue, you can increase the lifespan of Keycloak’s access token, and then redeploy Keycloak:

  1. Log in to the OpenShift cluster from the command-line interface.
  2. Find Keycloak’s URL string:

    echo https://$(oc get route keycloak -n keycloak-system | tail -n 1 | awk '{print $2}')/auth
  3. Copy and paste the URL string from the earlier step into a web browser, and go to the authentication page.
  4. Log in to the Keycloak Administration Console.

    Note

    You can find the user credentials in the OpenShift web console by expanding the Workloads menu, click Secrets, and click your Keycloak instance name.

  5. On the home page, click Realm Settings, and select the Tokens tab.
  6. Change the Access Token Lifespan value from the default of 5 minutes, to 60 minutes, and save the change.
  7. Redeploy Keycloak:

    oc scale deployment/keycloak-postgresql --replicas=0
    oc scale deployment/rhsso-operator --replicas=0
    
    oc scale deployment/keycloak-postgresql --replicas=1
    oc scale deployment/rhsso-operator --replicas=1
  8. Try uploading your SBOM again.

An API error on the package details page

In the RHTPA console, when navigating from the Vulnerabilities page to the package details page, clicking the affected dependencies link gives you the following error message:

API error: Error contacting GUAC (Guac) - Client error: Cannot find an SBOM for PackageUrl

Currently, there is no workaround for this known issue.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.