DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Rejected CVEs are still displaying as Vulnerabilities in Dependency Track #2247

Open rajatkumardev opened 1 year ago

rajatkumardev commented 1 year ago

Current Behavior

This is a screenshot from a project as of today:

[screenshot]

And these are rejected on NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-41852
https://nvd.nist.gov/vuln/detail/CVE-2022-40157

Steps to Reproduce

1. Showing rejected vulnerabilities in DependencyTrack

[screenshot]

Expected Behavior

Should not display it as vulnerable

Dependency-Track Version

4.5.x

Dependency-Track Distribution

Container Image

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Google Chrome


stevespringett commented 1 year ago

Are there any occurrences where a CNA, often times a software vendor themselves, rejected the CVE themselves?

For implementation, I think it would be best if this was a configurable option. We can exclude them by default, but if an org wants them enabled for some reason, the platform should provide that.

rajatkumardev commented 1 year ago

> Are there any occurrences where a CNA, often times a software vendor themselves, rejected the CVE themselves?
>
> For implementation, I think it would be best if this was a configurable option. We can exclude them by default, but if an org wants them enabled for some reason, the platform should provide that.

Agree 👍

msymons commented 1 year ago

This seems to be a duplicate of #1693.

I believe that, however DT handles such vulns, it should be in a way that has VEX as a basis. Thus, I logged https://github.com/CycloneDX/specification/issues/168 to request an enhancement to the CycloneDX specification for VEX.
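The two proposals in this thread, a default-off setting that hides rejected CVEs (stevespringett) and recording the suppression in VEX rather than only in the UI (msymons), can be sketched together. The following is an added example written for this discussion, not Dependency-Track code and not an implementation of how the project filters NVD data. It assumes records shaped like the NVD 2.0 API (`vulnStatus` plus `descriptions`), an invented `include_rejected` setting, and the choice of CycloneDX's `false_positive` analysis state for a rejected record; the sample payload is constructed, and only CVE-2022-41852 from the issue is reused as a rejected ID.

```python
"""Hide rejected CVEs by default, keep them behind a setting, and emit a
CycloneDX-style VEX entry for each one. Added example, not project code."""
import json
from typing import Iterable

# Legacy NVD JSON 1.1 feeds marked rejected entries only by this description
# prefix; the NVD 2.0 API carries an explicit vulnStatus of "Rejected".
# Checking both keeps the filter correct across feed formats.
REJECT_MARKER = "** REJECT **"

# Constructed sample in the NVD 2.0 API shape; not a captured API response.
# CVE-2099-* IDs are placeholders.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-2022-41852", "vulnStatus": "Rejected",
                 "descriptions": [{"lang": "en",
                                   "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."}]}},
        {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
                 "descriptions": [{"lang": "en",
                                   "value": "Constructed placeholder description."}]}},
        # Legacy-style record: status not updated, but the description carries the marker.
        {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Modified",
                 "descriptions": [{"lang": "en",
                                   "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."}]}},
    ]
})


def parse_nvd_records(payload: str) -> list[dict]:
    """Flatten an NVD 2.0-style payload into {id, status, description} dicts."""
    records = []
    for entry in json.loads(payload).get("vulnerabilities", []):
        cve = entry["cve"]
        english = next((d["value"] for d in cve.get("descriptions", [])
                        if d.get("lang") == "en"), "")
        records.append({"id": cve["id"],
                        "status": cve.get("vulnStatus", ""),
                        "description": english})
    return records


def is_rejected(record: dict) -> bool:
    """Rejected if NVD says so explicitly or the legacy marker is present."""
    return (record["status"].casefold() == "rejected"
            or record["description"].lstrip().startswith(REJECT_MARKER))


def visible_findings(records: Iterable[dict], include_rejected: bool = False) -> list[dict]:
    """Apply the hypothetical 'show rejected CVEs' setting (off by default)."""
    return [r for r in records if include_rejected or not is_rejected(r)]


def vex_for_rejected(records: Iterable[dict], bom_ref: str) -> list[dict]:
    """One CycloneDX-style VEX vulnerability entry per rejected CVE, so the
    suppression travels with the BOM instead of living only in the UI."""
    return [
        {
            "id": r["id"],
            "source": {"name": "NVD",
                       "url": f"https://nvd.nist.gov/vuln/detail/{r['id']}"},
            "analysis": {"state": "false_positive",
                         "detail": "CVE record rejected by NVD/CNA; no vulnerability exists."},
            "affects": [{"ref": bom_ref}],
        }
        for r in records if is_rejected(r)
    ]


if __name__ == "__main__":
    recs = parse_nvd_records(SAMPLE_NVD_JSON)
    print("default view:", [r["id"] for r in visible_findings(recs)])
    print("with rejected:", [r["id"] for r in visible_findings(recs, include_rejected=True)])
    print(json.dumps(vex_for_rejected(recs, "pkg:maven/org.example/lib@1.0.0"), indent=2))
```

Two details matter in practice: the status check alone misses records whose `vulnStatus` was never updated after rejection, which is why the description marker is also tested, and writing the decision out as VEX gives downstream consumers of the BOM the same conclusion the dashboard shows.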