Open evyaroshevich opened 2 months ago
Which analyzer was the vulnerability attributed to? You can find this info in the Analyzer column of the Audit Vulnerabilities tab.
Hi @evyaroshevich, how do you generate the .sbom file for Dependency-Track?
@nscuro Analyzer: NVD
Hi @ostannar, I'm using a universal generator, CycloneDX/cdxgen.
Current Behavior
While scanning the Flutter project, I discovered a false positive. Dependency-Track incorrectly identified the package `pkg:pub/build@2.4.1` as belonging to the npm repository and reported the vulnerability CVE-2020-28423. Upon visiting the NIST NVD website to view the details, I found that it has `cpe:2.3:a:monorepo-build_project:monorepo-build:*:*:*:*:*:node.js:*:*`. In the actual BOM file, however, no CPE is present at all.

![image](https://github.com/DependencyTrack/dependency-track/assets/42962140/ee07062f-a9ee-4f6b-bca2-548401bbd572)
Steps to Reproduce
Expected Behavior
the vulnerability should not appear on this component
Dependency-Track Version
4.11.0-SNAPSHOT
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
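An added example, not Dependency-Track's own code and not from the issue author, of the consistency check a triage script can apply to findings like the one reported here: it parses the package URL and the CPE 2.3 string and flags a match whose CPE `target_sw` names an ecosystem (here `node.js`) that the package type (`pub`) cannot belong to. The PURL-type-to-`target_sw` table, the function names and the sample findings are assumptions made for this example; the CPE string is the one quoted in the issue.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical table for this example: which CPE target_sw values describe the
# same ecosystem as a given PURL type. Dependency-Track's analyzers do not use
# this table; it is an assumption made here to show the check.
PURL_TYPE_TO_TARGET_SW = {
    "npm": {"node.js", "nodejs", "javascript"},
    "pypi": {"python"},
    "maven": {"java"},
    "gem": {"ruby"},
    "cargo": {"rust"},
    "nuget": {".net"},
    "pub": {"dart", "flutter"},
}

# The eleven attributes that follow "cpe:2.3" in a formatted CPE 2.3 string.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Extract type, namespace, name and version from a package URL (qualifiers and subpath are skipped)."""
    m = re.fullmatch(r"pkg:([^/]+)/(?:(.+)/)?([^@?#/]+)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?", purl)
    if not m:
        raise ValueError(f"not a valid purl: {purl}")
    type_, namespace, name, version = m.groups()
    return Purl(type_.lower(), namespace, name, version)


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named attributes; an escaped colon ('\\:') does not split."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a valid CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def cpe_match_is_plausible(purl: str, cpe: str) -> bool:
    """Return False when the CPE's target_sw names an ecosystem the PURL type cannot belong to."""
    p = parse_purl(purl)
    target_sw = parse_cpe23(cpe)["target_sw"].lower()
    if target_sw in ("*", "-", ""):
        return True            # the CPE makes no statement about the ecosystem
    compatible = PURL_TYPE_TO_TARGET_SW.get(p.type)
    if compatible is None:
        return True            # unknown PURL type: the match cannot be ruled out
    return target_sw in compatible


def suspected_false_positives(findings):
    """Given (purl, cpe, vulnerability id) triples, return the ids whose ecosystems disagree."""
    return [vuln_id for purl, cpe, vuln_id in findings
            if not cpe_match_is_plausible(purl, cpe)]


if __name__ == "__main__":
    # Constructed sample findings; the first one is the case reported in this issue.
    CPE = "cpe:2.3:a:monorepo-build_project:monorepo-build:*:*:*:*:*:node.js:*:*"
    findings = [
        ("pkg:pub/build@2.4.1", CPE, "CVE-2020-28423"),
        ("pkg:npm/monorepo-build@1.0.0", CPE, "CVE-2020-28423"),
    ]
    print(suspected_false_positives(findings))   # → ['CVE-2020-28423']
```

The check is deliberately conservative: a CPE whose `target_sw` is `*`, `-` or empty, or a PURL type missing from the table, is left alone, so the script only flags matches where the two identifiers positively disagree about the ecosystem, which is exactly the situation in this report (a Dart/Flutter `pub` package matched to a `node.js` CPE).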