DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

CVE-2020-4682 not returned for project having IBM MQ vulnerable dependency #3823

Open andreeaButerchi opened 3 months ago

andreeaButerchi commented 3 months ago

Current Behavior

Hello,

We're currently migrating from OWASP Dependency Check to Dependency Track, and during our tests we noticed that CVE-2020-4682 (https://nvd.nist.gov/vuln/detail/CVE-2020-4682) is returned for a project having a dependency on IBM MQ 8.0, but the CVE is not present in the DT report.

DC: [image]

DT does see the dependency... but there is no trace of the CVE: [image]

Other CVEs are being returned for the project, so I don't think there's an issue with the scan itself. The CPE for CVE-2020-4682 seems pretty clear and covers our project's dependency version. So I must admit that I have no other ideas on why DT is not returning it :(

Thank you very much for your help!

Best regards,
Andreea

Steps to Reproduce

  1. Upload an SBOM having a dependency on "group": "com.ibm.mq", "name": "com.ibm.mq", "version": "8.0.0.6".
  2. Once the processing is done, check the Dependency Graph to make sure the dependency was properly identified.
  3. Check the vulnerability section -> no CVEs are linked to the IBM MQ dependency.

Expected Behavior

I would expect to see CVE-2020-4682 linked to IBM MQ 8.0.0.6 (this is just an example... for this version the patch was applied starting with version 8.0.0.15).

Dependency-Track Version

4.11.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Google Chrome

Checklist

valentijnscholten commented 3 months ago

Looks like your project is using PURLs and not CPEs? https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/

andreeaButerchi commented 3 months ago

Hello,

Thank you very much for your quick answer :) We checked our configuration... we have both OSS Index and the internal analyzer activated within DT. We also found that it's OSS Index's responsibility to match/convert between PURL and CPE. We also checked and noticed that we have other projects having the PURL within the SBOM, and on which the CVE is being found: [image]

[image]

So we can see that it's com.ibm.mq ▸ com.ibm.mq.allclient that is being flagged, while the CPE is broader than the allclient lib.

Thank you very much for your help.
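The thread turns on which identifier a component carries: a CPE-keyed source such as the NVD feed behind Dependency-Track's internal analyzer can only match components that have a CPE, while a PURL-only component is left to PURL-aware sources like OSS Index. The script below is an added example written for this page, not Dependency-Track code or the reporter's setup. It audits a constructed CycloneDX 1.4 SBOM that mirrors the reproduction steps (one IBM MQ component with only a PURL, one with a PURL and a CPE) and checks the CPE-bearing component against a constructed NVD-style cpeMatch entry. The CPE strings and the 8.0.0.0–8.0.0.15 version bounds are assumptions based on the reporter's statement about the fix version, not values copied from the real CVE-2020-4682 record.

```python
"""Audit a CycloneDX SBOM for components that cannot be matched by CPE.

Added example for this issue thread; not part of Dependency-Track.
All SBOM content, CPE strings and version bounds below are constructed.
"""
import json
import re
from typing import Dict, List

# Constructed CycloneDX 1.4 SBOM mirroring the issue's reproduction steps.
# The first component carries only a PURL; the second also carries a CPE.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.ibm.mq", "name": "com.ibm.mq",
         "version": "8.0.0.6",
         "purl": "pkg:maven/com.ibm.mq/com.ibm.mq@8.0.0.6"},
        {"type": "library", "group": "com.ibm.mq", "name": "com.ibm.mq.allclient",
         "version": "8.0.0.6",
         "purl": "pkg:maven/com.ibm.mq/com.ibm.mq.allclient@8.0.0.6",
         "cpe": "cpe:2.3:a:ibm:mq:8.0.0.6:*:*:*:*:*:*:*"},  # constructed CPE
    ],
})

# Constructed cpeMatch entry using NVD API 2.0 field names. The bounds follow
# the reporter's remark that 8.0.0.15 carries the fix; they are NOT the real
# CVE-2020-4682 configuration.
SAMPLE_CPE_MATCH = {
    "vulnerable": True,
    "criteria": "cpe:2.3:a:ibm:mq:*:*:*:*:*:*:*:*",
    "versionStartIncluding": "8.0.0.0",
    "versionEndExcluding": "8.0.0.15",
}


def components_without_cpe(sbom_json: str) -> List[str]:
    """Return identifiers of components that carry no CPE.

    CPE-keyed vulnerability sources have nothing to match these against;
    only PURL-aware sources can report on them.
    """
    bom = json.loads(sbom_json)
    return [c.get("purl") or c["name"]
            for c in bom.get("components", []) if not c.get("cpe")]


def split_cpe23(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string on unescaped colons into 13 fields."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts


def version_key(v: str):
    """Numeric-aware key so 8.0.0.15 sorts after 8.0.0.6 (lexically it would not)."""
    return tuple((0, int(x)) if x.isdigit() else (1, x) for x in re.split(r"[.\-]", v))


def cpe_matches(component_cpe: str, cpe_match: Dict) -> bool:
    """Decide whether a component CPE falls under an NVD cpeMatch entry.

    Every field except version must equal the criteria or be wildcarded
    ('*') there. The version is compared exactly when the criteria pins it,
    otherwise numerically against the optional versionStart*/versionEnd*
    bounds. A component with an unknown version ('*' or '-') never matches
    a range, because it cannot be placed inside it.
    """
    comp = split_cpe23(component_cpe)
    crit = split_cpe23(cpe_match["criteria"])
    for i in range(2, 13):
        if i == 5:  # version field, handled below
            continue
        if crit[i] != "*" and crit[i] != comp[i]:
            return False
    version = comp[5]
    if crit[5] != "*":
        return crit[5] == version
    if version in ("*", "-"):
        return False
    v = version_key(version)
    if "versionStartIncluding" in cpe_match and v < version_key(cpe_match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in cpe_match and v <= version_key(cpe_match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in cpe_match and v > version_key(cpe_match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in cpe_match and v >= version_key(cpe_match["versionEndExcluding"]):
        return False
    return bool(cpe_match.get("vulnerable", True))


def audit(sbom_json: str, cpe_match: Dict) -> Dict[str, str]:
    """Classify each component as 'no-cpe', 'affected' or 'not-affected'."""
    bom = json.loads(sbom_json)
    result = {}
    for c in bom.get("components", []):
        key = c.get("purl") or c["name"]
        if not c.get("cpe"):
            result[key] = "no-cpe"
        elif cpe_matches(c["cpe"], cpe_match):
            result[key] = "affected"
        else:
            result[key] = "not-affected"
    return result


if __name__ == "__main__":
    for ident, status in audit(SAMPLE_SBOM, SAMPLE_CPE_MATCH).items():
        print(f"{status:13s} {ident}")
```

Run against the constructed SBOM, the PURL-only com.ibm.mq component is reported as "no-cpe" and the com.ibm.mq.allclient component, which carries a CPE, as "affected". That is the same asymmetry the reporter observed: a CPE-keyed source can only flag the component that carries a CPE, regardless of how broad the CVE's CPE configuration is. Running a check like this over an SBOM before upload shows which components will depend entirely on a PURL-aware analyzer being enabled.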