Current Behavior
For a project whose SBOM dependencies section contains several versions of the same dependency, an ODT scan produces the same CVE several times in the vulnerabilities section. The only part that differs between these entries is the affects bom-ref: each CVE entry references a different dependency/component.
Proposed Behavior
As each vulnerability already carries a list of affected components, we could avoid this data duplication by emitting each unique CVE only once and referencing every vulnerable component in its affects list. Ticket created following the discussion: https://github.com/DependencyTrack/dependency-track/discussions/3904#discussioncomment-9924921
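To make the proposal concrete, here is an added example (not code from the Dependency-Track project) that post-processes a CycloneDX JSON document: it reports vulnerability ids that appear more than once, merges such entries into a single vulnerability whose affects list holds every affected bom-ref, and checks that every referenced bom-ref resolves to a component. The BOM fragment, the CVE ids and the purl bom-refs are constructed sample data, not real scan output.

```python
import json
from collections import Counter, OrderedDict

# Constructed sample BOM (CycloneDX-style JSON, not real scan output).
# Two versions of the same library are present, and the scan output lists
# the same CVE once per affected component, so it appears twice.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "bom-ref": "pkg:maven/org.example/example-lib@1.0.0"},
        {"type": "library", "name": "example-lib", "version": "1.1.0",
         "bom-ref": "pkg:maven/org.example/example-lib@1.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},   # placeholder id
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/example-lib@1.0.0"}]},
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},   # same CVE again
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/example-lib@1.1.0"}]},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"},   # placeholder id
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:maven/org.example/example-lib@1.1.0"}]},
    ],
}


def vuln_key(vuln):
    """Identity of a vulnerability: its id plus the source that assigned it."""
    return (vuln.get("id"), (vuln.get("source") or {}).get("name"))


def duplicate_ids(bom):
    """Ids that occur more than once in the vulnerabilities section, in order."""
    counts = Counter(vuln_key(v) for v in bom.get("vulnerabilities", []))
    seen, dups = set(), []
    for v in bom.get("vulnerabilities", []):
        key = vuln_key(v)
        if counts[key] > 1 and key not in seen:
            seen.add(key)
            dups.append(key[0])
    return dups


def dedupe_vulnerabilities(bom):
    """Return a copy of the BOM with one entry per vulnerability id.

    The first occurrence keeps its metadata (ratings, description, ...);
    the affects lists of all occurrences are merged, ref by ref, without
    repeating a bom-ref. The input document is not modified.
    """
    merged = OrderedDict()
    for vuln in bom.get("vulnerabilities", []):
        key = vuln_key(vuln)
        if key not in merged:
            entry = dict(vuln)          # shallow copy so the input stays intact
            entry["affects"] = []       # own a fresh affects list
            merged[key] = entry
        known = {a.get("ref") for a in merged[key]["affects"]}
        for affected in vuln.get("affects", []):
            if affected.get("ref") not in known:
                merged[key]["affects"].append(affected)
                known.add(affected.get("ref"))
    out = dict(bom)
    out["vulnerabilities"] = list(merged.values())
    return out


def unresolved_refs(bom):
    """bom-refs named in affects that no component in the BOM declares."""
    declared = {c.get("bom-ref") for c in bom.get("components", [])}
    missing = []
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref not in declared and ref not in missing:
                missing.append(ref)
    return missing


if __name__ == "__main__":
    print("duplicated ids:", duplicate_ids(SAMPLE_BOM))
    merged = dedupe_vulnerabilities(SAMPLE_BOM)
    print("unresolved refs:", unresolved_refs(merged))
    print(json.dumps(merged["vulnerabilities"], indent=2))
```

Running the script on the sample reports the duplicated id, and the merged output contains two vulnerabilities, the first of which lists both library versions in its affects list. The same functions can be applied to an exported BOM file by loading it with json.load and passing the resulting dict.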
Checklist