Component not linking to Vulnerability

[alexpugna]

We currently use Dependency-Check and I am trialling Dependancy-Track. I have deployed the Executable WAR and imported a cyclonedx BOM. Dependancy-Track is incorrectly reporting that the project has no vulnerabilities. I have focused on only one vulnerability as an example below.

Current Behavior:

CVE-2016-6809 (for Apache Tika before 1.14) is in the vulnerability list however it shows no affected projects. The following component has no vulnerabilities listed:

Steps to Reproduce:

• java -Xmx4G -jar dependency-track-embedded.war -port 9999
• Change Admin password
• Create new project
• Import cyclonedx BOM containing: -- java maven org.apache.tika tika-core 1.6-20160727-alfresco-patched

Expected Behavior:

org.apache.tika tika-core 1.6-20160727-alfresco-patched should be linked to CVE-2016-6809

Environment:

• Dependency-Track Version: 3.7.0
• Distribution: Executable WAR
• BOM Format & Version:

      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>1.5.1</version>
      </plugin>

• Database Server: H2
• Browser: Firefox

Additional Details:

No stack-traces in logs or obviously related error messages.

[stevespringett]

According to OSS Index, it's vulnerable. https://ossindex.sonatype.org/component/pkg:maven/org.apache.tika/tika-core@1.6-20160727-alfresco-patched

So either OSS Index is not enabled in Dependency-Track or there's connectivity issues, in which case you may want to check the logs.

Refer to: https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/ https://docs.dependencytrack.org/datasources/ossindex/

[alexpugna]

OSS Index was not enabled in Dependency-Track Thanks for your help

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.