Similiar to #4843 : Some CVEs are not reported to NVD or are added very late.
We previously used to scan for CVEs only using the NVD database, but a lot of our customers used the OSS index and fairly frequently reported some CVEs back to us that our scan failed to pick up due to it missing in the NVD database. Since then we have changed our CVE scans to use both databases and have not had that issue since.
Since we are now moving our projects to Github and would love to use Dependabot it would be great to not have that issue come back up again.
Similiar to #4843 : Some CVEs are not reported to NVD or are added very late. We previously used to scan for CVEs only using the NVD database, but a lot of our customers used the OSS index and fairly frequently reported some CVEs back to us that our scan failed to pick up due to it missing in the NVD database. Since then we have changed our CVE scans to use both databases and have not had that issue since. Since we are now moving our projects to Github and would love to use Dependabot it would be great to not have that issue come back up again.