No vulnerability reported

[skpandarge]

Hi,

As a part of initial analysis tried Dependency check v12.1.3 to analyze SBOM containing both Purl and CPE but no vulnerability reported by the Dependency check tool.
However, there are vulnerabilities exists in the components used in the SBOM which are confirmed using other SCA tools.

Release Version 12.1.3 · dependency-check/DependencyCheck

Can you help with the reason or anything missing here.

Below is the command used to analyze sbom file on windows machine.

dependency-check.bat --out Output --nvdApiKey 6112232-a123-45c6-aff2-123b28d275c7 --scan test.json

[jeremylong]

It is not very easy to help with such a detailed question - which also exposes your NVD API Key (you probably want to get a new one)....

• Are you scanning a Maven or Gradle project?
  • If yes, you should use the respective plugin instead of the CLI.
• What are the components?
• What are the vulnerabilities that are not reported?
  • Are the CVEs still in the "awaiting analysis" in the NVD?
  • Are the vulnerabilities only in the vendors private vulnerability database?

[skpandarge]

Hi Jeremy,

Thanks for quick response. The NVD API key mentioned above is dummy (not the actual).

I am trying to scan the below SBOM file using Dependency Check cli, this SBOM has vulnerabilities which are detected using other SCA tools -

https://github.com/CycloneDX/bom-examples/blob/master/SBOM/proton-bridge/proton-bridge-v1.8.0.bom.json

[jeremylong]

You cannot scan an SBOM with dependency-check. Consider loading the SBOM into dependency-track - a platform better suited to your needs.