No vulns found for pkg:github/gruntjs/grunt@1.2.1, expected 3 vulns #3335
I created a project to test github purls. The project has two components, both only have a purl identifier:

Here's the BOM file to reproduce: grunt-bom.json

The grunt version 1.2.1 is outdated and contains three known security vulnerabilities, which can also be found on NVD using CPE. DependencyTrack lists all three findings for the component with purl. My expectation would be that the component with github purl also lists three findings. What's wrong with the component? Grunt is hosted on Github and provides releases: https://github.com/gruntjs/grunt/releases

EDIT:
Replies: 2 comments 4 replies
Could anyone please explain why components with github purls are not showing any vulns?
@muellerst-hg try enabling OSV.
DT doesn't have an internal mechanism to convert PURL to CPE; it relies on external services like the OSS Sonatype Analyzer and OSV for this purpose. These services need to map packages like
pkg:github/gruntjs/grunt@1.2.1 to cpe:2.3:a:gruntjs:grunt:1.2.1:*:*:*:*:node.js:*:*
and pkg:npm/grunt@1.2.1 to cpe:2.3:a:gruntjs:grunt:1.2.1:*:*:*:*:node.js:*:*.
The current mapping only associates the npm package PURL with vulnerabilities. While this aligns with the logic that most vulnerabilities discovered are filed against the package manager hosting the code, it can be confusing for end-users since, logically, they represent the same component.
AFAIK DT can't address this without independently bu…
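The reply above says Dependency-Track itself does not map a github purl to the npm purl or CPE that the vulnerability sources are keyed on. A practical workaround is to do that mapping before upload, on the BOM side: give each github-purl component the CPE (CycloneDX components have a `cpe` field) and record the equivalent npm purl, so the component carries an identifier the analyzers already match. The script below is an added example, not Dependency-Track code and not the grunt-bom.json attached to the post. `SAMPLE_BOM` is a constructed two-component BOM mirroring the one described; `GITHUB_TO_PACKAGE` is an assumed, hand-maintained table (a repository name is not in general the registry package name or the CPE vendor/product pair, so unknown repositories are skipped rather than guessed); the property name `example:npm-purl` is a hypothetical label.

```python
"""Enrich a CycloneDX JSON BOM so components that only carry a GitHub purl also
get a CPE and an npm purl, giving PURL/CPE-keyed vulnerability sources something to match.

Added example, not Dependency-Track code. SAMPLE_BOM is a constructed stand-in for
the two-component grunt-bom.json in the post; GITHUB_TO_PACKAGE is an assumed,
hand-maintained table, because a repository name does not in general equal the
registry package name or the CPE vendor/product pair."""
import json
import string
from urllib.parse import quote, unquote

# Constructed sample (CycloneDX 1.4 JSON); not the file attached to the discussion.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "grunt", "version": "1.2.1",
         "purl": "pkg:npm/grunt@1.2.1"},
        {"type": "library", "name": "grunt", "version": "1.2.1",
         "purl": "pkg:github/gruntjs/grunt@1.2.1"},
    ],
})

# Assumed mapping: "owner/repo" -> (npm package name, CPE vendor, CPE product).
GITHUB_TO_PACKAGE = {"gruntjs/grunt": ("grunt", "gruntjs", "grunt")}

CPE_SAFE = set(string.ascii_letters + string.digits + "._-")


def parse_purl(purl):
    """Return (type, namespace, name, version) from a purl; qualifiers and subpath are ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0].strip("/")
    ptype, _, rest = body.partition("/")
    path, version = rest.rsplit("@", 1) if "@" in rest else (rest, None)
    parts = path.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return ptype.lower(), namespace, name, version


def npm_purl(package, version):
    """Build an npm purl; scoped packages put the scope in the (percent-encoded) namespace."""
    if package.startswith("@") and "/" in package:
        scope, name = package[1:].split("/", 1)
        return f"pkg:npm/{quote('@' + scope, safe='')}/{name}@{version}"
    return f"pkg:npm/{package}@{version}"


def cpe_for(vendor, product, version, target_sw="node.js"):
    """Build a CPE 2.3 formatted string. Only plain [A-Za-z0-9._-] fields are accepted,
    so no escaping of CPE special characters is needed (anything else is rejected)."""
    for field in (vendor, product, version, target_sw):
        if not field or set(field) - CPE_SAFE:
            raise ValueError(f"unsupported characters in CPE field: {field!r}")
    return f"cpe:2.3:a:{vendor.lower()}:{product.lower()}:{version.lower()}:*:*:*:*:{target_sw}:*:*"


def enrich(bom_json, mapping=GITHUB_TO_PACKAGE):
    """Add 'cpe' and an npm-purl property to every github-purl component found in the mapping.
    Components already carrying a cpe are left alone; unknown repositories are not guessed."""
    bom = json.loads(bom_json)
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, namespace, name, version = parse_purl(purl)
        if ptype != "github" or not namespace or not version:
            continue
        entry = mapping.get(f"{namespace}/{name}")
        if entry is None:
            continue  # assumption: never derive vendor/product from the repo name alone
        npm_name, vendor, product = entry
        comp.setdefault("cpe", cpe_for(vendor, product, version))
        comp.setdefault("properties", []).append(
            {"name": "example:npm-purl", "value": npm_purl(npm_name, version)})
    return bom


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_BOM), indent=2))
```

Run it against your own BOM by replacing `SAMPLE_BOM` with the file contents and extending `GITHUB_TO_PACKAGE`; the enriched BOM then carries the same `cpe` the reply above shows for both components, which is what the NVD-backed analysis keys on. Leaving unknown repositories untouched is deliberate: a wrong vendor/product pair would silently attach the wrong CVEs to a component.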