cyclonedx-cli
Have the convert from CSV to CDX SBOM create the necessary Purls to allow vulnerabilities to be identified
I can create a CSV that the tool will convert into a valid SBOM and that will import into dependency track.
Unfortunately, if the CSV carries only the name and version of the package, Dependency-Track (DT) does not find the vulnerability, because the component lacks the unique purl that DT needs to match it against vulnerability data.
Most purls follow a fixed format (pkg:type/namespace/name@version). If the CSV has a 'technology' column and the technology is listed in that column, then the conversion process can build the purl from the name, version and technology columns.
The suggestion is to support this column: when it is populated with a recognised technology, the generated purl is added to the component.
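As an added illustration of the requested conversion (example code, not cyclonedx-cli's own implementation), this Python script maps a 'technology' column onto the purl type and assembles pkg:type/namespace/name@version for a few common ecosystems, leaving the purl out when the column is empty; the CSV rows are constructed and the column names are assumptions.

```python
import csv
import io
from urllib.parse import quote

# Constructed sample CSV (not from the issue); 'technology' names the purl type.
SAMPLE_CSV = """name,version,technology
lodash,4.17.20,npm
@angular/core,12.3.1,npm
Django,3.2.0,pypi
org.apache.logging.log4j:log4j-core,2.14.1,maven
Newtonsoft.Json,12.0.3,nuget
mystery-lib,1.0.0,
"""

def _enc(s):
    # purl spec: percent-encode everything except unreserved characters.
    return quote(s, safe="")

def build_purl(name, version, technology):
    """Return pkg:<type>/[namespace/]name@version, or None if no technology is given."""
    ptype = (technology or "").strip().lower()
    if not ptype:
        return None
    namespace = None
    if ptype == "maven" and ":" in name:
        namespace, name = name.split(":", 1)       # groupId:artifactId
    elif ptype == "npm" and name.startswith("@") and "/" in name:
        namespace, name = name.split("/", 1)       # @scope/name keeps its '@'
    elif ptype == "pypi":
        name = name.lower().replace("_", "-")      # purl normalisation for pypi
    parts = ["pkg:" + ptype]
    if namespace:
        parts.append(_enc(namespace))
    parts.append(_enc(name) + "@" + _enc(version))
    return "/".join(parts)

def csv_to_bom(text):
    """Build a minimal CycloneDX 1.4 JSON BOM; rows without a technology get no purl."""
    components = []
    for row in csv.DictReader(io.StringIO(text)):
        comp = {"type": "library", "name": row["name"], "version": row["version"]}
        purl = build_purl(row["name"], row["version"], row.get("technology"))
        if purl:
            comp["purl"] = purl
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}
```

Components that end up without a purl (the last sample row) are exactly the ones Dependency-Track cannot match against vulnerability data, so a real conversion should report them rather than silently emit them.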