
Take inspiration from OWASP dependency-check to include CPEs in the BOM

Open redaabdellah21 opened this issue 1 year ago • 3 comments

Hi,

I have worked with Dependency-Track and the CycloneDX Maven plugin to list component vulnerabilities in my project. Now I am discovering dependency-check, and I have found that it is able to generate reports with both PURL and CPE (it doesn't always work). Is there a way to take inspiration from them to include the CPE in the BOM?

I am making this suggestion because I compared Dependency-Track + CycloneDX and dependency-check on the same project, and found out that dependency-check was able to identify vulnerabilities where Dependency-Track couldn't.

E.g.: NVD is able to find a vulnerability in a component using: cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:*

SONATYPE INDEX can't find it in the same component using: pkg:maven/commons-codec/[email protected]

redaabdellah21 avatar Jan 04 '23 13:01 redaabdellah21
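The following is an added illustration of the point raised in this issue, not code from the cyclonedx-maven-plugin, Dependency-Track, or OWASP dependency-check. CycloneDX components already have optional `purl` and `cpe` fields, so a BOM can carry both identifiers; the example builds such a component for a Maven artifact, parses CPE 2.3 strings into their fields, and matches the component against a constructed set of vulnerability records keyed either by PURL or by CPE. The Maven coordinates, the record ids and the records themselves are constructed sample data; the CPE string is the one quoted in the issue. The CPE must be passed in explicitly, because the CPE vendor/product pair (here `apache:commons_net`) cannot be derived mechanically from Maven coordinates, which is exactly why a CPE-keyed source can match where a PURL-keyed one cannot.

```python
"""Added example: a CycloneDX component carrying both a PURL and a CPE,
matched against vulnerability records keyed by either identifier.
Illustrative code; not part of cyclonedx-maven-plugin or dependency-check."""
import json
import re

# Constructed vulnerability records (placeholder ids, not real CVEs).
# One is keyed by a CPE with a wildcard version, the other by an exact PURL.
SAMPLE_RECORDS = [
    {"id": "CONSTRUCTED-CPE-RECORD",
     "cpe": "cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:*"},
    {"id": "CONSTRUCTED-PURL-RECORD",
     "purl": "pkg:maven/commons-net/commons-net@1.15"},
]

# Field names of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def make_component(group, name, version, cpe=None):
    """Build a CycloneDX JSON component for a Maven artifact.

    The purl is derived from the coordinates. The CPE must be supplied by the
    caller (assumption: it comes from a curated mapping or a tool such as
    dependency-check), since the CPE vendor is not derivable from the groupId.
    """
    component = {
        "type": "library",
        "group": group,
        "name": name,
        "version": version,
        "purl": f"pkg:maven/{group}/{name}@{version}",
    }
    if cpe is not None:
        component["cpe"] = cpe
    return component


def parse_cpe23(cpe):
    """Split a CPE 2.3 string into its 11 named fields.

    Colons escaped with a backslash inside a field are not treated as
    separators; malformed strings raise ValueError.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 string")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(f"expected {len(CPE23_FIELDS)} fields, got {len(parts)}")
    return dict(zip(CPE23_FIELDS, parts))


def cpe_matches(component_cpe, record_cpe):
    """Compare two CPEs field by field; '*' in the record acts as a wildcard."""
    a = parse_cpe23(component_cpe)
    b = parse_cpe23(record_cpe)
    return all(b[f] in ("*", a[f]) for f in CPE23_FIELDS)


def find_vulns(component, records):
    """Return ids of records matching the component by purl or by cpe.

    A purl-keyed record needs an exact purl match; a cpe-keyed record can
    only match a component that actually carries a cpe field.
    """
    hits = []
    for rec in records:
        if "purl" in rec and rec["purl"] == component.get("purl"):
            hits.append(rec["id"])
        elif ("cpe" in rec and "cpe" in component
              and cpe_matches(component["cpe"], rec["cpe"])):
            hits.append(rec["id"])
    return hits


if __name__ == "__main__":
    # Constructed coordinates; the CPE is the one quoted in the issue.
    plain = make_component("commons-net", "commons-net", "1.15")
    enriched = make_component("commons-net", "commons-net", "1.15",
                              cpe="cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:*")
    print(json.dumps(enriched, indent=2))
    print("purl only :", find_vulns(plain, SAMPLE_RECORDS))
    print("purl + cpe:", find_vulns(enriched, SAMPLE_RECORDS))
```

Running the block shows the difference the issue describes: the component without a `cpe` field only hits the PURL-keyed record, while the same component with the CPE added also hits the CPE-keyed record. A plugin-side enrichment would have to keep the CPE field optional and mark the mapping source, since an incorrect vendor/product guess produces false matches rather than just missed ones.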