NVD of composer dependencies identified with internal analyser
Current Behavior:
A project using PHP's Composer depends on a package with known vulnerabilities:
phpmailer/phpmailer:5.2.8
affected by:
https://nvd.nist.gov/vuln/detail/CVE-2021-3603 (for versions < 6.4.1)
https://nvd.nist.gov/vuln/detail/CVE-2021-34551 (for versions < 6.5.0)
https://nvd.nist.gov/vuln/detail/CVE-2020-13625 (for versions < 6.1.6)
BOM file generated with cyclonedx/cyclonedx-php-composer:3.10.0, including the package's PURL.
After uploading the BOM to Dependency-Track, the component "phpmailer/phpmailer" does show up in the project, and the 3 CVEs are listed in Dependency-Track's vulnerability database,
but no link is established between them: there is no vulnerability listed for the project nor for its package :(
Could it be because the CVEs are identified by CPE, whereas the BOM file only lists a PURL for each package?
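To make the expected link concrete, here is an added example (not code from the issue or from Dependency-Track) that reads a constructed CycloneDX 1.3 fragment for the package above and compares the PURL version against the "versions < X" bounds quoted from the three NVD entries. The `cpe` value on the component is an assumed example; CycloneDX 1.3 allows a component to carry a CPE next to its PURL, which is what CPE-keyed matching would need.

```python
# Added example, not from the issue or the Dependency-Track project.
import json
import re

# Constructed CycloneDX 1.3 fragment for the package named in the issue.
# The "cpe" string is an assumed example value, not taken from the page.
BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.3", "version": 1,
  "components": [{
    "type": "library", "group": "phpmailer", "name": "phpmailer",
    "version": "5.2.8",
    "purl": "pkg:composer/phpmailer/phpmailer@5.2.8",
    "cpe": "cpe:2.3:a:phpmailer_project:phpmailer:5.2.8:*:*:*:*:*:*:*"
  }]
}"""

# Upper bounds ("versions < X") from the NVD entries quoted in the issue.
NVD_RANGES = {
    "CVE-2021-3603": "6.4.1",
    "CVE-2021-34551": "6.5.0",
    "CVE-2020-13625": "6.1.6",
}

def version_tuple(v):
    """Turn '5.2.8' into (5, 2, 8); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def purl_version(purl):
    """Return the version after '@' in a PURL, dropping qualifiers/subpath."""
    m = re.search(r"@([^?#]+)", purl)
    return m.group(1) if m else None

def affected_cves(bom_json, ranges=NVD_RANGES):
    """Map each component PURL to the CVEs whose fixed version is above it."""
    result = {}
    for comp in json.loads(bom_json).get("components", []):
        purl = comp.get("purl")
        ver = purl_version(purl) if purl else comp.get("version")
        if not ver:
            continue  # nothing to compare against
        hits = [cve for cve, fixed in ranges.items()
                if version_tuple(ver) < version_tuple(fixed)]
        result[purl or comp["name"]] = sorted(hits)
    return result

if __name__ == "__main__":
    for purl, cves in affected_cves(BOM_JSON).items():
        print(purl, "->", ", ".join(cves) or "no match")
```

For the constructed BOM this reports all three CVEs against `pkg:composer/phpmailer/phpmailer@5.2.8`, which is the result the report expects Dependency-Track's internal analyser to produce.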
Steps to Reproduce:
Here is a test project with composer.json & composer.lock and the produced BOM file: https://github.com/ryden54/php-dependency-track-sample-1 The issue is reproduced with the default docker-compose setup from the documentation.
Expected Behavior:
Using the internal scanner, vulnerabilities documented at NIST for the Packagist packages mentioned in the BOM should show up in the project in Dependency-Track.
Environment:
- Dependency-Track Version: 4.5.0
- Distribution: Docker
- BOM Format & Version: 1.3
- Database Server: docker's default?
- Browser: Chrome 102