
CVE-2025-48882 not detected

Open george1604 opened this issue 7 months ago • 5 comments

Current Behavior

The CVE-2025-48882 vulnerability is not detected in BOMs with phpoffice/math v0.2.0 with internal analyzer or Trivy analyzer.

Steps to Reproduce

  1. Activate internal analyzer and/or Trivy analyzer.
  2. Upload the attached BOM: phpoffice_example.json
  3. See that there are no vulnerabilities

Expected Behavior

  1. Dtrack should detect CVE-2025-48882 in the uploaded BOM, as Trivy does when performing the scan outside Dtrack.

Dependency-Track Version

4.13.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

17

Browser

Google Chrome

george1604 avatar Jun 02 '25 12:06 george1604

I'm seeing similar issues for many CVEs... most likely related to #4707

pblankenship avatar Jun 04 '25 21:06 pblankenship

@pblankenship Can you please explain how this is related to #4707 ? I might have a similar problem as described above:

  • I can scan a SBOM file with either Trivy outside DT or inside DT with internal and OSS Index Analyzer
  • Trivy finds three vulnerabilities: CVE-2025-31650, CVE-2025-31651, CVE-2025-46701
  • Dependency Track finds none of them associated with the component

Maybe I lack an understanding of how the internal scan mechanisms work in DT. In my imagination, DT takes the pURL of a component, requests the string via the OSS Index API and tries to match it with its knowledge about components and vulnerabilities. But it seems strange that Trivy finds the vulnerability for component org.apache.tomcat.embed:tomcat-embed-core, while Dependency-Track (or the OSS Index Analyzer) does not find anything for pkg:maven/org.apache.tomcat.embed/[email protected].

A good explanation would maybe help - also of the connection to issue #4707.

SpiritCrusherKern avatar Jun 12 '25 07:06 SpiritCrusherKern

Hi @SpiritCrusherKern, we have a similar problem where the three CVEs you mentioned (among others) are not assigned to the correct dependency, tomcat-embed-core. Did you find a solution in the meantime?

Alwinius avatar Jul 15 '25 09:07 Alwinius

I'm experiencing a similar issue with CVE-2023-45853 (and others) in the debian:bookworm-slim Docker image. Using the Trivy CLI, the CVE is detected, but Dependency-Track (with Trivy server) does not report it.

In the DT Vulnerability List it appears as PURL:

pkg:deb/debian/zlib?arch=source

But in the BOM it is written as:

pkg:deb/debian/zlib1g@1%3A1.2.13.dfsg-1?arch=amd64&distro=debian-12&upstream=zlib

Could the 1g suffix be causing the mismatch?

fabiocastagnino avatar Aug 24 '25 12:08 fabiocastagnino
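To make the mismatch in the comment above concrete, here is an added Python example (not Dependency-Track's or Trivy's code): it parses the two purls quoted in the comment into their components and lists which fields differ. The `matches_source_advisory` heuristic at the end, which resolves a binary package to its source package through the `upstream` qualifier, is an assumption for illustration and does not describe how Dependency-Track's matcher works.

```python
from urllib.parse import parse_qsl, unquote

def parse_purl(purl: str) -> dict:
    """Split a package URL into its components, in purl-spec order:
    cut '#subpath', then '?qualifiers', then '@version', then type/namespace/name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    rest, _, subpath = purl[len("pkg:"):].lstrip("/").partition("#")
    rest, _, qs = rest.partition("?")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    parts = rest.split("/")
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        # '1%3A1.2.13.dfsg-1' decodes to '1:1.2.13.dfsg-1' (the Debian epoch ':' is percent-encoded)
        "version": unquote(version) or None,
        # parse_qsl percent-decodes, so 'upstream=zlib' and 'distro=debian-12' come out plain
        "qualifiers": {k.lower(): v for k, v in parse_qsl(qs)},
        "subpath": subpath or None,
    }

def differing_fields(a: str, b: str) -> list:
    """Sorted names of the purl components that differ between two purls."""
    pa, pb = parse_purl(a), parse_purl(b)
    return sorted(k for k in pa if pa[k] != pb[k])

def source_package_name(purl: str) -> str:
    """Source package a binary .deb was built from: the 'upstream' qualifier when present
    (only the part before any '@version'), otherwise the purl name itself. Assumption."""
    p = parse_purl(purl)
    return p["qualifiers"].get("upstream", p["name"]).split("@", 1)[0]

def matches_source_advisory(bom_purl: str, advisory_purl: str) -> bool:
    """Heuristic (assumption, not Dependency-Track's matcher): an advisory keyed on the
    source package (arch=source) applies to a binary package when type and namespace
    agree and the advisory name equals the binary's source package name.
    Version ranges are deliberately not evaluated here."""
    bom, adv = parse_purl(bom_purl), parse_purl(advisory_purl)
    return (bom["type"] == adv["type"] and bom["namespace"] == adv["namespace"]
            and adv["qualifiers"].get("arch") == "source"
            and source_package_name(bom_purl) == adv["name"])

# The two purls quoted in the comment above: the BOM entry and the vulnerability-list entry.
BOM_PURL = "pkg:deb/debian/zlib1g@1%3A1.2.13.dfsg-1?arch=amd64&distro=debian-12&upstream=zlib"
VULN_PURL = "pkg:deb/debian/zlib?arch=source"
```

Running `differing_fields(BOM_PURL, VULN_PURL)` shows that name, version and qualifiers all differ, so a matcher comparing purl names literally sees `zlib1g` and `zlib` as unrelated unless it consults the `upstream` qualifier.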

I am observing a possibly related problem regarding tomcat-embed-core <=10.1.43. Having the internal and OSS analyzers enabled, DT reports no vulnerability for this library, although NVD reports CVE-2025-48989. This CVE also exists in OSS Index, but does not show for the matching component version! I was wondering whether OSS is preferred over NVD/internal when matching components and vulnerabilities? Or is the fuzzy CPE matching simply not able to find the component for NVD?

Is this a problem with OSS or DT?

hoeller avatar Oct 27 '25 13:10 hoeller