
bug: inconsistent CVE findings when using SBOM generated for the same software as input file

Open jni2000 opened this issue 1 month ago • 1 comment

Description

I did a number of tests to compare the CVE findings in the following two cases:

  1. run cve-bin-tool against the software package directly
  2. run cve-bin-tool against the SBOM file generated using cve-bin-tool against the same software package

I found discrepancies in the number of CVEs found using the above two methods. Any explanations for such discrepancies?

Thanks

jni2000 avatar Nov 15 '25 01:11 jni2000
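One way to pin down where the two scans disagree, as an added example that is not part of this issue or of cve-bin-tool itself: load two `-f json` reports (one from scanning the package, one from scanning the SBOM) and list, per component, the detected versions and the CVE IDs that appear on only one side. The sample reports are constructed with placeholder CVE IDs and product names, and the JSON keys (`vendor`, `product`, `version`, `cve_number`) are assumed to match the tool's JSON report.

```python
import json

# Constructed sample reports in the shape of `cve-bin-tool -f json` output:
# a list of findings, one per (component, CVE). Product names and CVE IDs are
# placeholders, not results from any real scan.
DIRECT_SCAN = json.dumps([
    {"vendor": "example", "product": "libfoo", "version": "1.0.0", "cve_number": "CVE-2000-0001"},
    {"vendor": "example", "product": "libfoo", "version": "1.0.0", "cve_number": "CVE-2000-0002"},
    {"vendor": "example", "product": "libbar", "version": "2.3.4", "cve_number": "CVE-2000-0010"},
])
SBOM_SCAN = json.dumps([
    {"vendor": "example", "product": "libfoo", "version": "1.0.0", "cve_number": "CVE-2000-0001"},
    # The SBOM carries a shorter version string for libbar, so the lookup matches
    # a different CPE range than the direct scan did.
    {"vendor": "example", "product": "libbar", "version": "2.3", "cve_number": "CVE-2000-0010"},
    {"vendor": "example", "product": "libbar", "version": "2.3", "cve_number": "CVE-2000-0011"},
])


def load_findings(report_json):
    """Group a JSON report by (vendor, product) into detected versions and CVE IDs."""
    comps = {}
    for entry in json.loads(report_json):
        comp = comps.setdefault((entry["vendor"], entry["product"]),
                                {"versions": set(), "cves": set()})
        comp["versions"].add(entry["version"])
        comp["cves"].add(entry["cve_number"])
    return comps


def compare_reports(direct_json, sbom_json):
    """Return only the components whose versions or CVE sets differ between the two scans."""
    direct, sbom = load_findings(direct_json), load_findings(sbom_json)
    empty = {"versions": set(), "cves": set()}
    diffs = {}
    for key in sorted(set(direct) | set(sbom)):
        d, s = direct.get(key, empty), sbom.get(key, empty)
        if d["versions"] != s["versions"] or d["cves"] != s["cves"]:
            diffs[key] = {
                "direct_versions": sorted(d["versions"]),
                "sbom_versions": sorted(s["versions"]),
                "only_in_direct": sorted(d["cves"] - s["cves"]),
                "only_in_sbom": sorted(s["cves"] - d["cves"]),
            }
    return diffs


if __name__ == "__main__":
    for (vendor, product), info in compare_reports(DIRECT_SCAN, SBOM_SCAN).items():
        print(f"{vendor}:{product} versions direct={info['direct_versions']} sbom={info['sbom_versions']} "
              f"only-direct={info['only_in_direct']} only-sbom={info['only_in_sbom']}")
```

Running it on the real reports (`cve-bin-tool -f json -o direct.json <package>` and the same against the SBOM) would give exactly the per-component list the maintainers are asking for below.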

@jni2000 You'd need to be more specific to get better answers. Below are some points worth elaborating on:

  1. Which software package was that (links, versions)?
  2. What were the specific results obtained through those two approaches? Posting the outputs and the SBOM would be helpful.

alex-ter avatar Nov 17 '25 08:11 alex-ter