Niklas
This appears to be a change in what Trivy includes in the SBOM. However it's not something we can deal with on our end.
Can you share the BOM you uploaded, so we can reproduce? Of course, please redact any internal or confidential information beforehand. Also, did you check the logs of the Dependency-Track...
@gelexgaray What version of the API server are you running? The behavior you're describing strongly suggests you're using an outdated version that does not support CycloneDX 1.4.
v4.11.0 will ship some related improvements. We will validate uploaded BOMs against the CycloneDX schema *synchronously*, and return a `HTTP 400` response when said validation failed:
* https://github.com/DependencyTrack/dependency-track/pull/3522
* https://github.com/DependencyTrack/frontend/pull/762...
Still unable to reproduce. The XML BOMs generated by the .NET tool contain byte-order-marks, but we already have handling in place for those. I tried uploading the BOMs provided in...
Good catch @muellerst-hg! Could you please raise a separate issue for that, since the problem described in this issue is related to matching once a VEX is already parsed.
Thanks for the suggestion @setchy! I feel this might be a duplicate of https://github.com/DependencyTrack/dependency-track/issues/2267. Would you mind checking if that issue captures what you're asking for?
Makes sense. Although #2267 also mentions policies:
> Once the data is included, I would request a policy to identify vulnerabilities outside of the KEV remediation timeline.

But yeah, overall...
Superseded by #4031. Thanks for your work on this @sebD, I made sure to include you as co-author of the new change.
That means you need to whitelist the **frontend**'s host (as in, the origin of the GET request) in your IdP. I don't know the specific IdP you're using, but in...