syalioune
> I think there are two things required here:
>
> 1. Make the scans interval configurable
> 2. Make the ComponentAnalysisCache configurable
> 2.1 Separate out repository from vulnerability...
Great, it will surely benefit the overall performance of DT.
Hello, the spec does indeed only reference `maven` as a known purl type, but the lib [packageurl-java](https://github.com/package-url/packageurl-java) successfully parses purls with the gradle type. Since Gradle and Maven target the same...
> Was wondering though, do we want to kick off the various analysis tasks we have, or do we just import the data?

I would personally expect the analysis tasks...
@mveck There was an issue (cf. #2240) preventing components with a CPE having an N/A update value (like cpe:2.3:windriver:vxworks:7.0:**-**::::::) from being correctly matched against VULNERABLE_SOFTWARE. It is now fixed in v4.7. That...
@clemlesne You can add or remove project tags programmatically using

```shell
curl --location '.../api/v1/project' \
  --header 'X-API-Key: ' \
  --header 'Content-Type: application/json' \
  --data '{ "uuid": "", "name": "", "version":...
```
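The curl call above sends the whole project object back, so in practice the tag change is a read-modify-write: fetch the project, recompute the tag list, post it back. The following is an added example (not part of the comment above nor of Dependency-Track's own code) that does exactly that. It assumes that `GET /api/v1/project/{uuid}` returns the project JSON, that `POST /api/v1/project` updates it with the tag list in the payload replacing the existing one, and that the API key goes in the `X-API-Key` header, as in the curl call; the sample project JSON and URLs are constructed for illustration.

```python
"""Added example: read-modify-write of a Dependency-Track project's tags.

Assumptions (chosen for illustration, verify against your DT version):
- GET  /api/v1/project/{uuid} returns the project object as JSON;
- POST /api/v1/project updates it and replaces the tag list with the
  one in the payload, so the full desired list must be sent, not a delta;
- authentication is the X-API-Key header.
"""
import json
import urllib.request


def merge_tags(existing, add=(), remove=()):
    """Return the new tag list as [{"name": ...}], de-duplicated, order kept.

    `existing` is the tag list from the project JSON; `add` and `remove`
    are tag names. A name in both `add` and `remove` ends up removed.
    """
    names = [t["name"] for t in existing]
    for name in add:
        if name not in names:
            names.append(name)
    dropped = set(remove)
    return [{"name": n} for n in names if n not in dropped]


def build_update_payload(project, add=(), remove=()):
    """Shallow-copy the project and swap in the recomputed tags.

    Everything else (uuid, name, version, ...) is sent back unchanged so the
    update does not clear fields the API expects to be present.
    """
    payload = dict(project)
    payload["tags"] = merge_tags(project.get("tags", []), add, remove)
    return payload


def update_project_tags(base_url, api_key, project_uuid, add=(), remove=()):
    """GET the project, recompute tags, POST the full object back.

    This performs network calls against a live server; it is not exercised
    by the offline sample below.
    """
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    req = urllib.request.Request(f"{base_url}/api/v1/project/{project_uuid}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        project = json.load(resp)
    payload = build_update_payload(project, add, remove)
    req = urllib.request.Request(
        f"{base_url}/api/v1/project",
        data=json.dumps(payload).encode(),
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of what GET /api/v1/project/{uuid} returns (hypothetical values).
SAMPLE_PROJECT = {
    "uuid": "00000000-0000-0000-0000-000000000000",
    "name": "demo",
    "version": "1.0.0",
    "tags": [{"name": "prod"}, {"name": "java"}],
}

if __name__ == "__main__":
    # Offline demonstration: add "pci", drop "java", print the payload the POST would carry.
    print(json.dumps(build_update_payload(SAMPLE_PROJECT, add=["pci"], remove=["java"]), indent=2))
```

Because the update replaces the tag list wholesale, computing the new list from the freshly fetched project (rather than from a cached copy) is what keeps two concurrent tag edits from silently undoing each other.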
DT supports external references at the project level since 4.7 (PR #2251 and https://github.com/DependencyTrack/frontend/pull/347). It is now a matter of including the relevant information in the SBOM metadata component. Such a task...
At the very least, an external reference of type build-system with the appropriate URL can help deduce the origin of the SBOM. For example, with a tool like `cyclonedx-maven-plugin`, a...
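To illustrate the point above, that a `build-system` external reference on the SBOM's metadata component is enough for a consumer to deduce where the SBOM came from, here is an added example (not part of the comment nor of any Dependency-Track or cyclonedx-maven-plugin code). It reads the `externalReferences` of `metadata.component` from a CycloneDX JSON document and returns the build-system URL, or `None` when the SBOM carries none. The SBOM and its URLs are constructed for illustration.

```python
"""Added example: extract the origin of a CycloneDX SBOM from the
build-system external reference of its metadata component.

The SBOM below is constructed for illustration; the URLs are hypothetical.
"""
import json

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "application",
            "name": "demo-app",
            "version": "1.0.0",
            "externalReferences": [
                {"type": "vcs", "url": "https://git.example.org/demo/demo-app.git"},
                {"type": "build-system", "url": "https://ci.example.org/job/demo-app/42"},
            ],
        }
    },
    "components": [],
})


def external_references(sbom):
    """All externalReferences of metadata.component; empty list if any level is missing."""
    return sbom.get("metadata", {}).get("component", {}).get("externalReferences", [])


def sbom_origin(sbom_json):
    """Map external-reference type -> list of URLs for the metadata component.

    Only well-formed entries (a dict with string `type` and `url`) are kept,
    so a sloppy SBOM yields a smaller map rather than an exception.
    """
    sbom = json.loads(sbom_json)
    out = {}
    for ref in external_references(sbom):
        if isinstance(ref, dict) and isinstance(ref.get("type"), str) and isinstance(ref.get("url"), str):
            out.setdefault(ref["type"], []).append(ref["url"])
    return out


def build_system_url(sbom_json):
    """The first build-system reference, or None when the SBOM has none."""
    return sbom_origin(sbom_json).get("build-system", [None])[0]


if __name__ == "__main__":
    print(build_system_url(SAMPLE_SBOM))
```

The same lookup works for the other reference types (`vcs`, `distribution`, ...) since the function keys by type; treat the returned URL as untrusted input, as it comes straight from whoever produced the SBOM.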
My understanding of VDR is that #1550 & #1800 are indeed duplicates and that VDR covers the use case here.
What is important for reproduction will be to have:
- Same number of components
- Same nested component hierarchy
- Consistent: if you replace componentA by some string,...