I've been informed that DT uses NVD for severity, and most are 'under reanalysis'. Is it possible to pull the severity from OSSIndex if it is unable to resolve the severity from NVD (priority order)?
Current Behavior
We have recently performed SBOM analysis and Dependency Track is not assigning the severity for many CVEs, even though the OSSIndex has it assigned.
Example (many more if you need them):
Purl = pkg:maven/org.apache.avro/avro@1.11.3
Link to OSSIndex = https://ossindex.sonatype.org/vulnerability/CVE-2024-47561?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.5
Steps to Reproduce
1. Create a new DT project
2. Add the component 'pkg:maven/org.apache.avro/avro@1.11.3'
3. See DT resolve the CVE but not assign a severity
4. Link to OSSIndex = https://ossindex.sonatype.org/vulnerability/CVE-2024-47561?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.5
Expected Behavior
Resolve severity
Dependency-Track Version
4.11.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
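One way the requested fallback could look, as an added example that is not Dependency-Track's own code and does not call the OSS Index API: walk the sources in a configured priority order (NVD first, then OSS Index), treat an NVD entry that carries no rating as "no data" rather than as the final answer, and derive a qualitative rating from a CVSS base score when a source only supplies the number. The record layouts, the field names read by `ossindex_records`, and the sample score attached to the CVE are assumptions constructed for the example.

```python
"""Pick a vulnerability severity from several sources in priority order.

Added illustration for this issue; it is not Dependency-Track code and it does
not call the OSS Index API. The record layouts and the sample scores below are
constructed assumptions, not real advisory data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


def severity_from_cvss(score: float, version: int = 3) -> str:
    """Map a CVSS base score to a qualitative rating.

    Uses the CVSS v3.x bands (None/Low/Medium/High/Critical) and the NVD
    v2 bands (Low/Medium/High). Raises on scores outside 0.0-10.0.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if version == 2:
        if score < 4.0:
            return "LOW"
        return "MEDIUM" if score < 7.0 else "HIGH"
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


@dataclass
class SourceRecord:
    """What one source (NVD, OSS Index, ...) knows about a single CVE."""
    source: str
    severity: Optional[str] = None        # explicit rating, if the source gives one
    cvss_v3_score: Optional[float] = None
    cvss_v2_score: Optional[float] = None

    def resolved(self) -> Optional[Tuple[str, str]]:
        """Best severity this source alone supports, with how it was derived."""
        if self.severity and self.severity.upper() != "UNASSIGNED":
            return self.severity.upper(), "explicit"
        if self.cvss_v3_score is not None:
            return severity_from_cvss(self.cvss_v3_score, 3), "cvssv3"
        if self.cvss_v2_score is not None:
            return severity_from_cvss(self.cvss_v2_score, 2), "cvssv2"
        return None


def resolve_severity(records: Iterable[SourceRecord],
                     priority: Sequence[str] = ("NVD", "OSSINDEX")) -> Tuple[str, Optional[str]]:
    """Return (severity, provenance) from the first source in `priority` that has data.

    A source that is present but carries nothing usable (an NVD entry that is
    'under reanalysis' with no score) is skipped rather than ending the search.
    """
    by_source = {r.source.upper(): r for r in records}
    for name in priority:
        rec = by_source.get(name.upper())
        if rec is None:
            continue
        hit = rec.resolved()
        if hit is not None:
            sev, how = hit
            return sev, f"{rec.source.upper()}:{how}"
    return "UNASSIGNED", None


def ossindex_records(report: dict) -> dict:
    """Turn an OSS Index-style component report into {cve_id: SourceRecord}.

    Assumed field names: a 'vulnerabilities' list whose entries carry 'cve' and
    'cvssScore'. That shape is an assumption made for this example.
    """
    out = {}
    for v in report.get("vulnerabilities", []):
        cve = v.get("cve")
        score = v.get("cvssScore")
        if cve and score is not None:
            out[cve] = SourceRecord("OSSINDEX", cvss_v3_score=float(score))
    return out


# Constructed sample: NVD has the CVE but no rating yet; OSS Index reports a score.
# The 7.5 below is a placeholder for the example, not the real score for this CVE.
SAMPLE_NVD = {"CVE-2024-47561": SourceRecord("NVD", severity="UNASSIGNED")}
SAMPLE_OSSINDEX_REPORT = {
    "coordinates": "pkg:maven/org.apache.avro/avro@1.11.3",
    "vulnerabilities": [{"cve": "CVE-2024-47561", "cvssScore": 7.5}],
}


def resolve_for_sample(cve: str) -> Tuple[str, Optional[str]]:
    """Combine the two constructed sources for one CVE."""
    records = []
    if cve in SAMPLE_NVD:
        records.append(SAMPLE_NVD[cve])
    records.extend(r for c, r in ossindex_records(SAMPLE_OSSINDEX_REPORT).items() if c == cve)
    return resolve_severity(records)


if __name__ == "__main__":
    print(resolve_for_sample("CVE-2024-47561"))   # ('HIGH', 'OSSINDEX:cvssv3')
```

The provenance string returned alongside the rating is deliberate: once a fallback like this is in place, an analyst needs to see whether a HIGH came from NVD's own rating or was derived from another source's score, because the two are not equally authoritative and the NVD value may later change when reanalysis completes.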