Risk Score and CVEs exploding after re-import of SBOM

[dassjan]

First steps for me, using Dependency Track (DT) - v4.8.2

I am working with an externally generated CycloneDX v1.4 sBOM file.
This has been imported into a project generated in DT for this purpose. The findings look reasonable.
When I export the sBOM from the project and re-import it in a different (newly created) project, the risk score and CVEs found go way up. Any idea why?
I cannot rule out that the solution which created the Cyclone DX file is w/o flaws but upon export I would think that I have a DT generated one, that should not cause issues on re-import.

[nscuro]

Are you able to share the BOM so we can reproduce this issue?

If not, are the findings raised in the second import wrong? Is the first import missing findings? What tool was used to generate the BOM? Is the number of components in both projects identical?

[dassjan]

The initial findings look to be the correct ones as the second time around (on re-import) the CPE filter does not seem to work properly and all CVEs associated with a component, regardless of version and environment are pulled in.

A Digicert threat detection tool was used to create the BOM file.
At this time I cannot share it but let me see if I can shrink it down and related it to a single / very few components, making it more generic.
Alternatively, I can probably scan a generic project as well.

[nscuro]

Great. If you prefer to share the samples in private, you can DM me on the OWASP Slack (username is nscur0), or shoot me an email (address is in my GitHub profile).