Analyzers showing CVEs from Base Image OR Software Dependencies

[larsriehn]

I create an SBOM with Trivy from an image and upload it to Dependency Track.
What I recognized is:

• The "OSS Index" analyzer shows only CVEs of Software Dependencies (e.g. log4j)
• The Trivy analyzer (great new feature by the way) shows only CVEs from the base image (e.g. zlib1g)

I tested this with only one of the analyzers in an active stat, a fresh project and uploaded using the GUI.
The imported SBOM shows this structure in Dependency Track:

I wonder why it is like this. Combining both analyzers gives me the result I expect. But either of them (especially trivy) should be able to show the full findings.

[nscuro]

What version of Dependency-Track and Trivy are you running? There was a breaking change in Trivy 0.51.2's server API that caused false negatives for libraries (#3737). DT was fixed to accommodate for that in v4.11.3 (#3738).

[nscuro]

Also the coverage of OSS Index for OS packages is not all too great. Debian for example is not covered at all: https://ossindex.sonatype.org/ecosystems

[larsriehn]

Thanks for your answer!
I had v4.11.1 so the versions didn't match. After an update everything looks fine.