DT 4.12.1 does not display vulnerabilities for OSV for ecosystem OSS-FUZZ packages with PURL identifiers: scheme:type/name.

[Cheeb]

DT 4.12.1 (Docker Container) does not display vulnerabilities for OSV for ecosystem OSS-FUZZ packages with PURL identifiers: scheme:type/name.

There are no errors in the Docker Compose logs.

I assume that the error connected with the vulnerabilities that don`t have a version in the PURL identifier.

What we do:

1. Enable osv datasource oss-fuzz and internal analyzer.
2. Upload bom containing components

{
  "components": [
    {
      "name": "h3",
      "purl": "pkg:generic/h3",
      "type": "library",
      "version": "4.2.0"
    },
    {
      "name": "kamailio",
      "purl": "pkg:generic/kamailio",
      "type": "library",
      "version": "5.6.0"
    },
    {
      "name": "ndpi",
      "purl": "pkg:generic/ndpi",
      "type": "library",
      "version": "3.4.0"
    },
    {
      "name": "pcre2",
      "purl": "pkg:generic/pcre2",
      "type": "library",
      "version": "10.41"
    }
  ]
}

3. Checks the list of vulnerabilies.

Deptrack should show vulns for oss-fuzz packages, for example:
OSV-2024-1241
OSV-2024-1244
OSV-2024-1326
OSV-2024-1261

But nothing in project..

What's wrong?

Thanks a lot for your help