-
The OSS Index analyzer works by PURL. So if your components have a PURL, they will get analyzed by the OSS Index Analyzer. The Internal analyzer can work with PURL and CPE. With OSS Index disabled, the NVD vulnerabilities will show up when your components have CPEs, as the NVD only matches vulnerabilities to CPEs.
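The reply above comes down to which identifiers each component carries, so a useful first check when a scan returns zero findings is to audit the SBOM itself: which components have a PURL, which have a CPE, and which have neither. The following script is an added example written for this thread; it is not Dependency-Track's own code, and the sample SBOM, component names, PURLs and CPE strings embedded in it are constructed. The analyzer mapping (OSS Index needs a PURL; the Internal analyzer accepts PURL or CPE; NVD data only matches on CPE) follows the description in the reply above and is assumed, not taken from the project's source.

```python
import json
import sys
from typing import Dict, List, Set

# Constructed CycloneDX 1.4-style SBOM (not from the thread). Three components:
# one with both identifiers, one with a PURL only, one with neither.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:maven/com.example/example-lib@1.2.3",
         "cpe": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"},
        {"type": "library", "name": "example-http", "version": "4.5.6",
         "purl": "pkg:pypi/example-http@4.5.6"},
        {"type": "library", "name": "vendor-widget", "version": "0.9.0"},
    ],
})


def classify_components(sbom_json: str) -> Dict[str, Set[str]]:
    """Map 'name@version' to the set of identifier kinds ('purl', 'cpe') present."""
    sbom = json.loads(sbom_json)
    classified: Dict[str, Set[str]] = {}
    for comp in sbom.get("components", []):
        kinds: Set[str] = set()
        if comp.get("purl"):
            kinds.add("purl")
        if comp.get("cpe"):
            kinds.add("cpe")
        key = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        classified[key] = kinds
    return classified


def analyzer_coverage(sbom_json: str) -> Dict[str, List[str]]:
    """Group components by which analyzer can match them (assumed mapping, see lead-in).

    ossindex:  components with a PURL
    internal:  components with a PURL or a CPE
    nvd_cpe:   components with a CPE (the only key NVD data is matched on)
    unmatched: components with neither, which no analyzer will ever flag
    """
    report: Dict[str, List[str]] = {
        "ossindex": [], "internal": [], "nvd_cpe": [], "unmatched": []
    }
    for name, kinds in classify_components(sbom_json).items():
        if "purl" in kinds:
            report["ossindex"].append(name)
        if kinds:
            report["internal"].append(name)
        if "cpe" in kinds:
            report["nvd_cpe"].append(name)
        if not kinds:
            report["unmatched"].append(name)
    return report


if __name__ == "__main__":
    # Pass a CycloneDX JSON path to audit a real SBOM; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for group, names in analyzer_coverage(data).items():
        print(f"{group:>10}: {len(names)} component(s) {names}")
```

If the `nvd_cpe` group is empty for an SBOM, an NVD-only configuration is expected to report nothing regardless of what the components contain, which is the situation the thread describes; the fix is on the SBOM generation side (emit CPEs where the tool can), not in the analyzer settings.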
-
Where possible, if the information is available for the component, our SBOMs will be generated with a PURL. If I read what you are saying correctly: if there is a PURL, Sonatype is used for that component; if not, then it will try NVD? If Trivy is added into the mix, does the component get checked against each DB, or only against the one whose required data is present for checking whether the component has a vulnerability, with the others skipped? Thanks!
-
We have the NVD and Sonatype analysers running on our DT instance. We were getting invalid vulnerabilities being listed, so I wanted to see which one it might be.
I created a project, uploaded an SBOM and, with both analysers on, extracted the results.
I repeated the above with Sonatype switched off, and then with the NVD one off, and extracted the results in each case.
With Sonatype off and NVD on, it showed 0 vulnerabilities, whereas with Sonatype on, and with both on, it showed 268 vulnerabilities.
When I switched both analysers on again, the 'NVD only' one did eventually show 268, but I am guessing that came from the Sonatype analyser.
I created a new DT instance and did not enable the Sonatype one at all, just the NVD (internal) one.
I created a project, imported the same SBOM, and no vulnerabilities were found. Does the internal one not work?
Just trying to understand why. Thanks, N