Analyzers return very old CVEs #4399

Closed
2 tasks done
tesence opened this issue Nov 22, 2024 · 4 comments
Labels
defect Something isn't working pending more information

Comments

tesence commented Nov 22, 2024

Current Behavior

Hello,

In some cases, very old CVEs are identified while they don't seem to actually affect the project. In my case I generate a CycloneDX 1.6 SBOM using trivy for the following image: quay.io/jetstack/cert-manager-cainjector:v1.12.3

When I import it in Dependency-Track, the analyzers return CVEs from 2007 while analyzers like trivy don't.

Steps to Reproduce

  1. Generate the image SBOM using trivy 0.57.1: trivy image quay.io/jetstack/cert-manager-cainjector:v1.12.3 --format cyclonedx --scanners vuln -o sbom.json.
  2. Upload it to a Dependency Track project.

Expected Behavior

Dependency-Track should only return CVEs affecting the project.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.5

Browser

N/A

Checklist

@tesence tesence added defect Something isn't working in triage labels Nov 22, 2024
nscuro (Member) commented Nov 22, 2024

Can you please give a few examples of which vulnerabilities are erroneously reported for which components, and why you believe they are not valid? It would also help if you could attach the SBOM you used to the issue.

tesence (Author) commented Nov 27, 2024

Hello, sure, here is a full use case.

trivy image quay.io/jetstack/cert-manager-controller:v1.12.13 --scanners vuln --format cyclonedx -o cert-manager-controller_v1.12.13.json

Note that I include the vulnerabilities in the report here. I usually don't, since I'm using Dependency Track for that purpose, but I'll use them as a comparison.

  • I extract all the vulnerabilities from that report, and I get the following result:
$ jq -r '.vulnerabilities[] | .id ' cert-manager-controller_v1.12.13.json
CVE-2024-34155
CVE-2024-34156
CVE-2024-34158
CVE-2024-51744
  • I upload the BOM to a Dependency Track project, and when I extract all the unique vulnerabilities affecting that project, this is what I get (218 items):
$ curl -s -k -X GET "https://dependency-track.local/api/v1/vulnerability/project/${PROJECT_ID}" -H "accept: application/json" -H "X-Api-Key: ${API_KEY}" | jq -r '[.[].vulnId] | unique | sort | .[]'

I cannot explain the very old vulnerabilities from before 2024. I also do not retrieve the same vulnerabilities as I do with Trivy.
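A small triage script, added here as an example (it is not code from the issue or from the Dependency-Track project), that does what the jq and curl commands above do by hand: it diffs the scanner's vulnerability ids against the project's findings from the Dependency-Track API and flags the ids that only Dependency-Track reports and whose CVE year is implausibly old, the symptom the thread later attributes to fuzzy matching. Both inputs are constructed samples; the findings list keeps only the vulnId field, and min_plausible_year is a value the reviewer picks (for instance the year the affected component or ecosystem first existed).

```python
import json
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample: only the fields this script reads from a trivy
# CycloneDX 1.6 SBOM produced with --scanners vuln (real files carry far more).
TRIVY_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "vulnerabilities": [{"id": "CVE-2024-34155"}, {"id": "CVE-2024-34156"},
                        {"id": "CVE-2024-51744"}],
})

# Constructed sample: a trimmed response of
# GET /api/v1/vulnerability/project/{uuid}; only vulnId is read, matching
# the jq filter used in the issue. The same id can repeat, one per component.
DT_FINDINGS = json.dumps([
    {"vulnId": "CVE-2007-2435"}, {"vulnId": "CVE-2008-5353"},
    {"vulnId": "CVE-2024-34155"}, {"vulnId": "CVE-2024-51744"},
    {"vulnId": "CVE-2024-34155"},
])


def cve_year(vuln_id):
    """Year embedded in a CVE id, or None for non-CVE ids (e.g. GHSA-...)."""
    m = CVE_RE.match(vuln_id)
    return int(m.group(1)) if m else None


def compare_findings(sbom_text, findings_text, min_plausible_year):
    """Diff scanner ids against Dependency-Track findings for one project.

    Ids only Dependency-Track reports, with a CVE year before
    min_plausible_year, are the candidates to review as fuzzy-match
    false positives before changing the analyzer settings.
    """
    sbom_ids = {v["id"] for v in json.loads(sbom_text).get("vulnerabilities", [])}
    dt_ids = {f["vulnId"] for f in json.loads(findings_text)}
    only_dt = dt_ids - sbom_ids
    return {
        "common": sorted(dt_ids & sbom_ids),
        "only_in_scanner": sorted(sbom_ids - dt_ids),
        "only_in_dt": sorted(only_dt),
        "suspiciously_old": sorted(
            i for i in only_dt
            if (y := cve_year(i)) is not None and y < min_plausible_year),
    }
```

Point it at the real SBOM file and the saved API response (read both files into strings) to get the same diff for the 218-item result above.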

tesence (Author) commented Dec 6, 2024

Turns out that it was due to all the fuzzy matching being enabled by default; disabling it solved the issue.

@tesence tesence closed this as completed Dec 6, 2024
github-actions bot (Contributor) commented Jan 6, 2025

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 6, 2025