CPE vs PURL

[mdouble]

Today we got aware of CVEs in "Telerik UI for WPF" (e.g. CVE-2024-8316, CVE-2024-75756) . We tried to monitor the component via Dependency Track.

In the uploaded SBOM the components have a Package URL as recommended (https://docs.dependencytrack.org/datasources/routing/) e.g.

• "purl": "pkg:nuget/[email protected]".
• "purl": "pkg:nuget/Telerik.Windows.Controls.FixedDocumentViewers.for.Wpf@2023.3.1010"
• "purl": "pkg:nuget/Telerik.Windows.Controls.FixedDocumentViewersUI.for.Wpf@2023.3.1010"
• "purl": "pkg:nuget/[email protected]"
• "purl": "pkg:nuget/[email protected]"
• "purl": "pkg:nuget/[email protected]"

etc.

In the JSON for the CVE the affected component is listed with the cpe ""cpe:2.3:a:telerik:ui_for_wpf::::::::"".

Although there are Vulnerabilities in the component we did not get a notification. Somehow I was expecting the internal analyzer to match PURLs to CPEs. Is this expectation wrong?