Vulnerabilities for NPM Packages not populating

[rohit-chaurasia]

I've tried uploading a BOM using both v1.2 and v1.1 of CycloneDX however, I havent been able to get DependencyTrack to populate the vulnerabilities associated to the packages.(screenshot attached)

I'm running this out of a Docker Instance and have attached a few docker logs which I found relevant as well and was hoping you can help me figure this out.

06:42:14.344 INFO [OssIndexAnalysisTask] Analyzing 100 component(s)
06:42:15.112 INFO [NpmAdvisoryMirrorTask] Updating datasource with NPM advisories
06:42:15.266 INFO [NpmAdvisoryMirrorTask] Retrieving NPM advisories from https://registry.npmjs.org/-/npm/v1/security/advisories?perPage=20&page=69
06:42:16.437 INFO [NpmAdvisoryMirrorTask] Updating datasource with NPM advisories
06:42:16.575 INFO [NpmAdvisoryMirrorTask] Retrieving NPM advisories from https://registry.npmjs.org/-/npm/v1/security/advisories?perPage=20&page=70
06:42:17.703 INFO [NpmAdvisoryMirrorTask] Updating datasource with NPM advisories
06:42:17.969 INFO [NpmAdvisoryMirrorTask] Retrieving NPM advisories from https://registry.npmjs.org/-/npm/v1/security/advisories?perPage=20&page=71
06:42:19.081 INFO [NpmAdvisoryMirrorTask] Updating datasource with NPM advisories
06:42:19.289 INFO [NpmAdvisoryMirrorTask] Retrieving NPM advisories from https://registry.npmjs.org/-/npm/v1/security/advisories?perPage=20&page=72
06:42:20.123 INFO [OssIndexAnalysisTask] Analyzing 7 component(s)
06:42:20.403 INFO [NpmAdvisoryMirrorTask] Updating datasource with NPM advisories
06:42:20.578 INFO [NpmAdvisoryMirrorTask] NPM advisory mirroring complete
06:42:25.125 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete

Screenshot:

[stevespringett]

According to OSS Index and NPM Audit, the components listed are not vulnerable. If you believe there are false negatives, you'll need to report them to OSS Index and the Node.js security working group.

Also, note that CycloneDX v1.2 is not supported in DT 3.8.0 and prior. Support for CycloneDX v1.2 has been added in DT 4.0.

[rohit-chaurasia]

Thanks Steve, I ended up using CycloneDX v1.0 for the BOM. I'll run a NPMAudit of the libraries manually and reverify (I have a few more than the ones listed)