CycloneDX Scan May Report More Vulnerabilities Than CLI

Question

Why may scanning a CycloneDX BOM produce more vulnerabilities than a scan using the CLI?

Explanation

When you scan a CycloneDX BOM of an application, you may see vulnerabilities reported for files that are not present in your application. The BOM scan result includes the vulnerabilities for all files contained in the packages listed in the BOM. In some cases this includes dependent components that are not actually present in the scanned application.

Scanning with the CLI only reports vulnerabilities associated with files that were actually scanned in your application. This produces a more precise result.

When you scan by BOM, the match is made against the entire package, so all files in it are considered. When you scan by CLI, only the files actually scanned are considered.
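The difference between package-level and file-level matching, shown as an added Python example (constructed BOM, advisory index and file list; this models the behaviour described above and is not Sonatype's own matching logic, and the ADV-* ids and per-file advisory fields are assumptions):

```python
import json

# Constructed CycloneDX 1.4 JSON BOM listing two packages by purl.
BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.0",
     "purl": "pkg:generic/libfoo@1.2.0"},
    {"type": "library", "name": "libbar", "version": "3.0.1",
     "purl": "pkg:generic/libbar@3.0.1"}
  ]
}"""

# Constructed advisory index: each finding is tied to one file inside a package.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:generic/libfoo@1.2.0", "file": "libfoo/core.so"},
    {"id": "ADV-0002", "purl": "pkg:generic/libfoo@1.2.0", "file": "libfoo/plugin-x.so"},
    {"id": "ADV-0003", "purl": "pkg:generic/libbar@3.0.1", "file": "libbar/bar.so"},
    {"id": "ADV-0004", "purl": "pkg:generic/libbaz@0.9.0", "file": "libbaz/baz.so"},
]

# Files actually present in the application build (constructed): the optional
# plugin from libfoo was never shipped.
SCANNED_FILES = {"libfoo/core.so", "libbar/bar.so"}


def bom_matches(bom_json, advisories):
    """Package-level match: every advisory for a purl listed in the BOM."""
    bom = json.loads(bom_json)
    purls = {c["purl"] for c in bom.get("components", []) if "purl" in c}
    return {a["id"] for a in advisories if a["purl"] in purls}


def cli_matches(scanned_files, advisories):
    """File-level match: only advisories whose affected file was scanned."""
    return {a["id"] for a in advisories if a["file"] in scanned_files}


def phantom_findings(bom_json, scanned_files, advisories):
    """Findings the BOM scan reports whose affected file is absent from the app."""
    return bom_matches(bom_json, advisories) - cli_matches(scanned_files, advisories)


if __name__ == "__main__":
    # ADV-0002 comes only from the BOM scan; ADV-0004 appears in neither,
    # because libbaz is listed in no BOM component and none of its files were scanned.
    print(sorted(phantom_findings(BOM_JSON, SCANNED_FILES, ADVISORIES)))  # ['ADV-0002']
```

Comparing the two sets in this way is a practical triage step: a BOM-only finding whose file is absent can be deprioritised, while a finding in both sets affects code that actually ships.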

References

https://help.sonatype.com/iqserver/analysis/cyclonedx-application-analysis
https://help.sonatype.com/iqserver/automating/rest-apis/cyclonedx-rest-api---v2
