Problem
An SBOM file contains vulnerabilities that are correctly referenced by the components in the file, but after the file is imported into SBOM Manager, the SBOM Bill of Materials view shows no vulnerabilities for any of the components.
Possible causes
The vulnerabilities section of the SBOM file may be missing fields that SBOM Manager requires in order to display the vulnerability details.
Solution
Check whether the "purl" of each affected component matches the format of an ecosystem supported by Sonatype Component Identifiers, as shown in the examples at https://help.sonatype.com/en/package-url-and-component-identifiers.html
If yes, there may have been a problem during the import. Check clm-server.log for errors, or reach out to Sonatype Support for additional assistance.
If no, check that each entry in the vulnerabilities section of the SBOM file includes at least the 'source' and 'ratings' details, as in the example below:
"vulnerabilities": [
  {
    "id": "CVE-2022-42003",
    "source": {
      "name": "NVD",
      "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003"
    },
    "ratings": [
      {
        "source": { "name": "NVD" },
        "score": 7.5,
        "severity": "critical",
        "method": "CVSSv3",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
      }
    ],
    "cwes": [ 502 ],
    "analysis": {
      "state": "resolved_with_pedigree",
      "justification": "requires_environment",
      "response": [ "workaround_available", "update" ],
      "detail": "Analysis Detail"
    },
    "affects": [
      { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar" }
    ]
  }
]
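The two checks above (purl format of the affected components, and presence of 'source' and 'ratings' on each vulnerability) can be run against a CycloneDX JSON file before importing it. The script below is an added example written for this article; it is not part of SBOM Manager or of Sonatype's tooling, and the list of purl types it accepts is an assumption standing in for the ecosystem list linked above. The embedded SBOM is constructed sample data: CVE-2022-42003 and its rating are taken from the example in this article, while the EXAMPLE-VULN-* identifiers and the second component are placeholders.

```python
import json
import re
import sys

# Minimal purl shape: pkg:TYPE/NAMESPACE/NAME@VERSION?QUALIFIERS#SUBPATH
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?P<path>[^@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?[^#]*)?(?:#.*)?$"
)

# ASSUMPTION: a subset of purl types; replace with the ecosystems listed on
# the Sonatype Component Identifiers page for your installation.
KNOWN_TYPES = {"maven", "npm", "pypi", "nuget", "gem", "golang", "cargo", "composer", "conan", "cocoapods"}

# Constructed sample SBOM (CycloneDX JSON shape); not a real export.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "jackson-databind",
            "version": "2.13.4",
            "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar",
            "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar",
        },
        {   # placeholder component whose purl lacks the "pkg:" scheme
            "type": "library",
            "name": "example-lib",
            "version": "1.0.0",
            "purl": "example-lib@1.0.0",
            "bom-ref": "example-lib",
        },
    ],
    "vulnerabilities": [
        {   # complete entry (from the article's example)
            "id": "CVE-2022-42003",
            "source": {"name": "NVD"},
            "ratings": [{"source": {"name": "NVD"}, "score": 7.5, "severity": "critical",
                         "method": "CVSSv3",
                         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],
            "affects": [{"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar"}],
        },
        {   # placeholder: no source, no ratings, affects a component with a bad purl
            "id": "EXAMPLE-VULN-0001",
            "affects": [{"ref": "example-lib"}],
        },
        {   # placeholder: well-formed, but the affects ref matches no component
            "id": "EXAMPLE-VULN-0002",
            "source": {"name": "EXAMPLE-SOURCE"},
            "ratings": [{"source": {"name": "EXAMPLE-SOURCE"}, "severity": "medium"}],
            "affects": [{"ref": "pkg:pypi/example-tool@1.2.3"}],
        },
    ],
}


def check_purl(purl):
    """Return a list of problems with a component purl (empty list means OK)."""
    findings = []
    m = PURL_RE.match(purl or "")
    if not m:
        findings.append(f"purl does not parse: {purl!r}")
        return findings
    if m.group("type") not in KNOWN_TYPES:
        findings.append(f"purl type {m.group('type')!r} not in known ecosystem list")
    if not m.group("version"):
        findings.append("purl has no version")
    return findings


def check_sbom(sbom):
    """Map each vulnerability id to the list of reasons it may not import."""
    # Components are looked up by bom-ref first, then by purl (the affects.ref target).
    refs = {}
    for comp in sbom.get("components", []):
        for key in (comp.get("bom-ref"), comp.get("purl")):
            if key:
                refs.setdefault(key, comp)
    report = {}
    for vuln in sbom.get("vulnerabilities", []):
        findings = []
        src = vuln.get("source")
        if not isinstance(src, dict) or not src.get("name"):
            findings.append("missing source.name")
        ratings = vuln.get("ratings")
        if not isinstance(ratings, list) or not ratings:
            findings.append("missing ratings")
        else:
            for i, rating in enumerate(ratings):
                rsrc = rating.get("source")
                if not isinstance(rsrc, dict) or not rsrc.get("name"):
                    findings.append(f"ratings[{i}] missing source.name")
                if rating.get("severity") is None and rating.get("score") is None:
                    findings.append(f"ratings[{i}] has neither severity nor score")
        affects = vuln.get("affects") or []
        if not affects:
            findings.append("affects is empty")
        for entry in affects:
            ref = entry.get("ref")
            comp = refs.get(ref)
            if comp is None:
                findings.append(f"affects ref {ref!r} matches no component bom-ref/purl")
            else:
                findings.extend(f"component {ref!r}: {p}" for p in check_purl(comp.get("purl")))
        report[vuln.get("id", "<no id>")] = findings
    return report


if __name__ == "__main__":
    # Usage: python check_sbom.py path/to/bom.json  (defaults to the constructed sample)
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for vuln_id, problems in check_sbom(bom).items():
        print(vuln_id, "OK" if not problems else "; ".join(problems))
```

Run against the constructed sample, CVE-2022-42003 reports clean, EXAMPLE-VULN-0001 reports the missing source and ratings plus the unparseable purl of its component, and EXAMPLE-VULN-0002 reports an affects ref that points at no component in the file. Entries in the first two categories are the ones to fix in the SBOM; an SBOM that passes every check but still imports without vulnerabilities points to the import-side problem described in the step above.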
See the Missing Vulnerabilities in Imported SBOMs documentation for details.