Skip to content

Add package's CPE to BOM #224

Description

@ryden54

Is your feature request related to a problem? Please describe.

OWASP's Dependency track internal analyser uses only CPE (not PURL) to match components with NVD vulnerabilities.
The current version of this package does not seem to include CPE in the generated BOM file
When uploaded to dependency track, the default analyser fails to match any php dependency to known vulnerabilities.

Describe the solution you'd like

In the generated bom in cyclonedx format, include the CPE of all packages

Describe alternatives you've considered

Dependency track can be configured to user other scanners, which can handle the provided packages PURLs
But it would be better to be able to benefit also from the https://nvd.nist.gov/vuln

Packagist is also integrating nist's NVDs, but having all the information centralised in the dependency track application would be great

Additional context

With the example of https://nvd.nist.gov/vuln/detail/CVE-2021-3603
the expected CPE is cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:* ( |<=6.4.1 )

Looking at the composer.json file, there's no mention of phpmailer_project, neither on packagist's page
https://packagist.org/packages/phpmailer/phpmailer#v5.2.26
I don't know how it should be built with the available composer's data...?

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions