Is your feature request related to a problem? Please describe.
OWASP's Dependency track internal analyser uses only CPE (not PURL) to match components with NVD vulnerabilities.
The current version of this package does not seem to include CPE in the generated BOM file
When uploaded to dependency track, the default analyser fails to match any php dependency to known vulnerabilities.
Describe the solution you'd like
In the generated bom in cyclonedx format, include the CPE of all packages
Describe alternatives you've considered
Dependency track can be configured to user other scanners, which can handle the provided packages PURLs
But it would be better to be able to benefit also from the https://nvd.nist.gov/vuln
Packagist is also integrating nist's NVDs, but having all the information centralised in the dependency track application would be great
Additional context
With the example of https://nvd.nist.gov/vuln/detail/CVE-2021-3603
the expected CPE is cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:* ( |<=6.4.1 )
Looking at the composer.json file, there's no mention of phpmailer_project, neither on packagist's page
https://packagist.org/packages/phpmailer/phpmailer#v5.2.26
I don't know how it should be built with the available composer's data...?
Is your feature request related to a problem? Please describe.
OWASP's Dependency track internal analyser uses only CPE (not PURL) to match components with NVD vulnerabilities.
The current version of this package does not seem to include CPE in the generated BOM file
When uploaded to dependency track, the default analyser fails to match any php dependency to known vulnerabilities.
Describe the solution you'd like
In the generated bom in cyclonedx format, include the CPE of all packages
Describe alternatives you've considered
Dependency track can be configured to user other scanners, which can handle the provided packages PURLs
But it would be better to be able to benefit also from the https://nvd.nist.gov/vuln
Packagist is also integrating nist's NVDs, but having all the information centralised in the dependency track application would be great
Additional context
With the example of https://nvd.nist.gov/vuln/detail/CVE-2021-3603
the expected CPE is
cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:* ( |<=6.4.1 )Looking at the composer.json file, there's no mention of
phpmailer_project, neither on packagist's pagehttps://packagist.org/packages/phpmailer/phpmailer#v5.2.26
I don't know how it should be built with the available composer's data...?