No vulnerabilities found for cyclones generated with dotnet CycloneDX

[rogerfar]

I have a dotnet 10 project, which gives this error on build:

Warning As Error: Package 'KubernetesClient' 15.0.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-w7r3-mgwf-4mqq

This is an indirect dependency, when I generate the Cyclone file I do:

dotnet CycloneDX MySolution.sln

I get this SBOM:

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:f2919a2c-8d47-4168-aac1-a0af466cff9b" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
  <metadata>
    <timestamp>2025-11-12T16:28:01.5241355Z</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>CycloneDX module for .NET</name>
        <version>5.5.0.0</version>
      </tool>
    </tools>
    <component type="application" bom-ref="App@0.0.0">
      <name>App</name>
      <version>0.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:nuget/KubernetesClient@15.0.1">
      <authors>
        <author>
          <name>The Kubernetes Project Authors</name>
        </author>
      </authors>
      <name>KubernetesClient</name>
      <version>15.0.1</version>
      <description>Client library for the Kubernetes open source container orchestrator.</description>
      <scope>required</scope>
      <hashes>
        <hash alg="SHA-512">909E20250E26B072053E5468F30915908D95202ACCD18C05F5A486F1BC4D6CA907B3C328EACE395CCAE0DB37D8AFF7F17568F6662388644833DB9C33E3730562</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <copyright>2017 The Kubernetes Project Authors</copyright>
      <purl>pkg:nuget/KubernetesClient@15.0.1</purl>
      <externalReferences>
        <reference type="website">
          <url>https://github.com/kubernetes-client/csharp</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/kubernetes-client/csharp</url>
        </reference>
      </externalReferences>
    </component>
</bom>

I then import this, and I see that it is used:

But there are no vulnerabilities marked, even though it does have the CVE:

But why aren't they linked?

[savek-cc]

Because NVD is lagging behind on populating the cpe fields, see https://nvd.nist.gov/vuln/detail/CVE-2025-9708 "This CVE record has been marked for NVD enrichment efforts." so it can't be mapped to anything yet.
If you would enable additional data sources (such as Sonatype OSS Index), you might get information from there: https://ossindex.sonatype.org/component/pkg:nuget/KubernetesClient@15.0.1