
Stale vulnerabilities remain when analyzer (Trivy) no longer reports them #5764

@arjavdongaonkar

Description


Current Behavior

When using Dependency-Track with Trivy as the analyzer, vulnerabilities that were previously reported by Trivy remain associated with components even after Trivy no longer reports them in subsequent scans.

This leads to stale / false-positive findings persisting indefinitely, despite being resolved or reverted in the upstream Trivy vulnerability database.

Steps to Reproduce

  1. Upload a BOM containing component C
  2. Trivy reports vulnerability V (e.g. CVE-2025-15467) for component C
    → Dependency-Track creates:
    • Vulnerability record
    • Finding attribution linking C ↔ V
  3. Later, Trivy vulnerability DB updates and V is no longer reported for component C
    (e.g. false positive reverted, advisory withdrawn)
  4. Re-upload the same BOM (or updated BOM still containing component C)
  5. Dependency-Track runs Trivy analysis again
  6. Finding attribution for C ↔ V remains active

The following components previously had a critical vulnerability reported by Trivy, which was later reverted upstream:

  • openssl-provider-legacy 3.5.4-1~deb13u1
  • libcrypto3 3.5.4-r0
  • CVE-2025-15467

After Trivy stopped reporting this CVE, Dependency-Track continued to show it as active.

Expected Behavior

Dependency-Track should reconcile analyzer results per scan:

  • If an analyzer (Trivy) no longer reports a vulnerability for a component, the existing finding should be:
    • Removed from the component’s active findings

This reconciliation should be scoped by:

  • Component
  • Analyzer
  • Scan run

The vulnerability record itself can remain, but the association must reflect current analyzer output.

Dependency-Track Version

4.13.6

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome
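To make the reconciliation the reporter asks for concrete, here is an added example (not Dependency-Track's code, and not using its data model or API) that models the entities the issue names: vulnerability records, and finding attributions that link a component to a vulnerability and record which analyzer reported it in which scan run. `record_scan` applies one analyzer's result for one component: attributions that analyzer did not re-report are dropped, attributions from other analyzers are left alone, and the vulnerability record itself is kept. The component name, analyzer names (`trivy` and a constructed `other-analyzer`) and scan-run ids are sample values.

```python
"""Per-scan reconciliation of analyzer findings (illustrative, not Dependency-Track code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attribution:
    """Links a component to a vulnerability, scoped by the analyzer and scan run that reported it."""
    component: str
    vuln_id: str
    analyzer: str
    scan_run: str


@dataclass
class FindingStore:
    vulnerabilities: set = field(default_factory=set)   # vulnerability records, never deleted here
    attributions: set = field(default_factory=set)      # active component <-> vulnerability links

    def record_scan(self, component, analyzer, scan_run, reported):
        """Apply one analyzer run for one component.

        `reported` is the set of vulnerability ids the analyzer produced in this run.
        Returns (newly_added_ids, removed_stale_ids). Reconciliation is scoped to
        (component, analyzer): other analyzers' attributions are untouched.
        """
        reported = set(reported)
        self.vulnerabilities |= reported

        current = {a for a in self.attributions
                   if a.component == component and a.analyzer == analyzer}
        stale = {a for a in current if a.vuln_id not in reported}

        # Drop everything this analyzer previously attributed to the component, then
        # re-attribute only what the current run reported, stamped with this scan run.
        self.attributions -= current
        fresh = {Attribution(component, v, analyzer, scan_run) for v in reported}
        self.attributions |= fresh

        previously_reported = {a.vuln_id for a in current}
        added = reported - previously_reported
        removed = {a.vuln_id for a in stale}
        return added, removed

    def active_findings(self, component):
        """Vulnerability ids still attributed to the component by any analyzer."""
        return sorted({a.vuln_id for a in self.attributions if a.component == component})


def walk_through_issue_scenario():
    """Replays the scenario from the report with constructed sample values."""
    store = FindingStore()
    comp = "libcrypto3 3.5.4-r0"          # component C
    cve = "CVE-2025-15467"                # vulnerability V

    # Run 1: Trivy and a second (constructed) analyzer both report V for C.
    store.record_scan(comp, "trivy", "run-1", [cve])
    store.record_scan(comp, "other-analyzer", "run-1", [cve])

    # Run 2: Trivy's DB no longer lists V; the other analyzer still does.
    _, removed_by_trivy = store.record_scan(comp, "trivy", "run-2", [])
    still_active_via_other = store.active_findings(comp)

    # Run 3: the other analyzer also stops reporting V; the finding goes away,
    # but the vulnerability record itself remains.
    store.record_scan(comp, "other-analyzer", "run-3", [])
    return {
        "removed_by_trivy": removed_by_trivy,
        "active_after_trivy_dropped_it": still_active_via_other,
        "active_after_all_dropped_it": store.active_findings(comp),
        "vuln_record_retained": cve in store.vulnerabilities,
    }


if __name__ == "__main__":
    for key, value in walk_through_issue_scenario().items():
        print(f"{key}: {value}")
```

The point of scoping by (component, analyzer) is visible in run 2: Trivy withdrawing V does not erase an attribution another analyzer still stands behind, so a finding only disappears once no analyzer reports it, while the vulnerability record stays available for history and audit.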

Labels: defect (Something isn't working), duplicate (This issue or pull request already exists)
