Exported VEX cannot be resolved against the originally imported BOM #6016

@AenganZ

Description

Current Behavior

I found a BOM-VEX round-trip target resolvability issue while conducting research on BOM-VEX validation.

When I upload original_cdx.json to Dependency-Track and export a VEX from the same project as dependency-track_vex.json, the exported VEX cannot be resolved against the originally imported BOM.

My validator reports:

CROSS-001 Target Resolvability ERROR
VEX product '4a73ff63-0c06-4b6b-9758-1fcb8b66814d' (vuln: CVE-2023-4016) cannot be resolved to any BOM component.

I attached:

  • original_cdx.json
  • dependency-track_vex.json

From these files, it appears that the exported VEX uses generated target identifiers that do not exist in the originally imported BOM.

Steps to Reproduce

  1. Upload original_cdx.json to Dependency-Track.
  2. Export the project VEX as dependency-track_vex.json.
  3. Compare original_cdx.json and dependency-track_vex.json.
  4. Observe that the exported VEX contains target identifiers that cannot be resolved against the original BOM.

Expected Behavior

The exported VEX should remain resolvable against the originally imported BOM.

If a BOM is imported and a VEX is exported from that same project, the exported VEX should preserve target identity in a way that allows direct resolution against the original BOM.

Dependency-Track Version

4.14.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome
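A target-resolvability check of the kind the validator output above describes, added here as an example; it is neither the reporter's validator nor Dependency-Track code. The BOM and VEX documents are constructed inline (the second vulnerability id and ref are placeholders), and the fallback that maps a generated ref back to a purl through the VEX's own component list is an assumption about the export.

```python
import json

# Constructed sample documents, not the attached files. The BOM keeps the
# producer's bom-refs; the VEX points at a generated UUID (as in the report)
# and carries its own component entry mapping that UUID back to a purl.
BOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"bom-ref": "pkg:pypi/requests@2.25.0", "name": "requests", "purl": "pkg:pypi/requests@2.25.0"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.0", "name": "urllib3", "purl": "pkg:pypi/urllib3@1.26.0"},
]})
VEX_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"bom-ref": "4a73ff63-0c06-4b6b-9758-1fcb8b66814d", "name": "requests", "purl": "pkg:pypi/requests@2.25.0"},
], "vulnerabilities": [
    {"id": "CVE-2023-4016", "affects": [{"ref": "4a73ff63-0c06-4b6b-9758-1fcb8b66814d"}]},
    # Placeholder id and ref (constructed): a target with no component entry at all.
    {"id": "CVE-0000-0000", "affects": [{"ref": "00000000-0000-0000-0000-000000000000"}]},
]})

def components(doc):
    """Yield every component: metadata.component, top-level and nested ones."""
    stack = list(doc.get("components", []))
    if doc.get("metadata", {}).get("component"):
        stack.append(doc["metadata"]["component"])
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))

def check_target_resolvability(bom, vex):
    """Return (vuln_id, ref, how) per VEX target, how being 'bom-ref', 'purl' or None;
    unresolved targets are also printed in the validator's CROSS-001 format."""
    bom_refs = {c.get("bom-ref") for c in components(bom)} - {None}
    bom_purls = {c.get("purl") for c in components(bom)} - {None}
    # Assumption: the export's own component list maps generated refs to purls,
    # so a purl match is accepted as a weaker, second-chance resolution.
    vex_purl_by_ref = {c.get("bom-ref"): c.get("purl") for c in components(vex)}
    results = []
    for vuln in vex.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            how = "bom-ref" if ref in bom_refs else (
                "purl" if vex_purl_by_ref.get(ref) in bom_purls else None)
            if how is None:
                print(f"CROSS-001 Target Resolvability ERROR: VEX product '{ref}' "
                      f"(vuln: {vuln.get('id')}) cannot be resolved to any BOM component.")
            results.append((vuln.get("id"), ref, how))
    return results

def run():
    """Check the constructed VEX against the constructed BOM."""
    return check_target_resolvability(json.loads(BOM_JSON), json.loads(VEX_JSON))
```

Running `run()` resolves the first target only through the purl fallback and reports the second as a CROSS-001 error; a VEX that preserved the original bom-refs would resolve every target as 'bom-ref'.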
