Why can't it analyze when importing an SBOM file? #2934
Unanswered
chenjianquan7 asked this question in Q&A
Trying to guess a CPE is extremely error-prone and plain not a good idea, which is why Dependency-Track does not do it by default. I recommend reading https://owasp.org/blog/2022/09/13/sbom-forum-recommends-improvements-to-nvd for some background information. You can enable fuzzy analysis in the settings and see if that satisfies your needs.
Current Behavior
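The SBOM file I generated has no CPE data, but it does have version information. Why can't it be parsed? How should the CPE be generated? Can't it be matched automatically?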
Steps to Reproduce
The SBOM file I generated does not have CPE data, but it has version information. Why can't it be parsed? How should the CPE be generated? Can't it be matched automatically?
Expected Behavior
The imported SBOM file does not have CPE data and can be used normally.
Dependency-Track Version
4.7.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
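An added example, not part of the original discussion and not Dependency-Track's own code: it lists the components of a BOM that carry no `cpe` field and shows what a guess built only from group, name and version would look like. It assumes the SBOM is CycloneDX JSON; the sample BOM and the function names are constructed for illustration.

```python
import json

# Constructed sample: a minimal CycloneDX JSON BOM. The first component carries
# a CPE; the second has only group/name/version, as in the question above.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"}
  ]
}
""")


def walk(components):
    """Yield every component, including nested sub-components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def naive_cpe(comp):
    """Guess a CPE 2.3 string from group/name/version alone (illustration only)."""
    vendor = (comp.get("group") or comp["name"]).lower()
    product = comp["name"].lower()
    version = comp.get("version") or "*"
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def audit(bom):
    """Return (name, version, naive guess) for each component without a CPE."""
    return [(c["name"], c.get("version"), naive_cpe(c))
            for c in walk(bom.get("components")) if not c.get("cpe")]


if __name__ == "__main__":
    for name, version, guess in audit(SAMPLE_BOM):
        print(f"{name} {version}: no CPE in BOM; naive guess would be {guess}")
```

For `log4j-core` the guess takes the Maven group as vendor, while the NVD CPE dictionary lists this product under vendor `apache` and product `log4j`, so an exact match on the guessed string would miss it.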