Inconsistent Vulnerabilities Reported for the Same CPE Across Project Versions #4613

Open
2 tasks done
FabioRighe opened this issue Feb 3, 2025 · 0 comments
Labels: defect (Something isn't working), in triage

Comments


FabioRighe commented Feb 3, 2025

Current Behavior

I am experiencing a discrepancy in the number of vulnerabilities reported for the same component across two different versions of my project.

Component Details:

  • component name: g++-8
  • version 8.3.0-6
  • CPE: cpe:2.3:a:g++-8:g++-8:8.3.0-6:::::::*
  • PURL: pkg:deb/debian/g%20%[email protected]?arch=amd64&distro=debian-10&upstream=gcc-8

Issue:
I have two versions of my project, and the reported vulnerabilities for this component vary significantly:

  • Version 1: Reports 1,772 vulnerabilities associated with the CPE.
  • Version 2: Reports 0 vulnerabilities for the same CPE.

Steps Taken:

  • Checked that the reported analyzer is NVD
  • I performed a "reanalyze" action, but the vulnerability count remained unchanged in both versions.
  • I downloaded the BOM with vulnerabilities for each version and found that the vulnerabilities listed in both versions align with the data in the report.

Screenshots:
Version 1 (1772 vulnerabilities): [screenshot]

Version 2 (0 vulnerabilities): [screenshot]

Questions:

  • Could this be an issue with how the CPE is being matched?
  • Is there a known bug or an inconsistency in how NVD is handling this package?
  • Are there any debugging steps I can take to further investigate this discrepancy?

Steps to Reproduce

  1. I'm not sure if this scenario can be reproduced easily

Expected Behavior

The vulnerability analysis should be consistent across project versions for the same CPE and PURL.

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

N/A

Checklist

@FabioRighe FabioRighe added defect Something isn't working in triage labels Feb 3, 2025
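One way to take the reporter's third "Steps Taken" item further, as an added example that is not code from this issue or from Dependency-Track: given two CycloneDX JSON exports "with vulnerabilities" (one per project version), map every vulnerability to the purl of the component it affects and report the ids present in one version but absent from the other, optionally restricted to a single analyzer such as NVD. The embedded BOMs are constructed samples; the purl and vulnerability ids in them are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample exports in CycloneDX JSON shape (fields trimmed to what the
# diff needs). The purl and the vulnerability ids are placeholders, not real data.
PURL = "pkg:deb/debian/EXAMPLE-PKG@8.3.0-6?arch=amd64"  # placeholder purl
COMPONENT = {"bom-ref": "comp-1", "name": "g++-8", "version": "8.3.0-6", "purl": PURL}
BOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [COMPONENT],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "source": {"name": "NVD"}, "affects": [{"ref": "comp-1"}]},
        {"id": "EXAMPLE-VULN-2", "source": {"name": "NVD"}, "affects": [{"ref": "comp-1"}]},
    ],
})
BOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [COMPONENT],
    "vulnerabilities": [],  # same component, no findings attached in this version
})


def vulns_by_purl(bom_json: str, source=None) -> dict[str, set[str]]:
    """Map each component purl to the ids of vulnerabilities whose `affects` refs
    point at it (refs may be a bom-ref or the purl itself). `source` optionally
    keeps only one analyzer's findings, e.g. "NVD"."""
    bom = json.loads(bom_json)
    ref_to_purl: dict[str, str] = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl") or comp.get("bom-ref")
        ref_to_purl[comp.get("bom-ref", purl)] = purl
        ref_to_purl.setdefault(purl, purl)
    findings: dict[str, set[str]] = defaultdict(set)
    for vuln in bom.get("vulnerabilities", []):
        if source and vuln.get("source", {}).get("name") != source:
            continue
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            findings[ref_to_purl.get(ref, ref)].add(vuln["id"])
    return findings


def diff_findings(bom_a: str, bom_b: str, source=None) -> dict[str, dict[str, set[str]]]:
    """For every purl in either export, list ids seen only in A and only in B.
    Purls whose finding sets match are omitted, so {} means the versions agree."""
    a, b = vulns_by_purl(bom_a, source), vulns_by_purl(bom_b, source)
    result = {}
    for purl in sorted(set(a) | set(b)):
        only_a, only_b = a[purl] - b[purl], b[purl] - a[purl]
        if only_a or only_b:
            result[purl] = {"only_in_a": only_a, "only_in_b": only_b}
    return result
```

A non-empty result for a purl that exists in both exports narrows the question to that component's analysis results rather than to the inventory itself.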