Description
I have configured the cve and osv-github importers. After the import process completed, I observed some inconsistencies regarding PURLs and the resulting "Packages" view.
Vulnerabilities with missing purls field
I noticed that a significant number of imported vulnerabilities have an empty purls field. I would say that most of them have no purls field. IMPORTANT: This was only determined by randomly picking imported vulnerabilities and checking the purls field. You can see an example of such a vulnerability here:
Vulnerability without purls field
{
  "normative": true,
  "identifier": "CVE-2024-22880",
  "title": "Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute a arbitrary code via a crafted script to the webchat component.",
  "description": "Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute a arbitrary code via a crafted script to the webchat component.",
  "reserved": "2024-01-11T00:00:00Z",
  "published": "2025-03-13T00:00:00Z",
  "modified": "2025-03-19T18:39:37.455Z",
  "withdrawn": null,
  "discovered": null,
  "released": null,
  "cwes": [],
  "average_severity": "medium",
  "average_score": 4.7,
  "advisories": [
    {
      "uuid": "urn:uuid:28867ff2-5135-4084-9a3a-fa656ce3d41a",
      "identifier": "GHSA-rgfv-pm9m-qwf8",
      "document_id": "GHSA-rgfv-pm9m-qwf8",
      "issuer": null,
      "published": "2025-03-13T15:32:58Z",
      "modified": "2025-03-19T21:30:46Z",
      "withdrawn": null,
      "title": null,
      "labels": {
        "importer": "osv-github",
        "source": "https://github.com/github/advisory-database",
        "file": "unreviewed/2025/03/GHSA-rgfv-pm9m-qwf8/GHSA-rgfv-pm9m-qwf8.json",
        "type": "osv"
      },
      "severity": "medium",
      "score": 4.7,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
      ],
      "purls": {},
      "sboms": [],
      "number_of_vulnerabilities": 1
    },
    {
      "uuid": "urn:uuid:19d52a0f-6a75-4a24-b50f-0724782d2950",
      "identifier": "CVE-2024-22880",
      "document_id": "CVE-2024-22880",
      "issuer": {
        "id": "3207d1e1-7d2b-4ef2-8fe5-21c05c745375",
        "name": "mitre",
        "cpe_key": null,
        "website": null
      },
      "published": "2025-03-13T00:00:00Z",
      "modified": "2025-03-19T18:39:37.455Z",
      "withdrawn": null,
      "title": "Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute a arbitrary code via a crafted script to the webchat component.",
      "labels": {
        "type": "cve",
        "importer": "cve",
        "source": "https://github.com/CVEProject/cvelistV5",
        "file": "2024/22xxx/CVE-2024-22880.json"
      },
      "severity": "medium",
      "score": 4.7,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
      ],
      "purls": {},
      "sboms": [],
      "number_of_vulnerabilities": 1
    }
  ]
}
Vulnerability with purls field
There are some cases where the purls field isn't empty:
Vulnerability with purls field
{
  "normative": true,
  "identifier": "CVE-2024-39323",
  "title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account",
  "description": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.\n",
  "reserved": "2024-06-21T18:15:22.263Z",
  "published": "2024-07-02T16:03:03.253Z",
  "modified": "2024-08-02T04:19:20.645Z",
  "withdrawn": null,
  "discovered": null,
  "released": null,
  "cwes": [
    "CWE-1220",
    "CWE-863"
  ],
  "average_severity": "high",
  "average_score": 7.1,
  "advisories": [
    {
      "uuid": "urn:uuid:27b9825f-0c39-435b-8f1a-a3ba12f71152",
      "identifier": "GHSA-vc7j-99jw-jrqm",
      "document_id": "GHSA-vc7j-99jw-jrqm",
      "issuer": null,
      "published": "2024-07-02T21:20:33Z",
      "modified": "2024-07-05T17:54:36Z",
      "withdrawn": null,
      "title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account",
      "labels": {
        "file": "github-reviewed/2024/07/GHSA-vc7j-99jw-jrqm/GHSA-vc7j-99jw-jrqm.json",
        "importer": "osv-github",
        "type": "osv",
        "source": "https://github.com/github/advisory-database"
      },
      "severity": "high",
      "score": 8.2,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
      ],
      "purls": {
        "fixed": [
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "2024.04.6",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "2023.10.6",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "2022.10.10",
            "context": null
          }
        ],
        "affected": [
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "[2024.04.1,2024.04.6)",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "[2023.04.1,2023.10.6)",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "[2022.04.1,2022.10.10)",
            "context": null
          }
        ]
      },
      "sboms": [],
      "number_of_vulnerabilities": 1
    },
    {
      "uuid": "urn:uuid:d98041c9-afef-4585-ae95-2105189b3850",
      "identifier": "CVE-2024-39323",
      "document_id": "CVE-2024-39323",
      "issuer": {
        "id": "916ae1b9-aa83-4af5-9a16-f40daa26fb40",
        "name": "GitHub_M",
        "cpe_key": null,
        "website": null
      },
      "published": "2024-07-02T16:03:03.253Z",
      "modified": "2024-08-02T04:19:20.645Z",
      "withdrawn": null,
      "title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account",
      "labels": {
        "importer": "cve",
        "file": "2024/39xxx/CVE-2024-39323.json",
        "type": "cve",
        "source": "https://github.com/CVEProject/cvelistV5"
      },
      "severity": "high",
      "score": 7.1,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
      ],
      "purls": {},
      "sboms": [],
      "number_of_vulnerabilities": 1
    }
  ]
}
Imported packages
After the importers finished, the "Packages" view was populated with many entries.
Questions
Regarding Matching:
- Do the osv-github and cve importers frequently result in empty purls?
- Is the purls field a hard requirement for Trustify to match vulnerabilities to packages in SBOMs?
- If the purls field is empty, how does Trustify match the vulnerabilities?
Regarding Packages
Importer config
get /api/v2/importer
[
  {
    "name": "cve",
    "heartbeat": 1763394920705011000,
    "configuration": {
      "cve": {
        "disabled": false,
        "period": "1day",
        "description": "CVE list v5",
        "source": "https://github.com/CVEProject/cvelistV5"
      }
    },
    "state": "waiting",
    "lastChange": "2025-11-17T15:55:20.580487Z",
    "lastSuccess": "2025-11-17T15:55:10.70635Z",
    "lastRun": "2025-11-17T15:55:10.70635Z",
    "progress": {},
    "continuation": "4772e2f14e6ce50e2b8cbc6523a3d16e11a3f63d"
  },
  {
    "name": "osv-github",
    "heartbeat": 1763467500704317400,
    "configuration": {
      "osv": {
        "disabled": false,
        "period": "1day",
        "description": "GitHub Advisory Database",
        "source": "https://github.com/github/advisory-database",
        "path": "advisories"
      }
    },
    "state": "waiting",
    "lastChange": "2025-11-18T12:05:00.276299Z",
    "lastSuccess": "2025-11-18T12:04:20.706296Z",
    "lastRun": "2025-11-18T12:04:20.706296Z",
    "progress": {},
    "continuation": "f1fbd2d59262f3f2e21238d98b071fe2649065a0"
  },
  {
    "name": "redhat-csaf",
    "heartbeat": null,
    "configuration": {
      "csaf": {
        "disabled": true,
        "period": "1day",
        "description": "All Red Hat CSAF data",
        "source": "redhat.com",
        "v3Signatures": false,
        "fetchRetries": 50
      }
    },
    "state": "waiting",
    "lastChange": "2025-11-10T11:01:03.627442Z",
    "progress": {}
  }
]
Thank you very much for your inputs and help!
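An added example (not Trustify's own code, and not an answer to how Trustify matches without purls) that turns the random spot check described above into a systematic one over records in the shape shown in this issue: it lists vulnerabilities whose advisories all carry an empty purls object, and for the rest parses the "[lo,hi)" range notation of the affected entries to test whether a given purl@version falls inside. SAMPLE is a constructed, trimmed copy of the two records above; the version comparison is a plain dotted-numeric one assumed for this example.

```python
import json
import re

# Constructed sample (trimmed copies of the two records in this issue): one
# vulnerability whose GHSA advisory carries purls, one with only empty purls.
SAMPLE = json.loads("""[
 {"identifier": "CVE-2024-39323", "advisories": [
   {"identifier": "GHSA-vc7j-99jw-jrqm", "purls": {
     "fixed": [{"base_purl": {"purl": "pkg:composer/aimeos/ai-admin-graphql"}, "version": "2024.04.6"}],
     "affected": [
       {"base_purl": {"purl": "pkg:composer/aimeos/ai-admin-graphql"}, "version": "[2024.04.1,2024.04.6)"},
       {"base_purl": {"purl": "pkg:composer/aimeos/ai-admin-graphql"}, "version": "[2023.04.1,2023.10.6)"},
       {"base_purl": {"purl": "pkg:composer/aimeos/ai-admin-graphql"}, "version": "[2022.04.1,2022.10.10)"}]}},
   {"identifier": "CVE-2024-39323", "purls": {}}]},
 {"identifier": "CVE-2024-22880", "advisories": [
   {"identifier": "GHSA-rgfv-pm9m-qwf8", "purls": {}},
   {"identifier": "CVE-2024-22880", "purls": {}}]}
]""")

# Interval notation as used in the affected entries: "[lo,hi)", "(lo,hi]", ...
RANGE = re.compile(r"^([\[(])([^,]*),([^\])]*)([\])])$")

def vkey(version):
    """Dotted numeric sort key, so '2022.04.01' and '2022.04.1' compare equal."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def in_range(spec, version):
    """True if version lies in a '[lo,hi)' style interval; an empty bound is open."""
    m = RANGE.match(spec)
    if not m:                       # a bare version string pins one release
        return vkey(spec) == vkey(version)
    lo_br, lo, hi, hi_br = m.groups()
    v = vkey(version)
    if lo and (v < vkey(lo) or (lo_br == "(" and v == vkey(lo))):
        return False
    if hi and (v > vkey(hi) or (hi_br == ")" and v == vkey(hi))):
        return False
    return True

def without_purls(vulns):
    """Identifiers of vulnerabilities none of whose advisories carry purls."""
    return [v["identifier"] for v in vulns
            if not any(a.get("purls") for a in v["advisories"])]

def matches(vulns, purl, version):
    """Vulnerability identifiers with an affected range containing purl@version."""
    hits = set()
    for v in vulns:
        for a in v["advisories"]:
            for entry in a.get("purls", {}).get("affected", []):
                if entry["base_purl"]["purl"] == purl and in_range(entry["version"], version):
                    hits.add(v["identifier"])
    return sorted(hits)
```

Pointing SAMPLE at the full export of /api/v2/vulnerability instead of the inline records gives the actual ratio of empty-purls vulnerabilities rather than a random sample.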