Trying to figure out if there is a way to use this offline

[FearTheBadger]

I have BoM's that are created in the cycloneDX format (I've tried 1.1 &1.2 if that matters), which contain all the of the vulnerability reports I need for what I am working on.

In the example xml file, found below, I get 48 findings when running the current external checks. When I turn all those external checks off to try and get the single reported finding, I get zero findings. Which tells me that when this file is ingested the vulnerabilities section is ignored.

I understand this is not ideal (especially with this super old file), but I have a need to maintain a moment in history recording of these findings in an offline environment.

Is it possible to get DT to understand this BoM and report just the findings reported in the file?

Thanks,
Brock

example BoM:

<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/[email protected]">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.9.9</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/[email protected]</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:maven/com.fasterxml.jackson.core/[email protected]">
          <v:id>CVE-2018-7489</v:id>
          <v:source name="NVD">
            <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
          </v:source>
          <v:ratings>
            <v:rating>
              <v:score>
                <v:base>9.8</v:base>
                <v:impact>5.9</v:impact>
                <v:exploitability>3.0</v:exploitability>
              </v:score>
              <v:severity>Critical</v:severity>
              <v:method>CVSSv3</v:method>
              <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
            </v:rating>
          </v:ratings>
          <v:cwes>
            <v:cwe>184</v:cwe>
            <v:cwe>502</v:cwe>
          </v:cwes>
          <v:description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>https://github.com/FasterXML/jackson-databind/issues/1931</v:advisory>
            <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1041890</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>

[stevespringett]

Dependency-Track does not currently support the parsing and processing of the vulnerability extension. This is an optional capability of CycloneDX and is not part of the core specification.

If this capability is required, I would recommend creating a PR that implements the functionality.

[FearTheBadger]

Thanks, I expected as much but wanted to make sure.