If npm audit shows vulnerabilities, shouldn't DependencyTrack also show them?

[rkg-mm]

I am introducing this into our projects, and on the first project I am wondering:
Running npm audit on the project shows:

found 45 vulnerabilities (2 low, 41 moderate, 2 high) in 1638 scanned packages
41 vulnerabilities require semver-major dependency updates.
4 vulnerabilities require manual review. See the full report for details.

I then ran cyclonedx and uploaded the bom to dependency Track.

• First of all, I only see 92 components in Dtrack (though, the 1638 packages scanned by npm audit would seem a bit high to me anyway, 92 seems more realistic).
• And second, It shows 0 vulnerabilities. It does show a lot of these components as outdated on UI, but no vulnerability for any.

I do have Internal, Sonatype and NPM analyzers active, and since licenses and version updates are resolved well, I think recognition of the package should be fine.
(Version is 4.3.6)

[stevespringett]

All due to breaking changes made by GitHub. Refer to #1225 for full explanations and details about where NPM support is at.

[nil4]

I only see 92 components in Dtrack (though, the 1638 packages scanned by npm audit would seem a bit high to me anyway, 92 seems more realistic).

This is likely because cyclonedx-bom does not include NPM devDependencies in the bom by default, per https://github.com/CycloneDX/cyclonedx-node-module#getting-help

To get coverage similar to npm audit from Dependency Track, try using cyclonedx-bom --include-dev

[rkg-mm]

Thank you both, that explains it. Then i'll wait patently for the next release :)