Hello,

I'm in the process of switching from Dependency-Check [1] to Dependency-Track [2] to analyse vulnerabilities in my dependencies. I analyse a classic Spring Boot webapp depending upon org.apache.tomcat.embed:tomcat-embed-core. Dependency-Check, which uses a kind of fuzzy logic, detects (correctly?) CVEs such as CVE-2023-28709 or CVE-2023-41080. Dependency-Track uses exact matching with the artifact identifiers and does not detect those CVEs. I imagine (not totally sure) that those CVEs also affect tomcat-embed-core and not only apache:tomcat, but it seems like they are not targeting this "by-product" of the classic Tomcat.

What is or should be the correct process? Should the Tomcat team declare those CVEs as also affecting tomcat-embed-core? Should the CVE people do the job by themselves?

I've just found out that I'm not the only one having those questions: https://stackoverflow.com/questions/74886946/vulnerablities-for-tomcat-embed-core-in-owasp-dependencytrack but I'm still looking for advice/guidance.

Best regards
Francois

[1] - https://owasp.org/www-project-dependency-check/
[2] - https://dependencytrack.org/
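The difference the post describes, as an added illustration that is not from the original message or from either project's code base: a simplified fuzzy matcher that treats vendor and product tokens found in the Maven coordinates as evidence, next to an exact matcher that only accepts a CPE declared on the component. The vulnerability record is constructed sample data in NVD's vendor:product:version-range shape, not the real range of any listed CVE.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Component:
    purl: str                  # Maven coordinates as a package URL
    cpe: Optional[str] = None  # CPE 2.3 string, if the SBOM declares one


@dataclass
class CpeRange:
    cve: str
    vendor: str
    product: str
    start_incl: str            # first affected version
    end_excl: str              # first fixed version


def _ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def _purl_parts(purl: str):
    # pkg:maven/<namespace>/<name>@<version> -> (namespace, name, version)
    coords, version = purl[len("pkg:maven/"):].rsplit("@", 1)
    namespace, name = coords.split("/")
    return namespace, name, version


def exact_match(c: Component, r: CpeRange) -> bool:
    """Exact identifier matching: only a declared CPE with the same vendor:product counts."""
    if c.cpe is None:
        return False
    f = c.cpe.split(":")       # cpe:2.3:part:vendor:product:version:...
    if (f[3], f[4]) != (r.vendor, r.product):
        return False
    return _ver(r.start_incl) <= _ver(f[5]) < _ver(r.end_excl)


def fuzzy_match(c: Component, r: CpeRange) -> bool:
    """Simplified evidence-based matching: vendor and product tokens anywhere in the coordinates."""
    namespace, name, version = _purl_parts(c.purl)
    tokens = set(namespace.split(".")) | set(name.split("-"))
    if r.vendor not in tokens or r.product not in tokens:
        return False
    return _ver(r.start_incl) <= _ver(version) < _ver(r.end_excl)


# Constructed sample record (hypothetical CVE id and range), in NVD's shape.
SAMPLE = CpeRange("CVE-EXAMPLE-0001", "apache", "tomcat", "9.0.0", "9.0.74")
EMBED = Component("pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.73")
EMBED_WITH_CPE = Component(EMBED.purl, "cpe:2.3:a:apache:tomcat:9.0.73:*:*:*:*:*:*:*")
```

With only the PURL, the fuzzy matcher flags the component while the exact matcher stays silent; once the SBOM also carries a CPE for apache:tomcat, the exact matcher reports the same finding.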