Flutter packages (pub) get vulnerability from npm

[evyaroshevich]

Current Behavior

While scanning the Flutter project, I discovered a false positive. DependencyTrack incorrectly identified the package pkg:pub/build@2.4.1 as belonging to the npm repository and issued the vulnerability CVE-2020-28423. Upon visiting the NIST NVD website to view the details, I found that it has cpe:2.3:a:monorepo-build_project:monorepo-build::::::node.js::*. Although in the actual bom file, the cpe is absent altogether.

Steps to Reproduce

1. git clone any flutter project with pub/build@2.4.1
2. generate bom file
3. upload bom file to dependencytrack server

Expected Behavior

the vulnerability should not appear on this component

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Which analyzer was the vulnerability attributed to? You can find this info in the Analyzer column of the Audit Vulnerabilities tab.

[ostannar]

Hi @evyaroshevich,

how do you generate the .sbom file for dependency track?