Open
Description
Current Behavior
We have two versions of the same project that have the same components and versions, but both of them report different CVEs.
Steps to Reproduce
- Create two separate projects
- Run CDXGEN and import the same components into the two projects
- Run ReAnalyse
- The same components would show two different CVEs, even though they have the same version
8c03a6ee-d20a-4ba3-a1e8-caf14f361991-withVulnerabilities.cdx.json
9e4e596d-953e-4cf4-914f-cfafa30a7516-withVulnerabilities.cdx.json
Expected Behavior
The same component and version should have the same vulnerabilities.
Dependency-Track Version
4.13.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
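
To narrow down a discrepancy like the one reported above, the two exported BOMs can be compared component by component. This is an added example, not part of the original issue or Dependency-Track's own code; it assumes CycloneDX JSON exports in which `vulnerabilities[].affects[].ref` points at a component's `bom-ref`, and the sample BOMs and vulnerability ids are constructed placeholders.

```python
import json
import sys

def findings_by_component(bom):
    """Map each component (purl, else name@version) to its set of (vuln id, source) pairs."""
    ref_to_key = {}
    for comp in bom.get("components", []):  # top-level components only
        # Key on purl because bom-ref values are not assumed to match across exports.
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        ref_to_key[comp.get("bom-ref")] = key
    findings = {key: set() for key in ref_to_key.values()}
    for vuln in bom.get("vulnerabilities", []):
        source = (vuln.get("source") or {}).get("name", "unknown")
        for affected in vuln.get("affects", []):
            key = ref_to_key.get(affected.get("ref"))
            if key is not None:
                findings[key].add((vuln.get("id", "unknown"), source))
    return findings

def diff_findings(bom_a, bom_b):
    """Return {component: {"only_a": [...], "only_b": [...]}} for components in both BOMs."""
    a, b = findings_by_component(bom_a), findings_by_component(bom_b)
    diff = {}
    for key in sorted(a.keys() & b.keys()):
        only_a, only_b = sorted(a[key] - b[key]), sorted(b[key] - a[key])
        if only_a or only_b:
            diff[key] = {"only_a": only_a, "only_b": only_b}
    return diff

# Constructed sample BOMs (not the attachments from the issue); ids are placeholders.
SAMPLE_A = {"components": [{"bom-ref": "ref-a1", "purl": "pkg:npm/example-lib@1.2.3"}],
            "vulnerabilities": [
                {"id": "CVE-0000-0001", "source": {"name": "NVD"}, "affects": [{"ref": "ref-a1"}]},
                {"id": "CVE-0000-0002", "source": {"name": "NVD"}, "affects": [{"ref": "ref-a1"}]}]}
SAMPLE_B = {"components": [{"bom-ref": "ref-b1", "purl": "pkg:npm/example-lib@1.2.3"}],
            "vulnerabilities": [
                {"id": "CVE-0000-0001", "source": {"name": "NVD"}, "affects": [{"ref": "ref-b1"}]},
                {"id": "GHSA-xxxx-xxxx-xxxx", "source": {"name": "GITHUB"}, "affects": [{"ref": "ref-b1"}]}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # paths to the two exported *.cdx.json files
        boms = [json.load(open(p, encoding="utf-8")) for p in sys.argv[1:]]
    else:
        boms = [SAMPLE_A, SAMPLE_B]
    print(json.dumps(diff_findings(*boms), indent=2))
```

The source name attached to each differing id shows which vulnerability data source contributed the finding that only one project has.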