Analyze vulnerabilities for rpm packages in RedHat or CentOS operating systems #3991
Open
Labels
enhancement
New feature or request
Current Behavior
I collected the SBOM of all rpm packages in the CentOS system with the syft (https://github.com/anchore/syft) tool; the format of the SBOM file is cyclonedx-json. Then I uploaded the SBOM file to Dependency-Track.
[Screenshot: Snipaste_2024-07-22_11-42-32]
I found that Dependency Track could only analyze very few vulnerabilities on individual rpm packages.
However, I used the grype (https://github.com/anchore/grype) tool to perform vulnerability scanning locally and was able to scan over 10,000 vulnerabilities.

```
# grype sbom:./only-rpm-sbom-by-syft.json -o cyclonedx-json --file rpm-vulnerabilities.json
 ✔ Vulnerability DB                [updated]
 ✔ Scanned for vulnerabilities     [15862 vulnerability matches]
   ├── by severity: 11 critical, 724 high, 9902 medium, 6470 low, 0 negligible (49 unknown)
   └── by status:   5934 fixed, 11222 not-fixed, 1294 ignored
```
I found the following vulnerability databases supported by grype:
[Screenshot: grype's database section of its README, listing the supported vulnerability data sources]
https://github.com/anchore/grype?tab=readme-ov-file#grypes-database
Does Dependency-Track support distributions such as RedHat, or is support planned?
Proposed Behavior
I hope that Dependency Track can analyze more vulnerabilities for rpm packages like grype did.
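To turn the "grype finds more than Dependency-Track" observation into a per-package list, here is an added example (not code from this issue, grype or Dependency-Track) that compares two CycloneDX JSON documents that both carry a `vulnerabilities` array. It assumes grype's `-o cyclonedx-json` output as the reference and a Dependency-Track project exported as CycloneDX JSON with its vulnerabilities as the candidate; the purls and CVE IDs embedded below are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample input (not taken from the issue): two trimmed CycloneDX
# JSON documents with placeholder vulnerability IDs. The first stands in for
# grype's cyclonedx-json output, the second for a Dependency-Track export.
OPENSSL = "pkg:rpm/centos/openssl-libs@1.1.1k-7.el8?arch=x86_64&distro=centos-8"
BASH = "pkg:rpm/centos/bash@4.4.20-4.el8?arch=x86_64&distro=centos-8"
GRYPE_JSON = json.dumps({
    "components": [{"bom-ref": "c1", "purl": OPENSSL}, {"bom-ref": "c2", "purl": BASH}],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "c1"}]},
        {"id": "CVE-0000-0002", "affects": [{"ref": "c1"}, {"ref": "c2"}]},
    ],
})
DT_JSON = json.dumps({
    "components": [{"bom-ref": "x1", "purl": OPENSSL}, {"bom-ref": "x2", "purl": BASH}],
    "vulnerabilities": [{"id": "CVE-0000-0002", "affects": [{"ref": "x2"}]}],
})

def package_key(purl: str) -> str:
    """Key components by purl without qualifiers, so that differing
    arch/distro qualifiers between tools do not hide a match."""
    return purl.split("?", 1)[0]

def findings_by_package(doc: dict) -> dict[str, set[str]]:
    """Map each component to the vulnerability IDs that affect it.
    CycloneDX links them via vulnerabilities[].affects[].ref -> component bom-ref."""
    ref_to_key = {c.get("bom-ref", c["purl"]): package_key(c["purl"])
                  for c in doc.get("components", []) if c.get("purl")}
    found: dict[str, set[str]] = defaultdict(set)
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            key = ref_to_key.get(affected.get("ref"))
            if key:
                found[key].add(vuln["id"])
    return dict(found)

def coverage_gap(reference_json: str, candidate_json: str) -> dict[str, set[str]]:
    """Per package, IDs the reference scanner reports that the candidate lacks."""
    ref = findings_by_package(json.loads(reference_json))
    cand = findings_by_package(json.loads(candidate_json))
    return {k: ids - cand.get(k, set()) for k, ids in ref.items()
            if ids - cand.get(k, set())}

if __name__ == "__main__":
    for pkg, ids in sorted(coverage_gap(GRYPE_JSON, DT_JSON).items()):
        print(f"{pkg}: not reported by candidate: {', '.join(sorted(ids))}")
```

Packages that appear in the gap with many IDs are where the candidate's data sources do not cover the distro's advisories; a non-empty gap for every rpm component is the symptom this issue describes.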