It is seen that CVEs are not shown on some sub-components while they are displayed for other sub-components of the same component group in the BOM.
Details
Note that this won't impact the CVE count as the count is the distinct number of CVE IDs.
For more details please refer CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile
Zendesk Ticket Number
# 22062
Related Article
Software Composition in Highlight: How Open Source component detection works
Comments