I included Dependency-Track in my build pipeline with:
mvn cyclonedx:makeAggregateBom dependency-track:upload-bom
My maven project is configured like this:
<plugin>
    <groupId>io.github.pmckeown</groupId>
    <artifactId>dependency-track-maven-plugin</artifactId>
    <version>1.5.0</version>
    <configuration>
        <dependencyTrackBaseUrl>https://dependency-track.<my-company.com></dependencyTrackBaseUrl>
        <apiKey>${env.DEPENDENCY_TRACK_API_KEY}</apiKey>
        <failOnError>true</failOnError>
        <pollingConfig>
            <pause>2</pause>
            <attempts>30</attempts>
        </pollingConfig>
    </configuration>
</plugin>
This all works fine and I get the analysis results in dependency-track.
Now I suppress some found vulnerabilities in dependency-track, because they do not affect my project.
Some time later (I think not immediately) dependency-track seems to forget some of the suppressions and shows the vulnerabilities again.
This in particular happens with the spring-security-web:5.7.8 dependency:
Is there something wrong with how I call dependency-track? Or is it more likely misconfigured?
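A way to catch this kind of regression in the pipeline, as an added example that is not part of the question or of the dependency-track-maven-plugin: snapshot the project's findings after each upload and report suppressions that vanished while the component is still present. It assumes the Dependency-Track REST endpoint GET /api/v1/finding/project/{uuid} with the X-Api-Key header, the finding JSON shape used in the constructed sample below, and placeholder values for the base URL, API key and project UUID.

```python
"""Detect Dependency-Track suppressions lost between two BOM uploads (added example)."""
import json
import urllib.request


def fetch_findings(base_url, api_key, project_uuid):
    """Fetch findings for a project, including suppressed ones.
    Assumes the Dependency-Track endpoint and the 'suppressed=true' query parameter."""
    url = f"{base_url}/api/v1/finding/project/{project_uuid}?suppressed=true"
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def suppressed_keys(findings):
    """Return the set of (component purl, vulnerability id) pairs marked suppressed."""
    return {
        (f["component"]["purl"], f["vulnerability"]["vulnId"])
        for f in findings
        if f.get("analysis", {}).get("isSuppressed") is True
    }


def lost_suppressions(before, after):
    """Suppressions present in 'before' but gone in 'after', limited to components that
    are still part of the project (a dependency that was removed is not drift)."""
    still_present = {f["component"]["purl"] for f in after}
    lost = suppressed_keys(before) - suppressed_keys(after)
    return sorted(k for k in lost if k[0] in still_present)


# Constructed sample snapshots (not real data); CVE ids are placeholders.
SPRING_SEC = "pkg:maven/org.springframework.security/spring-security-web@5.7.8"
OTHER = "pkg:maven/example/removed-lib@1.0.0"
BEFORE = [
    {"component": {"purl": SPRING_SEC}, "vulnerability": {"vulnId": "CVE-EXAMPLE-0001"},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    {"component": {"purl": SPRING_SEC}, "vulnerability": {"vulnId": "CVE-EXAMPLE-0002"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    {"component": {"purl": OTHER}, "vulnerability": {"vulnId": "CVE-EXAMPLE-0003"},
     "analysis": {"state": "FALSE_POSITIVE", "isSuppressed": True}},
]
AFTER = [  # after re-upload: the spring-security-web suppression is gone, OTHER was removed
    {"component": {"purl": SPRING_SEC}, "vulnerability": {"vulnId": "CVE-EXAMPLE-0001"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    {"component": {"purl": SPRING_SEC}, "vulnerability": {"vulnId": "CVE-EXAMPLE-0002"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
]

if __name__ == "__main__":
    for purl, vuln_id in lost_suppressions(BEFORE, AFTER):
        print(f"suppression lost: {vuln_id} on {purl}")
```

In a pipeline, store the output of fetch_findings after each upload and run lost_suppressions against the previous snapshot; a non-empty result is the signal that analyses were dropped.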
I had a similar problem. I use the same tool as you (cdxgen) to generate the SBOM and then pass this SBOM to Dependency Track. In my case, all these steps are jobs in a pipeline which is run frequently. I tried to troubleshoot the issue and this was the scenario that led to it:
I opened this issue and it looks like it is fixed now; just upgrade to the latest version.