What is the difference between "Last Vulnerability Analysis" and "Last Measurement"? #5578
Looking at a project in DT, it gives three lines of data in the overview directly under "Project Vulnerabilities"
The issue we're facing is that the data of the last vulnerability analysis is quite old and while requesting a refresh on the Measurement does not change the list of vulnerabilities in the project, going via "Re-Analyze" in the "Audit Vulnerabilities" tab DOES then change/update/extend the list of known vulnerabilities in this project.

So: What triggers this "Vulnerability Analysis" (I thought it would be once every 24h - but that's apparently only true for the "Measurement" part) - and what might cause it to not get updated for a month resulting in missing vulnerability notifications on several projects? (They are all active, none are archived.) I'm a little lost here.
Replies: 2 comments
The last vulnerability analysis timestamp is the time when the project was last scanned/analyzed for vulnerabilities. The last measurement timestamp indicates when metrics like total vulnerabilities or components were last calculated and aggregated. You can change the intervals for both individually in the settings. If the analysis timestamp does not update, this seems to indicate an error. Can you check the backend logs, maybe?
So - back at it again. So we have ~6000 SBOMs in the system and apparently the automated vulnerability analysis task never completes. There might be a couple of issues that might have caused this (load too high, restarts before the analysis managed to check all projects etc.) - so I'll be looking at the logs very carefully (and probably report one or the other unrelated bug).