Replies: 1 comment
If this is in line with the vision of this project I would be interested in providing a patch to improve the functionality for private vulnerability repos.
I am currently using Dependency-Track to manage third-party vulnerabilities. I would like to use a single tool for both third-party and first-party vulnerabilities as well.
I discovered the Private Vulnerability Repository, which seems like a good fit for this use case. However, when testing it, I am unable to get internal vulnerabilities to be picked up by Dependency-Track’s vulnerability scanner. I have tried identifying affected components using both package URL and CPE, without success.
Is there a plan for a more intuitive way to model first-party vulnerabilities in Dependency-Track? For example, would it make sense to associate vulnerabilities directly with projects and versions rather than relying solely on PURL or CPE matching?
I am also unsure how internal vulnerabilities are intended to be managed day to day. As far as I can tell, they are only accessible through the Vulnerabilities view, but that view feels quite limited. For example, it seems to only search by vulnerability ID and does not allow filtering or sorting by severity or other useful attributes.
I am using Dependency-Track version 4.13.3.