dependency-track: Vulnerabilities not detected

Current Behavior:

A new Dependency Track project was created (using the Jenkins plugin). The BOM file is the same as another project. The other project shows 22 vulnerabilities (NPM, NVD, OSSIndex) but the newly created version has no vulnerabilities.

The original upload (when the project was also automatically created) happened 20h ago. The analyzer should have done its analyzing (1) when the BOM was uploaded and (2) every 6h.

I tried manually re-uploading the BOM file but without success. The logs of that attempt can be found below.

Steps to Reproduce:

Not sure what makes my setup reproduce this issue.

Expected Behavior:

The project should show the same number of vulnerabilities.

Environment:

  • Dependency-Track Version: 4.4.2
  • Distribution: Docker
  • BOM Format & Version: XML Schema v1.3
  • Database Server: PostgreSQL
  • Browser: Chrome

Additional Details:

2022-04-14 13:20:30,809 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,545 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,581 INFO [BomUploadProcessingTask] Processed 18 components and 0 services uploaded to project 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:31,963 INFO [InternalAnalysisTask] Starting internal analysis task
2022-04-14 13:20:32,037 INFO [InternalAnalysisTask] Internal analysis complete
2022-04-14 13:20:32,041 INFO [PolicyEngine] Evaluating 18 component(s) against applicable policies
2022-04-14 13:20:32,144 INFO [PolicyEngine] Policy analysis complete
2022-04-14 13:20:32,146 INFO [MetricsUpdateTask] Executing metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534
2022-04-14 13:20:32,551 INFO [MetricsUpdateTask] Completed metrics update for project: 1307707d-9ce7-4e64-b4c7-d63e29a50534

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 6
  • Comments: 17 (6 by maintainers)

Most upvoted comments

We are having the same issue and are on version 4.2.0.