Private Vulnerability Repository¶
The private vulnerability repository stores internally managed vulnerabilities. It behaves identically to other vulnerability sources -- findings are raised, audit trails are maintained, and notifications fire -- but the data is entirely user-managed.
For use cases and step-by-step creation instructions, see Managing private vulnerabilities.
Vulnerability IDs¶
Every vulnerability in the private repository requires an ID that is unique within the INTERNAL source. By default, Dependency-Track generates IDs using the prefix INT followed by three blocks of four alphanumeric characters (for example, INT-td11-7hzm-qzot).

Any prefix meaningful to your organisation may be used (for example, ACME-, INT-, SEC-). The only constraint is uniqueness within the INTERNAL source.
Severity and Risk Ratings¶
Severity can be set explicitly or derived from a risk score:
| Rating | Description |
|---|---|
| Explicit severity | Choose directly: CRITICAL, HIGH, MEDIUM, LOW, or INFO. |
| CVSSv2 / CVSSv3 | Enter a CVSS vector; Dependency-Track calculates the base score and derives severity. |
| OWASP Risk Rating | Enter likelihood and impact factors; Dependency-Track calculates severity. |
When several ratings are provided, a CVSSv3 vector takes precedence over a CVSSv2 vector. If both a CVSS rating and an OWASP Risk Rating are present, the one that yields the higher severity is used.
Description Fields¶
| Field | Purpose |
|---|---|
| Title | Short summary shown in finding lists. |
| Description | High-level overview of the vulnerability and its risk. Supports Markdown. |
| Details | In-depth description, such as root cause analysis. Supports Markdown. |
| Recommendation | Remediation or mitigation instructions. Supports Markdown. |
| References | List of external links (changelogs, advisories, blog posts, etc.). |
Affected Components¶
For a vulnerability to be matched against components, Affected Components must be configured. Each entry specifies an identifier (PURL or CPE) and either an exact version or a version range.
Version ranges use lower and/or upper bounds:
| Operator | Meaning |
|---|---|
| > | Greater than (exclusive lower bound) |
| >= | Greater than or equal (inclusive lower bound) |
| < | Less than (exclusive upper bound) |
| <= | Less than or equal (inclusive upper bound) |
A range with only a lower bound matches all versions above it; a range with only an upper bound matches all versions below it.
Tip
Dependency-Track does not convert between PURL and CPE. Use the same identifier type that your SBOM generator produces. Most modern generators emit PURLs.
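To make the matching rules concrete, here is an added Python example (written for this page; it is not Dependency-Track's matcher) that evaluates PURL-identified components against affected-component entries carrying either an exact version or a lower/upper bound range. Assumptions: the `AffectedComponent` class, the sample identifiers `pkg:maven/org.example/widget` and `pkg:npm/example-lib`, and the sample ranges are all constructed for illustration, and `version_key` is a deliberately simplified ordering (numeric dot components, trailing zeros ignored, a `-` suffix treated as pre-release); Dependency-Track's real version comparison handles more cases. Identifiers are compared verbatim, which is why a CPE-keyed entry never matches a PURL-identified component, as the tip above states.

```python
"""Match component PURLs against affected-component entries with version ranges."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AffectedComponent:
    """One affected-component entry: a version-less identifier plus either an exact
    version or a range built from optional lower and upper bounds (assumed shape)."""
    identifier: str
    exact_version: Optional[str] = None
    lower: Optional[str] = None
    lower_inclusive: bool = True      # >= when True, > when False
    upper: Optional[str] = None
    upper_inclusive: bool = False     # <= when True, < when False


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into
    (identity without version, version). Qualifiers and subpath are dropped."""
    body = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in body:
        identity, version = body.rsplit("@", 1)
        return identity, version
    return body, None


def version_key(version: str):
    """Simplified ordering key: dot-separated numeric components compared as integers
    (1.10.0 > 1.9.1), trailing zeros ignored (1.2 == 1.2.0), and a pre-release suffix
    sorting before the release it precedes (2.0.0-rc1 < 2.0.0). Illustrative only."""
    main, _, prerelease = version.partition("-")
    numbers = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return (tuple(numbers), 0 if prerelease else 1, prerelease)


def version_matches(version: str, entry: AffectedComponent) -> bool:
    """Exact match, or inside the [lower, upper] range honouring inclusivity flags.
    A missing bound is open: only-lower matches everything above it, and vice versa."""
    key = version_key(version)
    if entry.exact_version is not None:
        return key == version_key(entry.exact_version)
    if entry.lower is not None:
        low = version_key(entry.lower)
        if key < low or (key == low and not entry.lower_inclusive):
            return False
    if entry.upper is not None:
        high = version_key(entry.upper)
        if key > high or (key == high and not entry.upper_inclusive):
            return False
    return True


def is_affected(component_purl: str, entries) -> bool:
    """True when some entry's identifier equals the component's identity verbatim and
    the component version satisfies that entry. No PURL<->CPE conversion is attempted."""
    identity, version = split_purl(component_purl)
    if version is None:
        return False  # a range cannot be evaluated without a component version
    return any(identity == e.identifier and version_matches(version, e) for e in entries)


# Constructed sample entries (illustrative names, not real advisories).
AFFECTED = [
    AffectedComponent("pkg:maven/org.example/widget",
                      lower="1.2.0", lower_inclusive=True,
                      upper="1.4.5", upper_inclusive=False),            # >=1.2.0 and <1.4.5
    AffectedComponent("pkg:npm/example-lib", exact_version="2.0.0"),    # exactly 2.0.0
    AffectedComponent("pkg:npm/example-lib", lower="3.0.0",
                      lower_inclusive=False),                           # >3.0.0, no upper bound
]

if __name__ == "__main__":
    for purl in ("pkg:maven/org.example/widget@1.4.4?type=jar",
                 "pkg:maven/org.example/widget@1.4.5",
                 "pkg:npm/example-lib@3.0.1"):
        print(purl, "->", is_affected(purl, AFFECTED))
```

Two edge cases are worth checking in any matcher of this kind: `1.4.5-rc1` sits inside a `<1.4.5` range because the pre-release precedes the release, and `1.10.0` must not be caught by `<1.4.5` through string comparison.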
Finding Behaviour¶
Internal vulnerabilities are matched by the internal analyzer during regular vulnerability analysis. Findings appear identically to those from public sources and support the same triage workflow (analysis states, suppression, VEX export).