Decoding of sparse CycloneDX does not set language #953

@jonmcewen

Description

What happened:

When using grype to check a CycloneDX SBOM not produced by syft, Java vulnerabilities were not detected.

What you expected to happen:

Vulnerabilities should be found by language when there is no CPE and no syft metadata.

How to reproduce it (as minimally and precisely as possible):

Using a CycloneDX SBOM with minimal component info and known CVEs such as:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "components" : [
    {
      "name" : "log4j-core",
      "version" : "2.13.3",
      "purl" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"
    }
  ]
}

Running grype will not find any CVEs.

Anything else we need to know?:

PR coming shortly...

Environment:

  • Output of syft version: v0.42.4
  • OS (e.g: cat /etc/os-release or similar): any
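The behaviour the issue asks for is to infer a package language from the purl when the SBOM carries no CPE and no syft metadata, so that ecosystem matchers (here, Java) still run. The Go program below is an added example and is not grype's or syft's own code: it decodes a constructed sparse CycloneDX JSON document, extracts the purl type, and maps it to a language using an assumed table (grype's real mapping is not reproduced here). The function names, the sample BOM and the purl-type-to-language table are the example's own assumptions. It also goes slightly beyond the issue by showing an OS package (a `deb` purl) that yields no language and therefore cannot be matched by language at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// component and bom are the subset of CycloneDX JSON this example reads.
type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type bom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}

// sampleBOM is a constructed sparse SBOM: purls only, no CPEs, no tool metadata.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "log4j-core", "version": "2.13.3", "type": "library",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"},
    {"name": "curl", "version": "7.74.0-1.3", "type": "library",
     "purl": "pkg:deb/debian/curl@7.74.0-1.3?arch=amd64"}
  ]
}`

// purlType returns the type segment of a package URL ("pkg:maven/..." -> "maven").
// The purl spec makes the type case-insensitive, so it is lowercased here.
func purlType(purl string) (string, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", fmt.Errorf("not a package URL: %q", purl)
	}
	rest := strings.TrimLeft(strings.TrimPrefix(purl, "pkg:"), "/")
	i := strings.IndexByte(rest, '/')
	if i <= 0 {
		return "", fmt.Errorf("package URL has no type segment: %q", purl)
	}
	return strings.ToLower(rest[:i]), nil
}

// languageForPurlType maps a purl type to the language an ecosystem matcher keys on.
// This table is an assumption of the example, not grype's or syft's own mapping.
func languageForPurlType(t string) string {
	switch t {
	case "maven":
		return "java"
	case "npm":
		return "javascript"
	case "pypi":
		return "python"
	case "gem":
		return "ruby"
	case "golang":
		return "go"
	}
	return "" // OS package types (deb, rpm, apk, ...) have no language matcher
}

// languagesByComponent decodes a CycloneDX JSON document and returns, keyed by
// component name, the language inferred from each purl. The sparse case from the
// issue has neither CPE nor syft metadata, so the purl type is the only signal;
// components without a usable purl type get "" and cannot be matched by language.
func languagesByComponent(data []byte) (map[string]string, error) {
	var b bom
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, err
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", b.BOMFormat)
	}
	out := make(map[string]string, len(b.Components))
	for _, c := range b.Components {
		lang := ""
		if typ, err := purlType(c.PURL); err == nil {
			lang = languageForPurlType(typ)
		}
		out[c.Name] = lang
	}
	return out, nil
}

func main() {
	langs, err := languagesByComponent([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	for name, lang := range langs {
		fmt.Printf("%s: language=%q\n", name, lang)
	}
}
```

With the sample document, `log4j-core` is assigned `java` purely from its `pkg:maven/...` purl, which is the signal the issue says grype ignored for non-syft SBOMs, while `curl` stays empty because a `deb` purl identifies an OS package rather than a language ecosystem.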

Metadata

Labels: bug (Something isn't working)