Description
Current Behavior
We are using the Firebird database component in our project (version 4.0.5), and recently two vulnerabilities were published:
- [CVE-2025-24975](https://nvd.nist.gov/vuln/detail/CVE-2025-24975)
- [CVE-2025-54989](https://nvd.nist.gov/vuln/detail/CVE-2025-54989)
Both vulnerabilities affect our version of Firebird. The corresponding CPE we are using is:
`cpe:2.3:a:firebirdsql:firebird:4.0.5:*:*:*:*:*:*:*`
However, Dependency-Track is not detecting or reporting either of these vulnerabilities. Other components in our project (e.g., Apache server) are being scanned correctly, and known vulnerabilities are properly flagged, so the issue appears specific to Firebird.
We’ve reviewed our configuration and tried to troubleshoot this, but haven’t been able to determine the root cause. If we call `GET https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:firebirdsql:firebird:4.0.5:*:*:*:*:*:*:*` it correctly returns both vulnerabilities.
Question:
Is there something we might be missing in the way Firebird or its CPE is defined that would prevent Dependency-Track from recognizing the associated vulnerabilities?
Steps to Reproduce
Minimal SBOM example to reproduce the issue:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:1e872b2a-ac0d-450f-8852-37aca26af39f",
  "version": 1,
  "components": [
    {
      "type": "application",
      "bom-ref": "Firebird@4.0.5.3140",
      "name": "Firebird",
      "version": "4.0.5",
      "licenses": [
        {
          "license": {
            "id": "Interbase-1.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:firebirdsql:firebird:4.0.5:*:*:*:*:*:*:*"
    }
  ]
}
```
Expected Behavior
Both vulnerabilities are reported.
Dependency-Track Version
4.13.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
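The following is an added troubleshooting check, not code from the Dependency-Track project or from this report: it pulls the CPE out of the minimal SBOM above, verifies the CPE 2.3 formatted-string shape (13 colon-separated fields), builds the same NVD 2.0 `cpeName` query the report calls by hand, and compares the CVE IDs in an NVD response against the two expected here. The SBOM copy and the NVD response body are constructed inline so it runs offline.

```python
"""Added check: SBOM CPE -> CPE 2.3 validation -> NVD cpeName URL -> expected-CVE diff."""
import json
from urllib.parse import quote

# Constructed copy of the report's minimal SBOM (one component carrying a CPE).
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [{"type": "application", "name": "Firebird", "version": "4.0.5",
                    "cpe": "cpe:2.3:a:firebirdsql:firebird:4.0.5:*:*:*:*:*:*:*"}],
})

# Constructed stand-in for an NVD /rest/json/cves/2.0 reply; real replies carry
# many more fields, but the CVE identifiers live at vulnerabilities[].cve.id.
NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2025-24975"}}, {"cve": {"id": "CVE-2025-54989"}}]})

def component_cpes(sbom_json: str) -> dict[str, str]:
    """Map name@version to its CPE for every component that declares one."""
    bom = json.loads(sbom_json)  # raises on malformed JSON, e.g. a stray brace
    return {f"{c['name']}@{c.get('version', '')}": c["cpe"]
            for c in bom.get("components", []) if "cpe" in c}

def valid_cpe23(cpe: str) -> bool:
    """CPE 2.3 formatted strings: 'cpe', '2.3', a part of a/o/h, then 10 more fields."""
    fields = cpe.split(":")
    return (len(fields) == 13 and fields[:2] == ["cpe", "2.3"]
            and fields[2] in ("a", "o", "h"))

def nvd_query_url(cpe: str) -> str:
    """Same lookup the report performs against the NVD 2.0 API; ':' and '*' stay literal."""
    return "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=" + quote(cpe, safe=":*")

def missing_cves(nvd_json: str, expected: set[str]) -> set[str]:
    """Expected CVE IDs that are absent from an NVD response body."""
    found = {v["cve"]["id"] for v in json.loads(nvd_json).get("vulnerabilities", [])}
    return expected - found

if __name__ == "__main__":
    for ref, cpe in component_cpes(SBOM).items():
        state = "valid" if valid_cpe23(cpe) else "MALFORMED"
        print(ref, state, nvd_query_url(cpe))
    print("missing:", missing_cves(NVD_RESPONSE, {"CVE-2025-24975", "CVE-2025-54989"}))
```

An empty `missing` set against the live NVD reply confirms the CPE itself is well-formed and resolvable, which narrows the gap to the scanner's handling of the component rather than the SBOM.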