
Identify and classify unknown components

Open malice00 opened this issue 1 year ago • 0 comments

Current Behavior

We have a project that uses React Native, where the base dependencies are NPM. Inside them are Gradle and CocoaPods modules which are referenced inside the respective builds. These modules are correctly handled by the respective SBOM generators we use and are imported into DT. So far so good. Now, when these components get validated by OSS Index (and I assume the other tools as well; we only have OSSI active), they are shown in DT as having no vulnerabilities. In reality, when I check the component manually in OSSI, it tells me it doesn't know this component. I would like to request an enhancement in DT that actually shows me that a component is unknown and perhaps even gives it a certain severity & risk. Even if they turn out not to have any vulnerabilities, I think it is incorrect to simply give them a risk score of 0 and say they have no vulns because they are not known by any of the sources!

An easy way to actually test this behavior is to not configure your internal components, because these should also be shown as 0 risk even though they are unknown.

Proposed Behavior

I would suggest having unknown components classified either as an existing classification (personally I feel >= 'high' would be good), a completely new classification, or maybe even making their severity configurable.

malice00 avatar Jul 12 '24 15:07 malice00
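The distinction the issue asks for, "known and clean" versus "not known to any source", can be made explicit at the point where lookup results are turned into findings. The following is an added example written for this page; it is not Dependency-Track's own code and not the issue author's. It assumes a simplified OSS Index-like response shape (one record per coordinate with a `vulnerabilities` list, `None` when the source has no record), constructed sample PURLs, and a constructed vulnerability id; the `internal_namespaces` parameter is a hypothetical stand-in for an "internal components" configuration, so that internal packages are reported separately from genuinely unknown ones rather than both silently scoring 0.

```python
"""Classify lookup results so that 'unknown to the source' is reported
distinctly from 'known with no vulnerabilities'.
Added example for this issue page; not Dependency-Track code."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, Iterable, List, Optional


class Severity(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Finding:
    purl: str
    status: str                      # "clean" | "vulnerable" | "unknown" | "internal"
    severity: Severity
    vuln_ids: List[str] = field(default_factory=list)


# Constructed sample responses (assumption: simplified OSS Index-like shape).
# None means the source returned no record for that coordinate at all.
SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "pkg:npm/react-native@0.74.0": {"vulnerabilities": []},
    "pkg:npm/example-lib@1.2.3": {
        "vulnerabilities": [{"id": "CONSTRUCTED-0001", "cvssScore": 7.5}]
    },
    "pkg:maven/com.example.mobile/bridge-sdk@3.0.0": None,      # Gradle module, unknown
    "pkg:cocoapods/ExampleNativeModule@2.1.0": None,            # CocoaPods module, unknown
    "pkg:maven/com.acme.internal/auth-client@1.0.0": None,      # internal, also unknown
}


def sample_lookup(purl: str) -> Optional[dict]:
    """Stand-in for a vulnerability source query (constructed data)."""
    return SAMPLE_RESPONSES.get(purl)


def cvss_to_severity(score: float) -> Severity:
    """Map a CVSS base score onto the coarse severity buckets above."""
    if score >= 9.0:
        return Severity.CRITICAL
    if score >= 7.0:
        return Severity.HIGH
    if score >= 4.0:
        return Severity.MEDIUM
    if score > 0.0:
        return Severity.LOW
    return Severity.NONE


def is_internal(purl: str, internal_namespaces: Iterable[str]) -> bool:
    """Match 'type/namespace' prefixes such as 'maven/com.acme.internal'
    against the PURL body (hypothetical internal-components config)."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    return any(body.startswith(prefix.rstrip("/") + "/") for prefix in internal_namespaces)


def classify(
    purls: Iterable[str],
    lookup: Callable[[str], Optional[dict]],
    unknown_severity: Severity = Severity.HIGH,
    internal_namespaces: Iterable[str] = (),
) -> List[Finding]:
    """Turn raw lookup results into findings. A missing record is an
    'unknown' finding carrying unknown_severity, never a clean result."""
    findings: List[Finding] = []
    for purl in purls:
        if is_internal(purl, internal_namespaces):
            findings.append(Finding(purl, "internal", Severity.NONE))
            continue
        record = lookup(purl)
        if record is None:
            findings.append(Finding(purl, "unknown", unknown_severity))
            continue
        vulns = record.get("vulnerabilities", [])
        if not vulns:
            findings.append(Finding(purl, "clean", Severity.NONE))
            continue
        worst = max(cvss_to_severity(float(v.get("cvssScore", 0))) for v in vulns)
        findings.append(Finding(purl, "vulnerable", worst, [v["id"] for v in vulns]))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts per status plus the worst severity across all findings."""
    summary = {"clean": 0, "vulnerable": 0, "unknown": 0, "internal": 0}
    for f in findings:
        summary[f.status] += 1
    summary["max_severity"] = max((f.severity for f in findings), default=Severity.NONE)
    return summary


if __name__ == "__main__":
    results = classify(SAMPLE_RESPONSES, sample_lookup,
                       internal_namespaces=("maven/com.acme.internal",))
    for f in results:
        print(f"{f.status:10} {f.severity.name:8} {f.purl} {f.vuln_ids}")
    print(summarize(results))
```

With the default `unknown_severity=Severity.HIGH`, the two native modules the source has never heard of surface as HIGH findings instead of disappearing into a risk score of 0, while the internal package is listed under its own status; lowering `unknown_severity` to `Severity.NONE` reproduces the current silent behaviour, which is the knob the issue asks to make configurable.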