Does disabling 'OSS Index analyzer' break the analysis for components like golang.org/x/crypto #5523
Unanswered
whiteninja76 asked this question in Q&A
Replies: 1 comment
-
NVD only provides mapping to cpe-strings. Your components probably only have a PURL. OSS Index is thus used to map from PURL to CVEs.
-
Hi, we recently turned off the OSS Index analyzer as it now needs an API token, which is just a bit of extra config I haven't sorted out yet.
I have an SBOM that we uploaded for a project about 2 months ago that's marked the package golang.org/x/crypto as high. I have recently reloaded the SBOM with the same details in it but a new project version number, expecting it to highlight the same findings.
It's not showing any issues with the SBOM even though I know it's a high ...
In short
For the type of component/package golang.org/x/crypto, do I have to have the OSS Index analyzer enabled and configured for it to highlight that it's a vulnerability (the standard NVD source is still enabled)?
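Following the reply's point that NVD matching works from CPE strings while OSS Index maps PURLs to CVEs, this added example (not part of the original discussion or the project's own code) lists which components in a CycloneDX JSON SBOM carry only a PURL. The sample SBOM, its version strings and the `walk`/`classify` helpers are constructed for illustration.

```python
import json

# Constructed sample CycloneDX SBOM; names and versions are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "golang.org/x/crypto",
         "version": "v0.0.0-example",
         "purl": "pkg:golang/golang.org/x/crypto@v0.0.0-example"},
        {"type": "application", "name": "openssl", "version": "0.0.0-example",
         "cpe": "cpe:2.3:a:openssl:openssl:0.0.0-example:*:*:*:*:*:*:*"},
        {"type": "library", "name": "internal-lib", "version": "1.0.0",
         "components": [
             {"type": "library", "name": "nested", "version": "2.0.0",
              "purl": "pkg:golang/example.com/nested@v2.0.0"}]},
    ],
})


def walk(components):
    """Yield every component, including nested sub-components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def classify(sbom_text):
    """Group components by the identifiers an analyzer could match on."""
    groups = {"cpe": [], "purl_only": [], "no_identifier": []}
    for comp in walk(json.loads(sbom_text).get("components")):
        label = f'{comp.get("name")}@{comp.get("version")}'
        if comp.get("cpe"):
            groups["cpe"].append(label)        # matchable against CPE data
        elif comp.get("purl"):
            groups["purl_only"].append(label)  # needs a PURL-based source
        else:
            groups["no_identifier"].append(label)
    return groups


if __name__ == "__main__":
    for group, names in classify(SAMPLE_SBOM).items():
        print(f"{group}: {len(names)}")
        for name in names:
            print(f"  {name}")
```

Components reported under `purl_only` are the ones that, per the reply, depend on a PURL-to-CVE source such as OSS Index.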