bug: inconsistent CVE findings when using SBOM generated for the same software as input file

[jni2000]

Description

I did a number of tests to compare the CVE findings in the following two cases:

1. run cve-bin-tool against the software package directly
2. run cve-bin-tool against the SBOM file generated using cve-bin-tool against the same software package

I found discrepancies in the number of CVEs found using the above two methods. Any explanations on such discrepancies?

Thanks

[alex-ter]

@jni2000 You'd need to be more specific to get better answers. Below are some points worth elaborating:

1. Which software package was that (links, versions)?
2. What were the specific results obtained through those two approaches? Posting the outputs and the SBOM would be helpful.