DepScan on conan packages not picking up known vulnerabilities?

[Forgh]

I've been trying to setup depscan on a few of my projects which have a few conan and npm dependencies.

While npm dependencies are correctly scanned and vulnerabilities are correctly found, it seems I cannot get any result for conan packages.
They always end up with an empty vulnerability report and a "No oss vulnerabilities detected ✅" message.

I've tried with isolated conanfile.py, conanfile.txt, conan.lock. Out of curiosity, I've even tried with purl search on packages with known CVE:

depscan --purl  pkg:conan/xz_utils/5.6.0
INFO [2025-02-06 15:23:28,435] No oss vulnerabilities detected ✅

depscan --purl pkg:conan/openssl/1.1.1h
INFO [2025-02-06 15:56:48,131] No oss vulnerabilities detected

depscan --purl pkg:conan/libpng/1.6.37
INFO [2025-02-06 16:18:01,886] No oss vulnerabilities detected ✅

Using the VDB6 holds the same results:

VDB_DATABASE_URL="ghcr.io/appthreat/vdbgz:v6" depscan --purl pkg:conan/libpng/1.6.37
INFO [2025-02-06 16:18:01,886] No oss vulnerabilities detected ✅

Am I doing something wrong?

Another question: we're using a proxy repository for our conan packages (for safety purposes). Currently our conanfiles reference packages with the same version numbers / package names but different user/channel references. These then appears in the purl in the sbom:

        {
            "group": "",
            "name": "gtest",
            "version": "1.10.0",
            "purl": "pkg:conan/[email protected]?channel=stable&user=deps%2Bots",
            "type": "library",
            "bom-ref": "pkg:conan/[email protected]?channel=stable&user=deps+ots"
        },

Are user/channel references actually used for the dependency scan or are the version numbers/package names the only references considered during the scan?

[prabhu]

Does pkg:generic work with vdb6? Could you troubleshoot by inspecting the sqlite databases as well as creating this issue on the vulnerability-db repo?