I expect to see vulnerable components but I don’t
Most common reason: You have yet to enable the Sonatype OSS Index Analyzer. It is not enabled by default but is necessary to scan dependencies represented by Package URLs.
Why is Sonatype OSS Index Analyzer disabled by default?
For Dependency-Track v3.0 - v3.8, Sonatype OSS Index Analyzer is disabled and requires an account. See Sonatype OSS Index Analyzer. For Dependency-Track v4.0 and higher, OSS Index is enabled by default and does not require an account.