False Positive on Oracle JDBC drivers(detects Oracle Database)

[wolframhaussig]

In 2020, the coordinates of the Oracle JDBC libraries changed: https://medium.com/oracledevs/all-in-and-new-groupids-oracle-jdbc-drivers-on-maven-central-a76d545954c6

When using the new coordinates the ojdbc library and its dependencies are recognised as Oracle Database which breaks our builds. Currently, we are using ojdbc8 12.2.0.1: https://mvnrepository.com/artifact/com.oracle.database.jdbc/ojdbc8/12.2.0.1

Example

False positive on library ojdbc8-12.2.0.1.jar - reported as:

• cpe:2.3:a:oracle:database:12.2.0.1:::::::*
• cpe:2.3:a:oracle:jdbc:12.2.0.1:::::::* <-- correct
• cpe:2.3:a:oracle:oracle_database:12.2.0.1:::::::*

      <dependency>
          <groupId>com.oracle.database.jdbc</groupId>
          <artifactId>ojdbc8</artifactId>
          <version>12.2.0.1</version>
      </dependency>

This also affects the dependencies of ojdbc:

[jeremylong]

Thanks for the report. In the meantime you can use a local suppression file: https://jeremylong.github.io/DependencyCheck/general/suppression.html

Also, consider providing a PR to resolve the FP.