The CPE that is believed to be a false positive: cpe:2.3:a:apache:log4j:1.7.32
False positive on library log4j-over-slf4j-1.7.32.jar - reported as cpe:2.3:a:apache:log4j:1.7.32:::::::*
Maven coordinates: org.slf4j:log4j-over-slf4j:1.7.32
In the parent pom of log4j-over-slf4j there is a reference to log4j 1.7.32; however, it is in the parent pom file and not referenced directly in the child pom, which is why it is not added to the build. As a result, IMHO, this does not affect log4j-over-slf4j.
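Until a build is moved to an ODC release that carries the fix, the usual way to silence this specific mismatch is a suppression rule scoped to the artifact and the wrong CPE. The following is an added example of such a rule (not part of the issue report or the project's own test data); it uses the dependency-suppression 1.3 schema, and the note text is the author's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      log4j-over-slf4j is the SLF4J bridge that replaces log4j 1.x; it does not
      bundle Apache log4j. The apache:log4j CPE is matched on the artifact name and
      version only, so the match is suppressed for this artifact (all versions).
      Constructed example rule; keep it narrow so genuine log4j jars stay visible.
    ]]></notes>
    <!-- Match only this groupId/artifactId, any version, via its package URL. -->
    <packageUrl regex="true">^pkg:maven/org\.slf4j/log4j\-over\-slf4j@.*$</packageUrl>
    <!-- Suppress the mis-identification, not individual CVEs, so new findings
         against a real apache:log4j dependency elsewhere are still reported. -->
    <cpe>cpe:/a:apache:log4j</cpe>
  </suppress>
</suppressions>
```

Point dependency-check at the file with `--suppression <path>` (CLI) or the equivalent `suppressionFile` setting of the Maven/Gradle plugins, and re-run the scan to confirm the apache:log4j CPE is no longer attached to this jar.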
This should have been fixed by 6f1879dce8fc43f364a5f2a8b9f27b28e1b70643, but you have failed to provide important diagnostic info such as the version of ODC used.