Closed slawekjaranowski closed 1 week ago
Maven Coordinates
<dependency>
    <groupId>commons-discovery</groupId>
    <artifactId>commons-discovery</artifactId>
    <version>0.2</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6839
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-discovery/commons-discovery@.*$</packageUrl>
    <cpe>cpe:/a:spirit-project:spirit</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941750630
approved
@slawekjaranowski It's not about ignoring groupId/artifactId; it's about no CVE being registered against commons-discovery yet, and therefore an improper CPE match is found to be the 'best matching CPE' for the combination of evidence gathered from the dependency and the CPEs found in the NVD CVE data. If there had been a CVE registered against commons-discovery, that would've resulted in a much better match.
Suppress rule has been added to the generatedSuppressions branch.
Package URL
pkg:maven/commons-discovery/commons-discovery@0.2
CPE
cpe:2.3:a:spirit-project:spirit:0.2:::::::*
CVE
No response
ODC Integration
Maven Plugin
ODC Version
10.0.2
Description
Looks like only the version is used, but groupId and artifactId are ignored. It can be a more general problem.