[FP]: groupId and artifactId are ignored #6839
Comments
Maven Coordinates

```xml
<dependency>
    <groupId>commons-discovery</groupId>
    <artifactId>commons-discovery</artifactId>
    <version>0.2</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6839
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-discovery/commons-discovery@.*$</packageUrl>
   <cpe>cpe:/a:spirit-project:spirit</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941750630
approved. @slawekjaranowski It's not about ignoring groupId/artifactId; it's about no CVE being registered against commons-discovery yet, and therefore an improper CPE match is found to be the 'best matching CPE' for the combination of evidence gathered from the dependency and the CPEs found in the NVD CVE data. If there had been a CVE registered against commons-discovery, that would have resulted in a much better match.
Suppression rule has been added to the
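As an added example (my own code, not DependencyCheck's), the following script checks a suppression rule offline against a finding, so a rule like the one posted above can be verified before it is committed. It models the rule semantics as the project's suppression documentation describes them: `packageUrl` is an exact match, or a regex match when `regex="true"`, and `<cpe>` is a starts-with match against the `cpe:/...` URI form of the reported CPE. Treating the regex as a full match and the conversion from CPE 2.3 to URI form are my assumptions, as is the `<suppressions>` wrapper; the `apache:commons_discovery` CPE in the last check is a hypothetical value used only to show that the rule does not hide a different match for the same artifact.

```python
"""Offline check of a DependencyCheck-style suppression rule.

Added example, not DependencyCheck's own code: it models the rule
semantics as the project's suppression documentation describes them
(packageUrl: exact or regex match; cpe: starts-with match against the
cpe:/... URI form) so a rule can be tested before it is committed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed suppressions file wrapping the rule posted in this issue.
SUPPRESSION_XML = """<suppressions>
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #6839
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-discovery/commons-discovery@.*$</packageUrl>
    <cpe>cpe:/a:spirit-project:spirit</cpe>
  </suppress>
</suppressions>
"""


def cpe23_to_uri(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the cpe:/ URI form used by <cpe>.

    'cpe:2.3:a:spirit-project:spirit:0.2:*:*:*:*:*:*:*'
        -> 'cpe:/a:spirit-project:spirit:0.2'
    ANY ('*') fields become empty and trailing empty fields are dropped
    (assumed mapping, sufficient for the vendor/product/version prefix case).
    """
    if not cpe23.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe23!r}")
    # Split on colons that are not backslash-escaped (CPE 2.3 escapes ':' as '\:').
    fields = re.split(r"(?<!\\):", cpe23)
    if len(fields) != 13:
        raise ValueError(f"expected 13 CPE 2.3 components, got {len(fields)}")
    part = fields[2]
    # URI form carries at most vendor, product, version, update, edition, language.
    rest = ["" if f == "*" else f for f in fields[3:9]]
    while rest and rest[-1] == "":
        rest.pop()
    return "cpe:/" + ":".join([part] + rest)


def load_rules(xml_text: str) -> list:
    """Parse every <suppress> element into a plain dict."""
    rules = []
    for sup in ET.fromstring(xml_text).iter("suppress"):
        purl = sup.find("packageUrl")
        rules.append({
            "notes": (sup.findtext("notes") or "").strip(),
            "purl": purl.text.strip() if purl is not None else None,
            "purl_regex": purl is not None and purl.get("regex") == "true",
            "cpes": [c.text.strip() for c in sup.findall("cpe")],
        })
    return rules


def rule_suppresses(rule: dict, purl: str, cpe23: str) -> bool:
    """True when the packageUrl matches the dependency AND one of the rule's
    <cpe> entries is a prefix of the finding's CPE in URI form (assumed
    semantics, see module docstring). Both conditions must hold, which is
    what keeps the rule scoped to this one false-positive CPE."""
    if rule["purl"] is not None:
        if rule["purl_regex"]:
            if re.fullmatch(rule["purl"], purl) is None:
                return False
        elif rule["purl"] != purl:
            return False
    uri = cpe23_to_uri(cpe23)
    return any(uri.startswith(c) for c in rule["cpes"])


def is_suppressed(xml_text: str, purl: str, cpe23: str) -> bool:
    """True if any rule in the file suppresses the (purl, cpe) finding."""
    return any(rule_suppresses(r, purl, cpe23) for r in load_rules(xml_text))


if __name__ == "__main__":
    fp_cpe = "cpe:2.3:a:spirit-project:spirit:0.2:*:*:*:*:*:*:*"
    checks = [
        # The false positive from this issue: suppressed.
        ("pkg:maven/commons-discovery/commons-discovery@0.2", fp_cpe),
        # Another version of the same artifact: the @.* regex still matches.
        ("pkg:maven/commons-discovery/commons-discovery@0.5",
         "cpe:2.3:a:spirit-project:spirit:0.5:*:*:*:*:*:*:*"),
        # Different artifactId in the same groupId: not suppressed.
        ("pkg:maven/commons-discovery/other@0.2", fp_cpe),
        # Same artifact, but a different (hypothetical) CPE: not suppressed,
        # so a genuine future match would still be reported.
        ("pkg:maven/commons-discovery/commons-discovery@0.2",
         "cpe:2.3:a:apache:commons_discovery:0.2:*:*:*:*:*:*:*"),
    ]
    for purl, cpe in checks:
        print(f"{is_suppressed(SUPPRESSION_XML, purl, cpe)!s:5}  {purl}  {cpe}")
```

The point of the last two checks is the practitioner's caveat: pairing `packageUrl` with `<cpe>` keeps the suppression narrow. A rule with only the `packageUrl` would silence every CPE ever matched to the artifact, including a correct one added after a CVE is registered against commons-discovery.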
Package URL
pkg:maven/commons-discovery/commons-discovery@0.2
CPE
cpe:2.3:a:spirit-project:spirit:0.2:*:*:*:*:*:*:*
CVE
No response
ODC Integration
Maven Plugin
ODC Version
10.0.2
Description
Looks like only the version is used, but groupId and artifactId are ignored.
It can be a more general problem.