[FP]: groupId and artifactId are ignored #6839
Comments
|
Maven Coordinates <dependency>
<groupId>commons-discovery</groupId>
<artifactId>commons-discovery</artifactId>
<version>0.2</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6839
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-discovery/commons-discovery@.*$</packageUrl>
<cpe>cpe:/a:spirit-project:spirit</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941750630 |
|
approved @slawekjaranowski It's not about ignoring groupId/artifactId, It's about no CVE being registered against commons-discovery yet and therefor an improper CPE match is found to be 'best matching CPE' for the combination of evidences gathered from the dependency and the CPEs found in the NVD CVE data. If there had been a CVE registered against commons-discovery that would've resulted in a much better match. |
|
Suppress rule has been added to the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/commons-discovery/[email protected]
CPE
cpe:2.3:a:spirit-project:spirit:0.2:::::::*
CVE
No response
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
10.0.2
Description
Looks like only version is used, but groupId and artifactId are ignored.
It can be more general problem
The text was updated successfully, but these errors were encountered: