Potential issue with jackson-databind 2.9.9.x

[AnEmortalKid]

[CVE-2019-14379](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14379

Is being flagged for jackson-databind-xml:

cpe: cpe:/a:fasterxml:jackson:2.9.9  Confidence:Low  suppress
maven: com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.9.9  Confidence:Highest
cpe: cpe:/a:fasterxml:jackson-databind:2.9.9  Confidence:Highest  suppress

jackson-dataformat-xml-2.9.9.jar (cpe:/a:fasterxml:jackson:2.9.9, com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.9.9, cpe:/a:fasterxml:jackson-databind:2.9.9) : CVE-2019-14379, CVE-2019-12814

The CVE's were assessed and fixed in the jackson-databind module and not databind-xml: FasterXML/jackson-dataformat-xml#349
FasterXML/jackson-databind#2387

I wasn't entirely sure if this fell under the false positive/negative category or there's something missing that would help associate the 2.9.9.x versions as fixed.

Plugin Version in use:

dependency-check-maven:4.0.2:check

[jeremylong]

The referenced CVE is not fixed in 2.9.9 - it is fixed in 2.9.9.2. Using ODC 5.2.1 these are correctly reported.