[FP]: java-cfenv detected as Spring Framework

[mehradn7]

Package URl

pkg:maven/io.pivotal.cfenv/java-cfenv@3.1.3

CPE

cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*

CVE

CVE-2022-22965

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

9.0.9

Description

Hello,
The following Maven packages
pkg:maven/io.pivotal.cfenv/java-cfenv@3.1.3
pkg:maven/io.pivotal.cfenv/java-cfenv-jdbc@3.1.3
pkg:maven/io.pivotal.cfenv/java-cfenv-boot@3.1.3

are wrongly assigned to CPE cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:* probably because of some evidences related to Pivotal and Spring:

The 3rd listed package pkg:maven/io.pivotal.cfenv/java-cfenv-boot@3.1.3 is also wrongly assigned to CPE cpe:2.3:a:vmware:spring_boot:3.1.3:*:*:*:*:*:*:*

Thanks.

Regards,

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.pivotal.cfenv</groupId>
   <artifactId>java-cfenv</artifactId>
   <version>3.1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6415
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.pivotal\.cfenv/java-cfenv@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_framework</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7613784102

[thibaut129]

Hi,
Can you provide in some update about this ticket ?
Thanks a lot

[aikebah]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.