False Positive on Custom Library

[mcresswell]

False positive on custom built library ST-1.0.0-SNAPSHOT.jar - reported as cpe:/a:shadow_project:shadow:4.4
The library is named "Shadow Test" and being identified as "shadow". The CVE reported belongs to "shadow".

<!-- Custom Library Unavailable in Maven Central -->
<dependency>
   <groupId>com.test</groupId>
   <artifactId>ST</artifactId>
   <version>1.0.0-SNAPSHOT</version>
</dependency>

Sample jar, pom, & reports included in zip:
FalsePositive.zip

Originally reported under the Jenkins Dependency Check OWASP plugin but was redirected to the core DependencyCheck module:
https://issues.jenkins-ci.org/browse/JENKINS-47845

[stevespringett]

Original report: https://issues.jenkins-ci.org/browse/JENKINS-47845

[jeremylong]

Thank you for the report. However, as this is a custom library specific to your environment you will need to include the suppression rule in a suppression file maintained within your organization. Please see the article on suppressing false positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.