Scanner results on tomcat very verbose

[tasso94]

I'm using the following maven coordinate to assembly a custom Tomcat distribution:

<dependency>
  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat</artifactId>
  <version>${version.tomcat}</version>
  <type>tar.gz</type>
</dependency>

... and I'm receiving the following scanner results:

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
tomcat-9.0.85.tar.gz: tomcat-9.0.85.tar: el-api.jar	cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:* cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.85:*:*:*:*:*:*:*		HIGH	30	Medium	20
tomcat-9.0.85.tar.gz: tomcat-9.0.85.tar: servlet-api.jar	cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.85:*:*:*:*:*:*:*		HIGH	29	Medium	41

My guess is the CPE's cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:* and cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:* would need to be suppressed. I could do this on my own with something along the lines:

<suppress>
   <notes><![CDATA[
   file name: tomcat-9.0.85.tar.gz: tomcat-9.0.85.tar: el-api.jar
   ]]></notes>
   <sha1>b5d6802eeb8729da4d43ea4402b7da61a528b449</sha1>
   <cpe>cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*</cpe>
</suppress>

However, could you also do this and roll this out to everybody? I might not be the only one having this problem.

[OrangeDog]

Not only are they a false positive for Tomcat, they're also false negatives for the API jars they actually are. Though I haven't checked if they all actually have registered CPEs.

A general suppression might be this, but I don't know if it makes sense to be built-in.

<suppress>
    <filePath regex="true">.*apache-tomcat-.*[/\\]lib[/\\].*</filePath>
    <cpe>cpe:/a:apache:tomcat</cpe>
</suppress>