[FP]: Custom package openapi-generator-templates != openapi_generator

[DennisHartrampf]

Package URl

pkg:maven/de.bvv.asteroid/openapi-generator-templates@3.2.2

CPE

cpe:2.3:a:openapi-generator:openapi_generator:3.2.2:*:*:*:*:*:*:*

CVE

CVE-2023-27162, CVE-2019-11405, CVE-2021-21428, CVE-2021-21430, CVE-2021-21429

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

9.0.10

Description

Please note that the dependency de.bvv.asteroid/openapi-generator-templates@3.2.2 is not to be found in any public Maven registry as it is an internal dependency owned by the company I work for.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9064806481

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9064866742

[OrangeDog]

As it's a private internal dependency, there's not much point publishing a suppression, as you're the only person who needs it.

[DennisHartrampf]

I agree to that point - we can generate the suppresion ourselves.
I'm just wondering why there is even a match on that cpe. Our package name is openapi-generator-templates, the cpe is cpe:2.3:a:openapi-generator:openapi_generator:3.2.2:*:*:*:*:*:*:*. To me it looks like the matching is done with a prefix-match like the cpe was cpe:2.3:a:openapi-generator:openapi_generator*:3.2.2:*:*:*:*:*:*:* (note the asterisk after the package name). Isn't that a bug in the dependency check?

[OrangeDog]

Isn't that a bug

No: #6658

[DennisHartrampf]

Alright, thanks for your fast response and for the reference. I'll close this issue then.