False positives for purl based npm packages #5378
routinesharp asked this question in Q&A (Unanswered, 0 comments)
Dependency-Track is identifying large numbers of false positive vulnerability reports for purl-based npm packages.
We have a company-hosted Dependency-Track instance which predominantly uses the NVD vulnerability datasource, but is also configured to use Google OSV. An example set of false positives is for the npm progress library, which has 23 critical and 40 high vulnerabilities identified against it, which look to be related to the Progress suite of products. It looks as though Dependency-Track is trying to do some kind of name-based matching for npm packages against the NVD source and is therefore identifying these false positives.
I'm almost certain this is a configuration issue, but the team running it have tried the below avenues with no success. Could someone point us in the right direction please?
Further info: CycloneDX is being used to generate SBOMs.
Many thanks
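The collision the question describes comes from the shape of the two identifiers involved: a purl carries the ecosystem (`pkg:npm/...`), while NVD records are keyed on CPE 2.3 strings, where the package name sits in the product field and the ecosystem, if recorded at all, is the `target_sw` field (often `node.js` for npm packages, but frequently `*`). The script below is an added illustration, not Dependency-Track's own matching code and not part of the original post: it parses both formats, shows how a name-only comparison reports every record whose product happens to be called `progress`, and contrasts it with a check that also requires the CPE to be scoped to the Node ecosystem. All CPE strings and vulnerability ids in it are constructed placeholders, and the `target_sw` rule is an assumed triage heuristic (a real record with `target_sw` set to `*` would be dropped by it), so its output is a list of findings to review, not a verdict.

```python
"""Why name-only matching of an npm purl against CPE-keyed NVD data produces
false positives, and what an ecosystem-aware comparison does differently.

Added example, not Dependency-Track's matching logic. The CPE strings and
vulnerability ids below are constructed placeholders, not real NVD records."""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str        # package ecosystem, e.g. "npm"
    namespace: str   # "@scope" for scoped npm packages, otherwise ""
    name: str
    version: str     # "" when the purl carries no version


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    target_sw: str   # CPE 2.3 field 10; NVD commonly uses "node.js" for npm packages


def parse_purl(purl: str) -> Purl:
    """Parse the subset of package-url syntax used here: pkg:type/[namespace/]name[@version]."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    ptype, _, rest = body.partition("/")
    # The last "@" separates the version; an "@" at index 0 is an unencoded scope.
    idx = rest.rfind("@")
    if idx > 0:
        rest, version = rest[:idx], rest[idx + 1:]
    else:
        version = ""
    namespace, _, name = unquote(rest).rpartition("/")
    return Purl(ptype.lower(), namespace, name.lower(), version)


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string (escaped colons inside fields are not handled)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return Cpe(vendor=fields[3], product=fields[4], target_sw=fields[10])


# Assumed heuristic: values NVD uses in target_sw to mark a Node/npm component.
NPM_TARGET_SW = {"node.js", "nodejs", "npm"}


def name_only_match(purl: Purl, cpe: Cpe) -> bool:
    """The loose comparison: any record whose product name equals the package name."""
    return cpe.product == purl.name


def ecosystem_aware_match(purl: Purl, cpe: Cpe) -> bool:
    """Same name check, but an npm purl only matches a record scoped to the Node ecosystem."""
    if cpe.product != purl.name:
        return False
    if purl.type == "npm":
        return cpe.target_sw.lower() in NPM_TARGET_SW
    return True   # other ecosystems are out of scope for this illustration


def triage(purl_str: str, records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Report which vulnerability ids each strategy attributes to the purl.

    'suspect' lists ids only the loose strategy produced: the candidates to review first.
    """
    purl = parse_purl(purl_str)
    loose, strict = [], []
    for vuln_id, cpe_str in records:
        cpe = parse_cpe23(cpe_str)
        if name_only_match(purl, cpe):
            loose.append(vuln_id)
        if ecosystem_aware_match(purl, cpe):
            strict.append(vuln_id)
    return {
        "name_only": loose,
        "ecosystem_aware": strict,
        "suspect": sorted(set(loose) - set(strict)),
    }


# Constructed sample records (placeholder ids, not real CVEs or NVD CPEs).
SAMPLE_RECORDS = [
    # An unrelated vendor whose product field also reads "progress".
    ("PLACEHOLDER-VULN-1", "cpe:2.3:a:progress:progress:*:*:*:*:*:*:*:*"),
    # A record scoped to Node.js, i.e. genuinely about the npm package.
    ("PLACEHOLDER-VULN-2", "cpe:2.3:a:progress_project:progress:*:*:*:*:*:node.js:*:*"),
    # Same vendor as the first record, different product: no strategy should match it.
    ("PLACEHOLDER-VULN-3", "cpe:2.3:a:progress:other_product:*:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    for strategy, ids in triage("pkg:npm/progress@2.0.3", SAMPLE_RECORDS).items():
        print(f"{strategy:16s} {ids}")
```

Run against an export of your own findings, the `suspect` list is the set to check by hand: an entry whose CPE vendor is a company product rather than the npm project is the pattern described in the question, while an entry with `target_sw` of `*` may still be a real match and should not be dismissed on this heuristic alone.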