[FP]: False positive for cve-2017-7658 in apache-jsp

[jnuttall-hpt]

Package URl

pkg:maven/org.mortbay.jasper/apache-jsp@8.5.100

CPE

I cannot determine this from the JSON report

CVE

cve-2017-7658

ODC Integration

None

ODC Version

12.1.2

Description

This just started appearing last night on an old product whose dependencies have not changed, and the CVE has not been updated in 7 months. Apache-jsp is not itself the Eclipse Jetty server, it is a repackaging of a tomcat library so this is a false positive.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.mortbay.jasper</groupId>
   <artifactId>apache-jsp</artifactId>
   <version>8.5.100</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7846
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-jsp@.*$</packageUrl>
   <cpe>cpe:/a:undefined:undefined</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/16648291407

[chadlwilson]

Sorry, we need the CPE data or we can't evaluate the suppression - it's too time consuming otherwise. Please use a different report type to determine this and update or open a new one.