[FP]: False positive for CVE-2022-29583 in tomcat-embed-el-10.1.40

[nefethael]

Package URl

pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@10.1.40

CPE

cpe:2.3:a:service_project:service:10.1.40:::::::*

CVE

CVE-2022-29583

ODC Integration

None

ODC Version

N/A

Description

kardianos service go program is not related to tomcat I guess?

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.apache.tomcat.embed</groupId>
   <artifactId>tomcat-embed-el</artifactId>
   <version>10.1.40</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7911
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-el@.*$</packageUrl>
   <cpe>cpe:/a:service_project:service</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/17496474600

[aikebah]

Neither our github pipeline nor a local attempt is surfacing this FP. Doublecheck your configuration and job-output for errors that break proper identification of this library.