[FP]: CVE-2021-4277 is reported as false positive

[va699]

Package URl

/kafka/3.9.0/1/fast/libs/kafka-streams-test-utils-3.9.0.jar

CPE

cpe:2.3:a:utils_project:utils:3.9.0:::::::*

CVE

CVE-2021-4277

ODC Integration

{"label" => "Docker"}

ODC Version

12.1.0

Description

Hi Team,

We are getting vulnerability CVE-2021-4277 in Dependency Checker Tool findings, although as per our analysis we consider it as false positive.

Kindly check and get it fixed in Dependency Checker tool. So, this false positive does not appear in scan report.

Dependency Checker tool is scanning below mentioned path
File Path : /kafka/3.9.0/1/fast/libs/kafka-streams-test-utils-3.9.0.jar

[github-actions]

Error parsing package url: /kafka/3.9.0/1/fast/libs/kafka-streams-test-utils-3.9.0.jar.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/17527755381

[marcelstoer]

@va699 you need to update the issue (→ Edit) as per the bot's feedback.

[chadlwilson]

There appear to be a bunch of people potentially from the same org creating issues with a template that cannot really be addressed. I'm probably going to start closing these a bit more aggressively unless told otherwise, as they take time to evaluate and nothing can be done about suppressions to random jars without package information.

Kindly check and get it fixed in Dependency Checker tool.