Package URL
pkg:maven/com.internal/[email protected]
CPE
cpe:2.3:a:ibus_project:ibus:1.0.0:*:*:*:*:*:*:*
CVE
CVE-2019-14822
ODC Integration
CLI
ODC Version
12.1.3
Description
This issue was previously reported in #7823, which was closed with the suggestion to use the suppression rule provided in the HTML report. Apologies for the delayed follow-up. I am reopening this issue because the problem persists.
We already maintain an internal suppression file that is intended to suppress any false-positive findings for artifacts originating from the com.internal.* package. However, in this particular scenario, the rule does not seem to apply, likely due to the presence of the ibus string in our artifact name. We would like to avoid updating our internal suppression file, which currently works effectively for all other internal artifacts, solely because of this one artifact name. Our preference is to keep our suppression rules simple and broadly applicable, without needing special exceptions for individual cases like this one. The issue was also explained in detail in #7821.
I have uploaded a dummy JAR file which can be used to reproduce the issue locally. I'd appreciate any guidance on this DepCheck issue.