[FN]: False negative CPE Java elastic-apm-agent should be elastic:apm_java_agent

[OrangeDog]

Precondition

• I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
NVD has assigned elastic:apm_agent to CVEs in the Python and Ruby versions of the software, but elastic:apm_java_agent for the Java version.

A hint like this resolves it:

<hint>
    <given>
        <evidence type="product" source="pom" name="groupid" value="co.elastic.apm" confidence="HIGHEST"/>
        <evidence type="product" source="pom" name="artifactid" value="elastic-apm-agent" confidence="HIGHEST"/>
    </given>
    <add>
        <evidence type="product" source="hint analyzer" name="product" value="apm_java_agent" confidence="HIGHEST"/>
    </add>
</hint>

Alternatively the group co.elastic.apm would cover all components of the agent.

[chadlwilson]

Putting aside merits of the hint (I have no opinion right now and not familiar with hint practices) if you'd like to PR there is https://github.com/dependency-check/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-hint.xml

[Umesh042005]

Hi @OrangeDog @chadlwilson Thanks for the clarification.

I’m new to Dependency-Check and still trying to understand how CPE
mapping and hints work in this case.
From my understanding, the issue is that the Java Elastic APM agent
is being identified as the generic elastic:apm_agent instead of
elastic:apm_java_agent, which causes Java-specific CVEs to be missed.
I’ll first review the existing patterns in dependencycheck-base-hint.xml
to better understand the current hint practices before attempting
any changes.

[jeremylong]

Hints simply add evidence to the dependency. To understand how evidence is used see https://dependency-check.github.io/DependencyCheck/general/internals.html

[jeremylong]

@OrangeDog a PR with the hint would be great.

[Umesh042005]

Thank you for the suggestion, I understand how hints add extra evidence and how this can help in this case.
I’m still a beginner and taking some time to understand the internals, but I’m
going through the documentation to learn it properly.