[FP]: CVE-2025-1948 is not applicable for jetty-security-12.0.16.jar

[githubuserVenkat]

Package URl

pkg:maven/org.eclipse.jetty/jetty-security@12.0.16

CPE

cpe:2.3:a:eclipse:jetty:12.0.16:::::::*

CVE

CVE-2025-1948

ODC Integration

None

ODC Version

12.1.9

Description

Here the vulnerable component is Jetty’s HTTP/2 module but here it is reported for jetty-security-12.0.16

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jetty</groupId>
   <artifactId>jetty-security</artifactId>
   <version>12.0.16</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8154
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-security@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/19729773740

[chadlwilson]

CVEs in the NVD are not tracked at component level for Jetty so they can't be matched by ODC against specific parts of Jetty.

If you want to suppress for that component based on your own review of the individual CVEs you'll have to maintain those suppressions yourself.