[FP]: CVE-2008-7271 incorrectly reported by Dependency Checker #8172

@MohammedSuhaibT

Package URL

pkg:maven/org.eclipse.angus/angus-activation@2.0.2

CPE

cpe:2.3:a:eclipse:eclipse_ide:3.3.2:*:*:*:*:*:*:*

CVE

CVE-2008-7271

ODC Integration

None

ODC Version

12.1.3

Description

Dependency-Check reports CVE-2008-7271 (XSS in Eclipse IDE Help Server) for the dependency angus-activation 2.0.2 in our application.

This is a false positive.

Reason:

  • Our application does not use Eclipse IDE or Help Server components.
  • The vulnerable files (help/advanced/searchView.jsp and help/advanced/workingSetManager.jsp) do not exist in the application.
  • The only Eclipse-related library is angus-activation 2.0.2, which does not include any web UI or JSP components.
  • Dependency-Check incorrectly maps the CVE due to manifest metadata containing “eclipse”.
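An added example (not part of the original report and not Dependency-Check's own code): a triage check that compares the reported CPE against the package coordinates and flags a match where only the vendor token overlaps. The token-overlap heuristic, the function names and the log4j comparison sample are assumptions made for illustration.

```python
import re

CPE_KEYS = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
PURL_RE = re.compile(
    r"pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?[^#]*)?(?:#.*)?")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its named attributes."""
    parts = re.split(r"(?<!\\):", cpe)  # keep backslash-escaped colons intact
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_KEYS, parts[2:]))

def parse_purl(purl):
    """Extract type, namespace, name and version from a package URL."""
    m = PURL_RE.fullmatch(purl)
    if not m:
        raise ValueError(f"not a package URL: {purl!r}")
    return m.groupdict()

def tokens(text):
    """Lower-cased alphanumeric tokens, e.g. 'eclipse_ide' -> {'eclipse', 'ide'}."""
    return {t for t in re.split(r"[^a-z0-9]+", (text or "").lower()) if t}

def triage(purl, cpe):
    """Compare a reported CPE with the coordinates of the package it was attached to."""
    p, c = parse_purl(purl), parse_cpe23(cpe)
    coords = tokens(p["namespace"]) | tokens(p["name"])
    product = tokens(c["product"])
    vendor_match = bool(tokens(c["vendor"]) & coords)
    product_match = bool(product) and product <= coords
    version_match = c["version"] in ("*", "-") or c["version"] == p["version"]
    if product_match:
        verdict = "plausible"      # product name is reflected in the coordinates
    elif vendor_match:
        verdict = "vendor-only"    # only the vendor word overlaps: review as likely FP
    else:
        verdict = "no-overlap"
    return {"vendor_match": vendor_match, "product_match": product_match,
            "version_match": version_match, "verdict": verdict}

# Values taken from this report.
PAGE_PURL = "pkg:maven/org.eclipse.angus/angus-activation@2.0.2"
PAGE_CPE = "cpe:2.3:a:eclipse:eclipse_ide:3.3.2:*:*:*:*:*:*:*"
# Constructed comparison sample, not from the report.
SAMPLE_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
SAMPLE_CPE = "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print(triage(PAGE_PURL, PAGE_CPE))
    print(triage(SAMPLE_PURL, SAMPLE_CPE))
```

For the values in this report the check returns `vendor-only` with a version mismatch, while the constructed log4j pair returns `plausible`.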
