[FP]: False positive finding in apache commons logging jar

[ashu4]

Package URl

/opt/sign/EABss7024/lib/commons-logging-1.1.jar

CPE

cpe:2.3:a:apache:commons_net:1.1:::::::*

CVE

CVE-2021-37533

ODC Integration

{"label" => "Docker"}

ODC Version

12.1.3

Description

CVE-2021-37533 is specific to apache commons net 3pp. Although product includes apache commons logging jar at system path /opt/sign/EABss7024/lib/commons-logging-1.1.jar.
Dependency checker is incorrectly showing apache commons net vulnerability for apache commons logging jar.

[github-actions]

Error parsing package url: /opt/sign/EABss7024/lib/commons-logging-1.1.jar.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/19924932885

[chadlwilson]

#7857 (comment)