[FP]: OSGi Jetty bundle version misinterpreted as incorrect Jetty implementation version

[cmrohila]

Package URl

org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710

CPE

cpe:2.3:a:eclipse:equinox:3.9.200:20241218::::::, cpe:2.3:a:eclipse:jetty:3.9.200:20241218::::::, cpe:2.3:a:jetty:jetty:3.9.200:20241218::::::

CVE

CVE-2009-5045 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2017-9735 CVE-2020-27216 CVE-2021-41033 CVE-2022-2048 CVE-2009-5046 CVE-2021-28169 CVE-2021-34428 CVE-2022-2047 CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-41900 CVE-2025-41242

ODC Integration

None

ODC Version

12.1.0

Description

Dependency Checker is misinterpreting the org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710 bundle to be the installed Jetty version and reporting following vulnerabilities.
CVE-2009-5045
CVE-2017-7656
CVE-2017-7657
CVE-2017-7658
CVE-2017-9735
CVE-2020-27216
CVE-2021-41033
CVE-2022-2048
CVE-2009-5046
CVE-2021-28169
CVE-2021-34428
CVE-2022-2047
CVE-2023-26048
CVE-2023-26049
CVE-2023-36479
CVE-2023-41900
CVE-2025-41242

Please fix this FP.

[github-actions]

Error parsing package url: org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/20002514410

[chadlwilson]

You need to fill in the fields with a single CPE and an actual package URL (from the ODC report as it is) as the comments above say. Suppressions cannot be made against arbitrary jars, only packages.

Also,.you are not using the latest ODC. Use latest before reporting issues

Will re-open if corrected and OP responds.