[FP]: False positive findings in Dependency Checker for angus-activation.jar

[ashu4]

Package URl

pkg:maven/org.eclipse.angus/angus-activation@2.0.2

CPE

cpe:2.3:a:eclipse:angus_mail:2.0.2:::::::*

CVE

CVE-2025-7962

ODC Integration

{"label" => "Docker"}

ODC Version

12.1.9

Description

Hi Team,

We are getting following CVE in Dependency Checker Tool findings, although as per our analysis we consider this as false positive.
CVE details and our justification for false positive for CVE is mentioned below.
Kindly check and get it fixed in Dependency Checker tool. So this false positive does not appear in scan report.

CVE-2025-7962
Justification: This vulnerability is related to Jakarta/Angus Mail.
Product includes angus-activation.jar only although vulnerability is in the SMTP/mail component (Jakarta Mail/Angus Mail,), not in the activation library. Scanner is falsely identifying this vulnerability on angus-activation.jar. Hence considering it as false positive.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.angus</groupId>
   <artifactId>angus-activation</artifactId>
   <version>2.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8211
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.angus/angus-activation@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:angus_mail</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/20652595434

[chadlwilson]

There is already a suppression for this. See #8130 (comment)

I suspect there are a bunch of you from the same org here and you keep raising FPs for the same things without addressing the likely root cause for your problems.