Merge pull request #1158 from microsoft/trask/improve-cve-matching

Improve CVE matching

Author: trask

agent/dependency-check-suppressions.xml

@@ -1,11 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
-        <notes><![CDATA[
-      file name: instrumentation-logback-0.14.2.jar
-      This is logback instrumentation, not the logback library itself.
-      ]]></notes>
+        <notes>org.glowroot.instrumentation:instrumentation-logback should not be matched to logback:logback</notes>
         <packageUrl regex="true">^pkg:maven/org\.glowroot\.instrumentation/instrumentation\-logback@.*$</packageUrl>
-        <cve>CVE-2017-5929</cve>
+        <cpe>cpe:/a:logback:logback</cpe>
     </suppress>
-</suppressions>
+</suppressions>