[FP]: camel-reactive-executor-tomcat-4.0.1.jar causes false positives about Tomcat 4.x

[thomass4t]

Package URl

pkg:maven/org.apache.camel/[email protected]

CPE

cpe:2.3:a:apache_tomcat:apache_tomcat:4.0.1:::::::*

CVE

CVE-2002-2272, CVE-2020-8022, CVE-2002-1394, CVE-2009-3548, CVE-2013-2185 etc.

ODC Integration

{"label"=>"Ant Task"}

ODC Version

9.0.6

Description

Maybe the package name camel-reactive-executor-tomcat-4.0.1.jar triggers the old CVEs for Tomcat 4.x.

[github-actions]

Error parsing package url: pkg:maven/org.apache.camel/[email protected], cpe:2.3:a:apache:camel:4.0.1:::::::, cpe:2.3:a:apache:tomcat:4.0.1:::::::, cpe:2.3:a:apache_tomcat:apache_tomcat:4.0.1:::::::*.

Error: Error: Invalid purl: version must be percent-encoded

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7223164337

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.apache.camel</groupId>
   <artifactId>camel-reactive-executor-tomcat</artifactId>
   <version>4.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6313
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-reactive-executor-tomcat@.*$</packageUrl>
   <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7223170934

[aikebah]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.