[FP]: osgi-resource-locator detected as eclipse glassfish

[davidmstirn]

Package URl

pkg:maven/org.glassfish.hk2/[email protected]

CPE

cpe:2.3:a:eclipse:glassfish:1.0.3:*:*:*:*:*:*:*

CVE

CVE-2024-9329

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

10.0.1

Description

Another dependency under the glassfish org is being detected as eclipse glassfish, which recently had a published CVE released.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.glassfish.hk2</groupId>
   <artifactId>osgi-resource-locator</artifactId>
   <version>1.0.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7022
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.glassfish\.hk2/osgi-resource-locator@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11241118161

[chadlwilson]

Dupe of #7015, already fixed in #7016 but needs another "automated" FP report to be merged before it gets published.