[FP]: False positive from recent scan results

[cmrohila]

Package URl

mutliple packages

CPE

NA

CVE

CVE-2011-5034 CVE-2013-4235 CVE-2015-2156 CVE-2015-4035 CVE-2015-5237 CVE-2015-8559 CVE-2017-1000034 CVE-2017-15288 CVE-2017-3162 CVE-2017-5645 CVE-2017-5929 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2017-9735 CVE-2018-17190 CVE-2019-16869 CVE-2019-20444 CVE-2019-20445 CVE-2020-13949 CVE-2020-27216 CVE-2020-27225 CVE-2020-7907 CVE-2021-34538 CVE-2021-37136 CVE-2021-37137 CVE-2021-4048 CVE-2021-41033 CVE-2021-44228 CVE-2021-45046 CVE-2022-1271 CVE-2022-1471 CVE-2022-2048 CVE-2022-25857 CVE-2022-26612 CVE-2022-3171 CVE-2022-36944 CVE-2022-41137 CVE-2022-41881 CVE-2022-42003 CVE-2022-42004 CVE-2023-2976 CVE-2023-37475 CVE-2023-6378 CVE-2023-6481 CVE-2024-7254 CVE-2025-24970 CVE-2025-47273 CVE-2025-48431 CVE-2025-7962 CVE-2026-2586 CVE-2026-2587

ODC Integration

{"label" => "CLI"}

ODC Version

12.2.2

Description

CVE-2011-5034 org.apache.geronimo.specs.geronimo-jta_1.1_spec_1.1.1.jar
CVE-2013-4235 pkg:rpm/sles/login_defs@4.8.1-150600.17.9.1?arch=noarch&distro=sles-15.7
CVE-2015-2156 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2015-4035 org.tukaani.xz_1.10.jar
CVE-2015-5237 com.google.protobuf.nano_3.1.0.jar
CVE-2015-8559 "chef.config_1.4.4.SNAPSHOT.jar/META-INF/maven/chef/config/pom.xml
chef.config.jmx_1.4.4.SNAPSHOT.jar/META-INF/maven/chef/config.jmx/pom.xml
chef.service_1.4.4.SNAPSHOT.jar
chef.service_1.4.4.SNAPSHOT.jar/META-INF/maven/chef/service/pom.xml
chef.config_1.4.4.SNAPSHOT.jar"
CVE-2017-1000034 "org.scala-lang.modules.scala-xml_2.4.0.jar
spark_5.0.4.DEV-SNAPSHOT.jar/scala-parallel-collections_2.13-1.2.0.jar"
CVE-2017-15288 "org.scala-lang.modules.scala-xml_2.4.0.jar
scala-collection-compat_2.13-2.8.0.jar
scala-parallel-collections_2.13-1.2.0.jar"
CVE-2017-3162 spark_5.0.4.DEV-SNAPSHOT.jar/hadoop-client-runtime-3.4.2.jar/META-INF/maven/org.apache.hadoop.thirdparty/hadoop-shaded-protobuf_3_25/pom.xml
CVE-2017-5645 log4j.over.slf4j_2.0.17.jar
CVE-2017-5929 des.decryption.utility-0.0.1.jar
CVE-2017-7656 org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
CVE-2017-7657 org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
CVE-2017-7658 org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
CVE-2017-9735 org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
CVE-2018-17190 "spark_5.0.4.DEV-SNAPSHOT.jarspark-core_2.13-4.1.1.jar
spark_5.0.4.DEV-SNAPSHOT.jarspark-sql_2.13-4.1.1.jar"
CVE-2019-16869 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2019-20444 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2019-20445 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2020-13949 pkg:maven/org.apache.hive/hive-exec@2.3.10
CVE-2020-27216 org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
CVE-2020-27225 "org.eclipse.osgi.services_3.12.100.v20240327-0645.jar
org.eclipse.equinox.http.service.api_1.2.2.v20231218-2126.jar
org.eclipse.equinox.common_3.19.100.v20240524-2011.jar
org.eclipse.equinox.http.servlet_1.8.200.v20240321-1445.jar
org.eclipse.equinox.event_1.7.100.v20240321-1445.jar
org.eclipse.equinox.cm_1.6.100.v20240329-0940.jar
org.eclipse.equinox.console_1.4.800.v20240513-1104.jar
org.eclipse.equinox.metatype_1.6.600.v20240513-1104.jar
org.eclipse.osgi.util_3.7.300.v20231104-1118.jar"
CVE-2020-7907 pkg:maven/ch.epfl.scala/bsp4j@2.1.1
CVE-2021-34538 "pkg:maven/org.apache.hive/hive-storage-api@2.8.1
pkg:maven/org.apache.hive/hive-exec@2.3.10"
CVE-2021-37136 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2021-37137 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2021-4048 pkg:maven/net.sourceforge.f2j/arpack_combined_all@0.1
CVE-2021-41033 "org.eclipse.osgi_3.24.0.v20251126-0427.jar
org.eclipse.equinox.http.service.api_1.2.2.v20231218-2126.jar
org.eclipse.equinox.common_3.19.100.v20240524-2011.jar
org.eclipse.equinox.http.servlet_1.8.200.v20240321-1445.jar
org.eclipse.equinox.event_1.7.100.v20240321-1445.jar
org.eclipse.osgi_3.21.0.v20241218-0710-E001.jar
org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
org.eclipse.equinox.cm_1.6.100.v20240329-0940.jar
org.eclipse.equinox.console_1.4.800.v20240513-1104.jar
org.eclipse.equinox.metatype_1.6.600.v20240513-1104.jar"
CVE-2021-44228 log4j.over.slf4j_2.0.17.jar
CVE-2021-45046 log4j.over.slf4j_2.0.17.jar
CVE-2022-1271 org.tukaani.xz_1.10.jar
CVE-2022-1471 pkg:maven/org.yaml/snakeyaml@1.26
CVE-2022-2048 org.eclipse.equinox.http.jetty_3.9.200.v20241218-0710-E003.jar
CVE-2022-25857 pkg:maven/org.yaml/snakeyaml@1.26
CVE-2022-26612 spark_5.0.4.DEV-SNAPSHOT.jarhadoop-client-runtime-3.4.2.jarMETA-INF/maven/org.apache.hadoop.thirdparty/hadoop-shaded-protobuf_3_25/pom.xml
CVE-2022-3171 com.google.protobuf.nano_3.1.0.jar
CVE-2022-36944 scala-collection-compat_2.13-2.8.0.jar
CVE-2022-41137 pkg:maven/org.apache.hive/hive-service-rpc@4.0.0
CVE-2022-41881 "io.netty.tcnative-boringssl-static_2.0.74.Final.jar
io.netty.tcnative-classes_2.0.74.Final.jar"
CVE-2022-42003 pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2.2
CVE-2022-42004 pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2.2
CVE-2023-2976 com.google.guava.failureaccess_1.0.3.jar
CVE-2023-37475 avro-ipc_1.12.1.jar
CVE-2023-6378 pkg:maven/ch.qos.logback/logback-core@1.2.12
CVE-2023-6481 pkg:maven/ch.qos.logback/logback-core@1.2.12
CVE-2024-7254 com.google.protobuf.nano_3.1.0.jar
CVE-2025-24970 "pkg:maven/io.netty/netty-resolver@4.1.94.Final
pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final
pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final"
CVE-2025-47273 pkg:pypi/setuptools@44.1.1
CVE-2025-48431 "[/opt/spark/jars/libthrift-0.16.0.jar]
pkg:maven/org.apache.thrift/libthrift@0.16.0"
CVE-2025-7962 angus-activation_2.0.2.jar
CVE-2026-2586 org.glassfish.hk2.osgi-resource-locator_1.0.3.jar
CVE-2026-2587 org.glassfish.hk2.osgi-resource-locator_1.0.3.jar

[github-actions]

Error parsing package url: mutliple packages.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/27466903881

[chadlwilson]

We can't work with this.

I've already said exactly the same in #8393 and #8179 over the last 7 months, yet you do not respond and persist on opening new issues while ignoring guidance. Do you not understand what you are being asked? Why keep opening issues while doing nothing to change your approach? Other projects would just block you for spam/nuisance. In any case, your issues will keep being closed until you open them correctly or engage in good faith to understand how the project works.

• 1 issue per package URL and CPE combination as reported by the tool
• include 1+ example CVE from that specific pkg and CPE combination
• explain why you think it is an FP
• explain what you have already tried to resolve the FP and improve your results locally

I suggest that you probably don't understand this project or the tool well enough to be opening false positive reports if you think the above is actionable. Instead, open a discussion that share your setup instead and ask for help improving your setup and reducing FPs where you out some effort describing your configuration and what you have tried.