[FP]: org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api@2.0.0 is misidentified as a jetty 2.0.0 component

[lread]

Package URl

pkg:maven/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api@2.0.0

CPE

cpe:2.3:a:jetty:jetty:2.0.0:*:*:*:*:*:*:*

CVE

No response

ODC Integration

None

ODC Version

10.0.1

Description

Hello! Thanks for all the hard work on DependencyCheck!

This seems similar to #6666.

The package pkg:maven/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api@2.0.0 is being classified as a Jetty 2.0.0 package (cpe:2.3:a:eclipse:jetty:2.0.0:*:*:*:*:*:*:* andcpe:2.3:a:jetty:jetty:2.0.0:*:*:*:*:*:*:*), although it ships with Jetty 11. The package version is independent of the Jetty release version and describes the WebSocket API version.

This triggers a bunch of false positive CVEs related to older versions of Jetty:

• CVE-2017-7657
• CVE-2017-7658
• CVE-2009-5045
• CVE-2017-7656
• CVE-2017-9735
• CVE-2022-2048
• CVE-2023-44487
• CVE-2020-27216
• CVE-2009-5046
• CVE-2021-28169
• CVE-2023-26048
• CVE-2023-26049
• CVE-2021-34428
• CVE-2022-2047

Here's a link to the artifact on Sonatype, if that helps:
https://central.sonatype.com/artifact/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0/versions

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jetty.toolchain</groupId>
   <artifactId>jetty-jakarta-websocket-api</artifactId>
   <version>2.0.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6798
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-jakarta-websocket-api@.*$</packageUrl>
   <cpe>cpe:/a:jetty:jetty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9786401897

[chadlwilson]

Thx, have raised a PR to try and make the suppression more generic to avoid playing "whack-a-mole" with these.