[FP]: Jakarta.json 2.0.1 reports 3 vulnerabilities

[AndreiElvediMetro]

Package URl

pkg:maven/org.glassfish/jakarta.json@2.0.1

CPE

'cpe:2.3:a:eclipse:glassfish:2.0.1:::::::*'

CVE

CVE-2023-5072

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

2.0.1

Description

Hello,
Version 2.0.1 reports 2 extra CVEs aside from CVE-2022-45688 that was reported in a previous ticket.
Those extra ones are: CVE-2023-5072 and CVE-2024-9329.

5072 is also tied to json:java but 9329 is tied to [cpe:2.3:a:eclipse:glassfish:::::::: versions up to (excluding) 7.0.17].

I would like to confirm if these extra 2 are false positives as well.

Thanks,
Andrei

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.glassfish</groupId>
   <artifactId>jakarta.json</artifactId>
   <version>2.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7192
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12026053594

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.glassfish</groupId>
   <artifactId>jakarta.json</artifactId>
   <version>2.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7192
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12074761434

[aikebah]

Unreproducible... check that your ODC is current. Odc 2.0.1 is far from current (it's 11.1.0 nowadays), but I'm doubting that you'd be running such an ancient version.