Precondition
- [x] I checked the issues list for existing open or closed reports of the same problem.
Describe the bug
A Java library that contains this OSGi entry in the /META-INF/MANIFEST.MF file
Require-Bundle: com.google.guava,org.eclipse.xtext,org.eclipse.xtext.generator;resolution:=optional,org.apache.commons.logging;....
gets Evidence entries in the html report like:
Product or Vendor | Manifest | require-bundle com.google.guava ...
and therefore is detected as
cpe:2.3:a:google:guava:6.28.0:snapshot:::::: (Confidence:Low)
which is a false positive.
Version of dependency-check used
The problem occurs using version 12.1.0 of the maven plugin
Expected behavior
Java Manifest entries that describe dependencies like "Require-Bundle" should not be used as evidence for CPEs to avoid false positives.
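To make the distinction the report asks for concrete, here is an added example (not code from the dependency-check project) that parses an OSGi MANIFEST.MF, joins the JAR-spec continuation lines, and splits the Require-Bundle header into the bundles it names and their directives. It then separates the headers that describe the bundle itself (Bundle-SymbolicName, Bundle-Name, Bundle-Vendor, Bundle-Version), which are legitimate product/vendor evidence, from the headers that only declare dependencies (Require-Bundle, Import-Package, Fragment-Host, DynamicImport-Package). The sample manifest, the bundle name org.example.tool and the helper names are constructed for this illustration; the header names and the clause grammar (comma-separated clauses, semicolon-separated parameters, `:=` for directives, `=` for attributes, quoted values that may contain commas) are the standard OSGi ones.

```python
"""Separate self-describing OSGi manifest headers from dependency headers.

Added example, not code from dependency-check. The manifest below is
constructed; it mimics the Require-Bundle entry from the report, wrapped
at 72 bytes with a leading space on continuation lines as the JAR spec requires.
"""

SAMPLE_MANIFEST = (  # constructed sample input
    "Manifest-Version: 1.0\r\n"
    "Bundle-ManifestVersion: 2\r\n"
    "Bundle-SymbolicName: org.example.tool;singleton:=true\r\n"
    "Bundle-Version: 1.2.3.qualifier\r\n"
    "Bundle-Vendor: Example Org\r\n"
    "Require-Bundle: com.google.guava,org.eclipse.xtext,org.eclipse.xtext.ge\r\n"
    " nerator;resolution:=optional,org.apache.commons.logging;bundle-version\r\n"
    " =\"1.2.0\"\r\n"
    "Import-Package: org.slf4j;version=\"[1.7,2)\"\r\n"
)

# Headers that name the artifact itself: the only sane source of product/vendor evidence.
SELF_DESCRIBING = {"Bundle-SymbolicName", "Bundle-Name", "Bundle-Vendor", "Bundle-Version"}
# Headers that list *other* bundles or packages: dependency declarations, not evidence.
DEPENDENCY_HEADERS = {"Require-Bundle", "Import-Package", "Fragment-Host", "DynamicImport-Package"}


def parse_manifest(text):
    """Return {header: value} for the main section, joining continuation lines.

    A line starting with a single space continues the previous header's value
    (JAR spec wrapping at 72 bytes). The first blank line ends the main section.
    """
    headers = {}
    current = None
    for raw in text.splitlines():
        if raw == "":
            break  # per-entry sections follow; they never describe the bundle
        if raw.startswith(" "):
            if current is None:
                raise ValueError("continuation line before any header")
            headers[current] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            headers[current] = value.strip()
    return headers


def _split_unquoted(value, sep):
    """Split on `sep` outside double quotes; version ranges like "[1.0,2.0)" contain commas."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_require_bundle(value):
    """Parse a Require-Bundle value into [(symbolic_name, {param: value}), ...].

    Directives use ':=' (e.g. resolution:=optional); attributes use '='
    (e.g. bundle-version="1.2.0"). Surrounding quotes are stripped from values.
    """
    result = []
    for clause in _split_unquoted(value, ","):
        name, *params = _split_unquoted(clause, ";")
        attrs = {}
        for param in params:
            key, _, val = param.partition(":=") if ":=" in param else param.partition("=")
            attrs[key.strip()] = val.strip().strip('"')
        result.append((name, attrs))
    return result


def evidence_from_manifest(headers):
    """Return (product_evidence, dependency_names).

    Only self-describing headers go into product_evidence, with parameters such as
    ';singleton:=true' dropped. Bundles named in Require-Bundle are returned
    separately so a caller can see what would become a false-positive CPE match
    if it were treated as evidence about this artifact.
    """
    product_evidence = {}
    for key, val in headers.items():
        if key in SELF_DESCRIBING:
            product_evidence[key] = _split_unquoted(val, ";")[0]
    dependencies = []
    if "Require-Bundle" in headers:
        dependencies = [name for name, _ in parse_require_bundle(headers["Require-Bundle"])]
    return product_evidence, dependencies


if __name__ == "__main__":
    hdrs = parse_manifest(SAMPLE_MANIFEST)
    evidence, deps = evidence_from_manifest(hdrs)
    print("product/vendor evidence:", evidence)
    print("declared dependencies (not evidence):", deps)
```

Run stand-alone, the script prints org.example.tool / Example Org / 1.2.3.qualifier as the only product evidence and lists com.google.guava, org.eclipse.xtext, org.eclipse.xtext.generator and org.apache.commons.logging as declared dependencies. The same split applies to Import-Package, whose package names (org.slf4j here) are likewise not the scanned artifact.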