[FP]: old tomcat CVE incorrectly reported for latest version

[githubuserVenkat]

Package URl

pkg:maven/org.apache.tomcat/tomcat-el-api@9.0.106

CPE

cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:::::::*

CVE

CVE-2020-8022

ODC Integration

None

ODC Version

12.2.0

Description

As per NVD CVE-2020-8022 has been fixed in 9.0.35,however it is still reported even in the tomcat version 9.0.110

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat-el-api</artifactId>
  <version>9.0.106</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8283
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-el-api@.*$</packageUrl>
    <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/21706525322

[chadlwilson]

There is already a suppression for this. As I keep saying to you on almost every issue you open, the problem is most likely your scan environment not matching jars to package uris.

Please stop opening new tickets like this without addressing earlier comments.