Package URl
pkg:maven/org.apache.cxf.karaf/[email protected]
CPE
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
CVE
CVE-2022-40145
ODC Integration
None
ODC Version
12.2.0
Description
This CVE impacts only on "apache:karaf" packages as per cpe provided by NVD. But tool is reporting it on "org.apache.cxf.karaf/cxf-karaf-commands" jars as well, this is all together different package, which is wrong.
From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?
Package URl
pkg:maven/org.apache.cxf.karaf/[email protected]
CPE
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*CVE
CVE-2022-40145
ODC Integration
None
ODC Version
12.2.0
Description
This CVE impacts only on "apache:karaf" packages as per cpe provided by NVD. But tool is reporting it on "org.apache.cxf.karaf/cxf-karaf-commands" jars as well, this is all together different package, which is wrong.
From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?