With 4.0.0 all our internal projects are detected as Jenkins

[TobiX]

I'm not really sure why this is suddenly an issue. All our internal artifacts have this in their MANIFEST.MF:

Implementation-URL: http://internal-jenkins.company.com/sites/groupId/artifactId/

When switching from DependencyCheck 3.3.4 to 4.0.0, all those modules are suddenly detected as cpe:/a:jenkins:jenkins.

Some projects have this in their MANIFEST.MF:

X-CI-Job-Name: group/project/release

Those are additionally detected as cpe:/a:jenkins:release...

When I look at the diff between those versions the only culprit can be the lucene update, right?

I know I can work around this issue with local suppressions, but I wonder if there is a different tweakable which would avoid these kinds of false-positives...

[Feralus]

Lot of people have this problem. As you already said it is caused by the upgrade from 3.3.4 to 4.0.0.
It looks like it's enough if version matches.

See other Issues: 1580, 1579

[TobiX]

Since this is already discussed in #1580, I'll close this issue.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.