false positive on java imageio with 4.0.1

[THausherr]

This happens when using 4.0.1, not when using 3.3.4:

jai-imageio-core-1.4.0.jar (cpe:/a:git:git:1.4.0, cpe:/a:git_project:git:1.4.0, com.github.jai-imageio:jai-imageio-core:1.4.0) : CVE-2015-7082, CVE-2017-14867, CVE-2010-2542, CVE-2008-5516, CVE-2010-3906, CVE-2015-7545, CVE-2013-0308, CVE-2014-9938
jai-imageio-jpeg2000-1.3.1-SNAPSHOT.jar (com.github.jai-imageio:jai-imageio-jpeg2000:1.3.1-SNAPSHOT, cpe:/a:git:git:1.3.1, cpe:/a:git_project:git:1.3.1) : CVE-2015-7082, CVE-2017-14867, CVE-2010-2542, CVE-2008-5516, CVE-2010-3906, CVE-2015-7545, CVE-2013-0308, CVE-2014-9938

            <dependency>
                <groupId>com.github.jai-imageio</groupId>
                <artifactId>jai-imageio-core</artifactId>
                <version>1.4.0</version>
            </dependency>
            <dependency>
                <groupId>com.github.jai-imageio</groupId>
                <artifactId>jai-imageio-jpeg2000</artifactId>
                <version>1.3.1-SNAPSHOT</version>
            </dependency>

The first two CVEs deal with git, so it has nothing to do with it.

The second jar is a snapshot, but it is mostly identical to the release.

[malejpavouk]

This is discussed in #1580

[THausherr]

Reopening, it still happens with 4.0.1.

[jeremylong]

I apologize for closing this one by mistake - the suppression rule will be included in the next release.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.