NiFi packages contain other project names, which can cause incorrect identification ^pkg:maven/org\.apache\.nifi.*$ ^cpe:.*$ Meta MX HTTP Client is incorrectly identified as Netty ^pkg:maven/com\.metamx/http\-client@.*$ cpe:/a:netty:netty Testcontainers MySQL is incorrectly identified with MySQL server ^pkg:maven/org\.testcontainers/mysql@.*$ cpe:/a:mysql:mysql StumbleUpon Async is incorrectly identified as the JavaScript Async library ^pkg:maven/com\.stumbleupon/async@.*$ CVE-2021-43138 HBase Async is incorrectly identified as the JavaScript Async library ^pkg:maven/org\.hbase/asynchbase@.*$ CVE-2021-43138 Jetty SSLEngine is incorrectly identified with Jetty Server ^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$ ^cpe:.*$ MySQL Binary Log Connector is incorrectly identified as MySQL server ^pkg:maven/com\.github\.shyiko/mysql\-binlog\-connector\-java@.*$ cpe:/a:mysql:mysql Testcontainers MariaDB is incorrectly identified with MariaDB server ^pkg:maven/org\.testcontainers/mariadb@.*$ cpe:/a:mariadb:mariadb Twill ZooKeeper is incorrectly identified with ZooKeeper server ^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$ cpe:/a:apache:zookeeper H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration pkg:maven/com.h2database/h2@1.4.200 ^CVE.*$ H2 2 is not vulnerable to CVE-2018-14335 ^pkg:maven/com\.h2database/h2@2.*$ CVE-2018-14335 Jetty apache-jsp is not part of Apache Tomcat server pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70 cpe:/a:apache:tomcat CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later ^pkg:maven/org\.springframework/spring\-web@.*$ CVE-2016-1000027 CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$ CVE-2020-5408 Spring Security Kerberos Core is an extension of the Spring Security project ^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$ cpe:/a:vmware:spring_security Servlet API 2.5 does not include Jetty Server vulnerabilities ^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$ ^cpe:.*$ Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities ^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$ cpe:/a:apache:spark Apache Hive vulnerabilities do not apply to Flume Hive Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$ cpe:/a:apache:hive Apache Kafka vulnerabilities do not apply to Flume Kafka Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$ cpe:/a:apache:kafka Apache Kafka vulnerabilities do not apply to Flume Kafka Source ^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$ cpe:/a:apache:kafka Apache Kafka vulnerabilities do not apply to Flume Shared Kafka ^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$ cpe:/a:apache:kafka Apache HBase vulnerabilities do not apply to Flume HBase Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$ cpe:/a:apache:hbase Apache Solr vulnerabilities do not apply to Flume Solr Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$ cpe:/a:apache:solr CVE-2017-10355 does not apply to Xerces 2.12.2 ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355