NiFi packages contain other project names, which can cause incorrect identification ^pkg:maven/org\.apache\.nifi.*$ ^cpe:.*$ Jetty SSLEngine is incorrectly identified with Jetty Server ^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$ ^cpe:.*$ MySQL Binary Log Connector is incorrectly identified as MySQL server ^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$ cpe:/a:mysql:mysql Twill ZooKeeper is incorrectly identified with ZooKeeper server ^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$ cpe:/a:apache:zookeeper H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration pkg:maven/com.h2database/h2@1.4.200 ^CVE.*$ CVE-2022-45868 requires running H2 from a command not applicable to project references ^pkg:maven/com\.h2database/h2@2.*$ CVE-2022-45868 CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later ^pkg:maven/org\.springframework/spring\-web@.*$ CVE-2016-1000027 CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$ CVE-2020-5408 Servlet API 2.5 does not include Jetty Server vulnerabilities ^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$ ^cpe:.*$ Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities ^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$ cpe:/a:apache:spark Apache Hive vulnerabilities do not apply to Flume Hive Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$ cpe:/a:apache:hive Apache Kafka vulnerabilities do not apply to Flume Kafka Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$ cpe:/a:apache:kafka Apache Kafka vulnerabilities do not apply to Flume Kafka Source ^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$ cpe:/a:apache:kafka Apache Kafka vulnerabilities do not apply to Flume Shared Kafka ^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$ cpe:/a:apache:kafka Apache HBase vulnerabilities do not apply to Flume HBase Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$ cpe:/a:apache:hbase Apache Solr vulnerabilities do not apply to Flume Solr Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$ cpe:/a:apache:solr CVE-2017-10355 does not apply to Xerces 2.12.2 ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355 CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica ^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$ CVE-2020-13955 CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica ^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$ CVE-2020-13955 CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject ^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$ CVE-2020-13955 OpenTSDB vulnerabilities do not apply to HBase Async library ^pkg:maven/org\.hbase/asynchbase@.*$ cpe:/a:opentsdb:opentsdb Eclipse Equinox vulnerabilities do not apply to DataNucleus core library ^pkg:maven/org\.datanucleus/datanucleus\-core@.*$ cpe:/a:eclipse:equinox CVE-2018-8025 applies to HBase Server not HBase Client ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ CVE-2018-8025 CVE-2019-0212 applies to HBase Server not HBase Client ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ CVE-2019-0212 CVE-2014-3643 applies to Jersey Server not Jersey Core ^pkg:maven/com\.sun\.jersey/jersey\-core@.*$ CVE-2014-3643 Fan Platform vulnerabilities do not apply to JUnit Platform libraries ^pkg:maven/org\.junit\.platform/junit\-platform\-engine@.*$ cpe:/a:fan_platform_project:fan_platform CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries ^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$ CVE-2007-6465 Pro Search vulnerabilities do not apply to Spatial4j ^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$ cpe:/a:pro_search:pro_search CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK ^pkg:maven/org\.apache\.avro/avro@.*$ CVE-2021-43045 CVE-2022-31159 applies to AWS S3 library not the SWF libraries ^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$ CVE-2022-31159 Hive vulnerabilities do not apply to Iceberg Hive Metadata ^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$ cpe:/a:apache:hive Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin ^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-core ^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch ^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$ ^cpe:/a:elastic.*$ Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries ^pkg:maven/org\.elasticsearch/elasticsearch.*$ CVE-2020-7009 Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries ^pkg:maven/org\.elasticsearch/elasticsearch.*$ CVE-2020-7014 Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries ^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$ ^cpe:/a:elastic.*$ HTTP server vulnerabilities do not apply to Apache FTP Server ^pkg:maven/org\.apache\.ftpserver/.*$ cpe:/a:apache:apache_http_server