NiFi packages contain other project names, which can cause incorrect identification ^pkg:maven/org\.apache\.nifi.*$ ^cpe:.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$ ^cpe:/a:elastic.*$ CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library ^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$ CVE-2022-30187 CVE-2018-14335 applies to H2 running with a web server console enabled ^pkg:maven/com\.h2database/h2@.*$ CVE-2018-14335 The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities ^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$ cpe:/a:apache:tomcat Google BigQuery Storage is not the same as the gGRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$ cpe:/a:grpc:grpc Google PubSubLite is not the same as the gRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$ cpe:/a:grpc:grpc CVE-2021-34538 applies to Apache Hive server not the Storage API library ^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$ CVE-2021-34538 The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ CVE-2023-35116 The Square Wire framework is not the same as the Wire secure communication application ^pkg:maven/com\.squareup\.wire/.*$ cpe:/a:wire:wire Avro project vulnerabilities do not apply to Parquet Avro ^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$ cpe:/a:avro_project:avro CVE-2016-5397 applies to Apache Thrift Go not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2016-5397 CVE-2019-0210 applies to Apache Thrift Go server not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2019-0210 CVE-2018-11798 applies Apache Thrift Node.js not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2018-11798 CVE-2019-11939 applies to Thrift Servers in Go not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-11939 CVE-2019-3552 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3552 CVE-2019-3553 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3553 CVE-2019-3558 applies to Thrift Servers in Python not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3558 CVE-2019-3564 applies to Thrift Servers in Go not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3564 CVE-2019-3565 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3565 CVE-2021-24028 applies to Facebook Thrift CPP ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2021-24028 CVE-2019-11938 applies to Facebook Thrift Servers ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-11938 CVE-2019-3559 applies to Facebook Thrift Servers ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3559 CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java ^pkg:maven/org\.apache\.avro/.*$ CVE-2023-37475 CVE-2023-36415 applies to Azure Identity for Python not Java ^pkg:maven/com\.azure/azure\-identity@.*$ CVE-2023-36415 CVE-2020-13949 applies to Thrift and not to Hive ^pkg:maven/org\.apache\.hive.*$ CVE-2020-13949 Parquet MR vulnerabilities do not apply to other Parquet libraries ^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$ cpe:/a:apache:parquet-mr CVE-2019-11358 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2019-11358 CVE-2020-11022 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-11022 CVE-2020-11023 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-11023 CVE-2011-4969 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2011-4969 CVE-2012-6708 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2012-6708 CVE-2015-9251 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2015-9251 CVE-2020-7656 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-7656 CVE-2023-44487 references gRPC for Go ^pkg:maven/io\.grpc/grpc.*$ CVE-2023-44487 Guava temporary directory file creation is not used ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2023-2976 Guava temporary directory file creation is not used ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2020-8908 Findings for Apache Hadoop do not apply to the shaded Protobuf library ^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_25@.*$ cpe:/a:apache:hadoop CVE-2024-23081 applies to threetenbp 1.6.8 and earlier not 1.6.9 ^pkg:maven/org\.threeten/threetenbp@.*$ CVE-2024-23081 CVE-2024-23082 applies to threetenbp 1.6.8 and earlier not 1.6.9 ^pkg:maven/org\.threeten/threetenbp@.*$ CVE-2024-23082 CVE-2023-7272 applies to Eclipse Parrson not javax.json ^pkg:maven/org\.glassfish/javax\.json@.*$ CVE-2023-7272 CVE-2024-43591 applies to Azure CLI not azure-core-amqp ^pkg:maven/com\.azure/.*$ cpe:/a:microsoft:azure_cli CVE-2024-43591 jquery is not used although bundled in Hadoop avro-ipc libraries ^pkg:javascript/jquery@.*$ jquery issue: 162 Google OpenTelemetry shared-resourcemapping versions do not align with base OpenTelemetry versions leading to false positives ^pkg:maven/com\.google\.cloud\.opentelemetry/.*$ cpe:/a:opentelemetry:opentelemetry CVE-2024-35255 is resolved in msal4j 1.15.1 and the CPE for other languages does not apply CVE-2024-35255 cpe:/a:microsoft:authentication_library:*:*:*:*:*:.net:*:*