NiFi packages contain other project names, which can cause incorrect identification ^pkg:maven/org\.apache\.nifi.*$ ^cpe:.*$ CVE-2022-45868 requires running H2 from a command not applicable to project references ^pkg:maven/com\.h2database/h2@2.*$ CVE-2022-45868 CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later ^pkg:maven/org\.springframework/spring\-web@.*$ CVE-2016-1000027 CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$ CVE-2020-5408 Apache Hive vulnerabilities do not apply to Flume Hive Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$ cpe:/a:apache:hive Apache Kafka vulnerabilities do not apply to Flume Kafka Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$ cpe:/a:apache:kafka Apache Kafka vulnerabilities do not apply to Flume Kafka Source ^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$ cpe:/a:apache:kafka Apache Kafka vulnerabilities do not apply to Flume Shared Kafka ^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$ cpe:/a:apache:kafka Apache HBase vulnerabilities do not apply to Flume HBase Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$ cpe:/a:apache:hbase Apache Solr vulnerabilities do not apply to Flume Solr Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$ cpe:/a:apache:solr CVE-2017-10355 does not apply to Xerces 2.12.2 ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355 CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 CVE-2018-8025 applies to HBase Server not HBase Client ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ CVE-2018-8025 CVE-2019-0212 applies to HBase Server not HBase Client ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ CVE-2019-0212 CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries ^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$ CVE-2007-6465 CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK ^pkg:maven/org\.apache\.avro/avro@.*$ CVE-2021-43045 CVE-2022-31159 applies to AWS S3 library not the SWF libraries ^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$ CVE-2022-31159 Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin ^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-core ^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch ^pkg:maven/org\.elasticsearch/elasticsearch@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries ^pkg:maven/org\.elasticsearch/elasticsearch.*$ CVE-2020-7009 Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries ^pkg:maven/org\.elasticsearch/elasticsearch.*$ CVE-2020-7014 CVE-2021-22145 applies to Elasticsearch Server not client libraries ^pkg:maven/org\.elasticsearch/elasticsearch@.*$ CVE-2021-22145 Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries ^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$ ^cpe:/a:elastic.*$ CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library ^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$ CVE-2022-30187 CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library ^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$ CVE-2022-39135 CVE-2018-1000873 applies to Jackson Java 8 Time modules not Jackson Annotations ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$ CVE-2018-1000873 CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library ^pkg:maven/org\.apache\.ftpserver/.*$ CVE-2010-1151 CVE-2018-14335 applies to H2 running with a web server console enabled ^pkg:maven/com\.h2database/h2@.*$ CVE-2018-14335 CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library ^pkg:maven/org\.apache\.kerby/token\-provider@.*$ CVE-2023-25613 The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities ^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$ cpe:/a:apache:tomcat Google BigQuery Storage is not the same as the gGRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$ cpe:/a:grpc:grpc Google PubSubLite is not the same as the gRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$ cpe:/a:grpc:grpc CVE-2020-9040 applies to Couchbase Server not the client library ^pkg:maven/com\.couchbase\.client/core\-io@.*$ CVE-2020-9040 CVE-2022-41881 applies to HA Proxy components in Netty which are not used in Couchbase or other components ^pkg:maven/io\.netty/.*$ CVE-2022-41881 CVE-2021-34538 applies to Apache Hive server not the Storage API library ^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$ CVE-2021-34538 CVE-2018-8025 applies to HBase server not the shaded libraries ^pkg:maven/org\.apache\.hbase\.thirdparty/hbase\-shaded\-.*$ CVE-2018-8025 CVE-2018-8025 applies to HBase Server not HBase libraries ^pkg:maven/org\.apache\.hbase/hbase\-.*$ CVE-2018-8025 CVE-2019-0212 applies to HBase Server not HBase libraries ^pkg:maven/org\.apache\.hbase/hbase\-.*$ CVE-2019-0212 Hadoop vulnerabilities do not apply to HBase Hadoop2 compatibility library ^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$ cpe:/a:apache:hadoop CVE-2022-45688 applies to hutools-json not org.json ^pkg:maven/org\.json/json@.*$ CVE-2022-45688 The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ CVE-2023-35116 CVE-2023-25194 applies to Kafka Connect workers not client libraries ^pkg:maven/org\.apache\.kafka/kafka.*?@.*$ CVE-2023-25194 CVE-2022-34917 applies to Kafka brokers not client libraries ^pkg:maven/org\.apache\.kafka/kafka.*?@.*$ CVE-2022-34917 CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations ^pkg:maven/org\.apache\.kerby/kerb.*?@.*$ CVE-2023-25613 CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients ^pkg:maven/io\.netty/netty.*?@.*$ CVE-2022-24823 CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients ^pkg:maven/io\.netty/netty.*?@.*$ CVE-2022-41915