NiFi packages contain other project names, which can cause incorrect identification ^pkg:maven/org\.apache\.nifi.*$ ^cpe:.*$ CVE-2017-10355 does not apply to Xerces 2.12.2 ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355 CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries ^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$ CVE-2007-6465 Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$ ^cpe:/a:elastic.*$ CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library ^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$ CVE-2022-30187 CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library ^pkg:maven/org\.apache\.ftpserver/.*$ CVE-2010-1151 CVE-2018-14335 applies to H2 running with a web server console enabled ^pkg:maven/com\.h2database/h2@.*$ CVE-2018-14335 The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities ^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$ cpe:/a:apache:tomcat Google BigQuery Storage is not the same as the gGRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$ cpe:/a:grpc:grpc Google PubSubLite is not the same as the gRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$ cpe:/a:grpc:grpc CVE-2020-9040 applies to Couchbase Server not the client library ^pkg:maven/com\.couchbase\.client/core\-io@.*$ CVE-2020-9040 CVE-2022-41881 applies to HA Proxy components in Netty which are not used in Couchbase or other components ^pkg:maven/io\.netty/.*$ CVE-2022-41881 CVE-2021-34538 applies to Apache Hive server not the Storage API library ^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$ CVE-2021-34538 Hadoop vulnerabilities do not apply to HBase Hadoop2 compatibility library ^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$ cpe:/a:apache:hadoop The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ CVE-2023-35116 CVE-2023-25194 applies to Kafka Connect workers not client libraries ^pkg:maven/org\.apache\.kafka/kafka.*?@.*$ CVE-2023-25194 CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients ^pkg:maven/io\.netty/netty.*?@.*$ CVE-2022-24823 CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients ^pkg:maven/io\.netty/netty.*?@.*$ CVE-2022-41915 CVE-2023-34462 applies to Netty servers using SniHandler not Netty 4.1 shaded for Couchbase and HBase 2 ^pkg:maven/io\.netty/netty.*$ CVE-2023-34462 The Square Wire framework is not the same as the Wire secure communication application ^pkg:maven/com\.squareup\.wire/.*$ cpe:/a:wire:wire Avro project vulnerabilities do not apply to Parquet Avro ^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$ cpe:/a:avro_project:avro CVE-2016-5397 applies to Apache Thrift Go not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2016-5397 CVE-2019-0210 applies to Apache Thrift Go server not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2019-0210 CVE-2018-11798 applies Apache Thrift Node.js not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2018-11798 CVE-2019-11939 applies to Thrift Servers in Go not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-11939 CVE-2019-3552 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3552 CVE-2019-3553 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3553 CVE-2019-3558 applies to Thrift Servers in Python not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3558 CVE-2019-3564 applies to Thrift Servers in Go not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3564 CVE-2019-3565 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3565 CVE-2021-24028 applies to Facebook Thrift CPP ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2021-24028 CVE-2019-11938 applies to Facebook Thrift Servers ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-11938 CVE-2019-3559 applies to Facebook Thrift Servers ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3559 The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version ^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$ cpe:/a:eclipse:jetty CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java ^pkg:maven/org\.apache\.avro/.*$ CVE-2023-37475 CVE-2023-36415 applies to Azure Identity for Python not Java ^pkg:maven/com\.azure/azure\-identity@.*$ CVE-2023-36415 CVE-2020-13949 applies to Thrift and not to Hive ^pkg:maven/org\.apache\.hive.*$ CVE-2020-13949 CVE-2023-44487 applies to netty-codec-http2 as a Server ^pkg:maven/io\.netty/netty.*$ CVE-2023-44487 Parquet MR vulnerabilities do not apply to other Parquet libraries ^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$ cpe:/a:apache:parquet-mr Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library ^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$ cpe:/a:apache:hadoop CVE-2019-11358 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2019-11358 CVE-2020-11022 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-11022 CVE-2020-11023 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-11023 CVE-2011-4969 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2011-4969 CVE-2012-6708 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2012-6708 CVE-2015-9251 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2015-9251 CVE-2020-7656 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-7656 jQuery vulnerability warning for historical versions ^pkg:javascript/jquery@.*$ jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates CVE-2023-44487 references gRPC for Go ^pkg:maven/io\.grpc/grpc.*$ CVE-2023-44487 Guava temporary directory file creation is not used ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2023-2976 Guava temporary directory file creation is not used ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2020-8908 CVE-2023-36052 applies to Azure CLI not Azure Java libraries ^pkg:maven/com\.azure/.*$ CVE-2023-36052 software.amazon.ion:ion-java is newer than com.amazonaws.ion:ion-java and does not share the same vulnerabilities ^pkg:maven/software\.amazon\.ion/ion\-java@.*$ cpe:/a:amazon:ion CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number ^pkg:maven/org\.clojure/spec\.alpha@.*$ CVE-2017-20189 CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number ^pkg:maven/org\.clojure/core\.specs\.alpha@.*$ CVE-2017-20189 Findings for Apache Hadoop do not apply to the shaded Protobuf library ^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$ cpe:/a:apache:hadoop CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty client usage in Solr ^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$ CVE-2024-22201