There seem to be different CPE IDs for the ICU project:

- cpe:2.3:a:icu_project:international_components_for_unicode:52.0:*:*:*:*:*:*:* (Excluded in response to icu4j-58.2.jar mis-identified as C/C++ implementation of ICU #851)
- cpe:2.3:a:icu-project:international_components_for_unicode:52.1:*:*:*:*:c\/c\+\+:*:*

When updating from dependency-check 2.1.1 to 3.1.0, every ICU4J dependency is now reclassified to the latter CPE and the dependency-check report now suggests to me:
```xml
<suppress>
    <notes><![CDATA[
    file name: icu4j-52.1.jar
    ]]></notes>
    <gav regex="true">^com\.ibm\.icu:icu4j:.*$</gav>
    <cpe>cpe:/a:icu-project:international_components_for_unicode</cpe>
</suppress>
```
I already wrote a mail to the NVD maintainers, so I expect that icu_project and icu-project will be merged in the database.
Related: Would it be possible to only remove the misqualification to cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c/c++:*:* and keep the cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:java:*:* ID?
PS: dependency-check shows c/c++ as c%2fc%2b%2b - can this be made more readable?
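The following is an added example, not code from the issue or from dependency-check itself. It parses the CPE 2.3 formatted strings quoted above (handling the backslash escapes in `c\/c\+\+`), shows which identifiers a vendor+product suppression would cover versus one keyed on the `target_sw` attribute, and decodes the percent-encoded `c%2fc%2b%2b` the report displays. The assumption that a `<cpe>` suppression entry of the form `cpe:/a:vendor:product` matches every identifier with that part, vendor and product is an illustration of the question, not a statement of dependency-check's exact matching rules; the function and constant names are this example's own.

```python
"""Parse CPE 2.3 strings and check what a suppression rule would cover (added example)."""
from urllib.parse import unquote

# Attribute names of a CPE 2.3 formatted string, in order (NIST CPE 2.3 naming spec).
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

# Identifiers quoted in the issue above (constructed sample input; the java one
# is the identifier the reporter wants to keep).
REPORT_CPES = [
    "cpe:2.3:a:icu_project:international_components_for_unicode:52.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:icu-project:international_components_for_unicode:52.1:*:*:*:*:c\\/c\\+\\+:*:*",
    "cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:java:*:*",
]
# The <cpe> value the report suggested as a suppression.
SUGGESTED_SUPPRESSION = "cpe:/a:icu-project:international_components_for_unicode"


def split_unescaped(s: str) -> list:
    """Split on ':' that is not backslash-escaped; a backslash escapes the next char."""
    parts, buf, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])  # keep the escaped character literally ('/' or '+')
            i += 2
            continue
        if c == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(s: str) -> dict:
    """Return the 11 attributes of a CPE 2.3 formatted string as a name -> value dict."""
    prefix = "cpe:2.3:"
    if not s.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % s)
    fields = split_unescaped(s[len(prefix):])
    if len(fields) != len(ATTRS):
        raise ValueError("expected %d attributes, got %d" % (len(ATTRS), len(fields)))
    return dict(zip(ATTRS, fields))


def vendor_product_match(suppress_prefix: str, cpe: dict) -> bool:
    """Assumed semantics (for illustration): a 'cpe:/a:vendor:product' entry suppresses
    every identifier with the same part, vendor and product, regardless of target_sw."""
    _, part, vendor, product = suppress_prefix.split(":")[:4]
    return (cpe["part"] == part.lstrip("/") and cpe["vendor"] == vendor
            and cpe["product"] == product)


def suppressed_by_prefix(suppress_prefix: str, cpes: list) -> list:
    """Identifiers the suggested vendor+product suppression would remove."""
    return [s for s in cpes if vendor_product_match(suppress_prefix, parse_cpe23(s))]


def suppressed_by_target_sw(target_sw: str, cpes: list) -> list:
    """Narrower rule: remove only identifiers whose target_sw attribute equals target_sw."""
    return [s for s in cpes if parse_cpe23(s)["target_sw"] == target_sw]


def decode_report_component(value: str) -> str:
    """The report shows 'c%2fc%2b%2b'; that is URL percent-encoding of 'c/c++'."""
    return unquote(value)


if __name__ == "__main__":
    print("vendor+product suppression removes:")
    for s in suppressed_by_prefix(SUGGESTED_SUPPRESSION, REPORT_CPES):
        print("  ", s)
    print("target_sw=c/c++ suppression removes:")
    for s in suppressed_by_target_sw("c/c++", REPORT_CPES):
        print("  ", s)
    print("decoded:", decode_report_component("c%2fc%2b%2b"))
```

Run stand-alone, the vendor+product rule removes both icu-project identifiers (the c/c++ one and the java one) while leaving the icu_project identifier untouched, which is exactly the mismatch the two vendor spellings cause; the target_sw-keyed rule removes only the c/c++ identifier.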