DependencyCheck
False Positive on kotlinx.serialization
False positive on library kotlinx-serialization-runtime-jvm-1.0-M1-1.4.0-rc.jar - reported as cpe:2.3:a:jetbrains:kotlin:1.0.m1.1.4.0:*:*:*:*:*:*:*
```xml
<!-- https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-serialization-runtime-jvm -->
<dependency>
    <groupId>org.jetbrains.kotlinx</groupId>
    <artifactId>kotlinx-serialization-runtime-jvm</artifactId>
    <version>1.0-M1-1.4.0-rc</version>
</dependency>
```
There are similar problems for kotlinx-serialization-core-jvm-1.0.0-RC.jar - reported as cpe:2.3:a:jetbrains:kotlin:1.0.0:*:*:*:*:*:*:*
```xml
<!-- https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-serialization-core-jvm -->
<dependency>
    <groupId>org.jetbrains.kotlinx</groupId>
    <artifactId>kotlinx-serialization-core-jvm</artifactId>
    <version>1.0.0-RC</version>
</dependency>
```
ODC isn't correctly handling release candidates and milestones when the NVD is including these in the CPE. This will take a bit more to resolve than most FP reports.
This also affects kotlinx-serialization-core-jvm:1.1.0 and kotlinx-serialization-json-jvm:1.1.0
It happens even when it's not an RC or Milestone version. kotlinx-serialization-core-jvm-1.2.2.jar is reported as cpe:2.3:a:jetbrains:kotlin:1.2.2:*:*:*:*:*:*:*.
This false positive happened before with other kotlinx-* libs. Maybe matching any kotlinx lib to the CPE cpe:2.3:a:jetbrains:kotlin:*:*:*:*:*:*:*:* should be avoided. Related issues:
- kotlinx-coroutines -> #2600
- kotlinx-html -> #2346
The same problem with kotlinx-datetime-jvm-0.3.1.jar
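Until the matcher is fixed, the practical workaround for the false positives reported in this thread is a DependencyCheck suppression file that drops the jetbrains:kotlin CPE only for artifacts in the org.jetbrains.kotlinx group. This is an added example, not a file from the issue or the project; the package URL pattern and the artifact names it covers are taken from the reports above, and the file name suppressions.xml is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not from the issue). Scoped to the
     org.jetbrains.kotlinx group so that real matches on the Kotlin
     compiler/stdlib (org.jetbrains.kotlin) are still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        kotlinx-serialization-*, kotlinx-coroutines-*, kotlinx-html-* and
        kotlinx-datetime-* are separate libraries, not the Kotlin compiler.
        ODC maps them to cpe:/a:jetbrains:kotlin (see this issue, #2600, #2346).
        Revisit if NVD ever publishes a CVE against a kotlinx artifact.
        ]]></notes>
        <!-- Maven package URL regex: any artifact in the kotlinx group,
             any version (covers 1.0-M1-1.4.0-rc, 1.0.0-RC, 1.1.0, 1.2.2, 0.3.1). -->
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-.*@.*$</packageUrl>
        <!-- Suppress only the misidentified CPE, not every finding on the artifact. -->
        <cpe>cpe:/a:jetbrains:kotlin</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression suppressions.xml` on the CLI (or `suppressionFile` in the Maven/Gradle plugin configuration) and confirm in the report that the kotlinx jars no longer carry the jetbrains:kotlin identifier while org.jetbrains.kotlin artifacts still do.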