Hans Aikema
Without a packageUrl for this library we cannot fix it and suppression would be up to you, I cannot find where this library originates from.
Appears to have been resolved, not reproducible with maven plugin of DC 7.1.0
This appears to have resolved itself, cannot reproduce with an up-to-date maven plugin (7.1.0)
We don't have an intention to micromanage the vulnerabilities of a large framework that is always released as a whole with one version resulting in a single CPE vendor/product classification...
Created an issue upstream at OSSINDEX: https://github.com/OSSIndex/vulns/issues/270
@Janpopan the FP workflow already ran an analysis with ODC 7.0.4 that surfaces this FP due to OSSINDEX returning the CVE for commons-collections, which is why I opened the ticket...
From a brief look at the evidence it looks like it's a FP caused by OSSINDEX vulnerability data and grizzly-http is only involved in a workaround to the issue. However,...
Is reported upstream to the vulnerability datasource that reports it as https://github.com/OSSIndex/vulns/issues/277
The only handling of return code in a script in my view would be a check for success or failure, which would mean comparison of the exit code to 0...
@jeremylong what do you think? Looks reasonable to me, but I think we should postpone integrating until an 8.x release, as it will break existing return code handling in scripted runs.