grype
False positive jackson-databind CVE-2023-35116, already removed from Sonatype and dependencyCheck, still present as High in grype
What happened: CVE-2023-35116 was excluded from Sonatype and dependencyCheck as a false positive.
Details:
What you expected to happen: Exclude the jackson-databind CVE as Sonatype/dependencyCheck already did, or at least lower it from High, according to the details:
The error occurs with any recursive data structure, and it's not a problem specific to the Jackson library. Jackson will not detect loops in data structures, but the same would be true if you were to call hashCode on the same map - this would also cause a stack overflow, but is not considered a security issue.
The original report did not provide a convincing demonstration of how the issue could be exploited for a Denial of Service (DoS) attack via a crafted string. The test case provided did not clearly demonstrate this possibility.
In Jackson 2.15, the default maximum nesting depth on the reader side is set at 1000 levels, and List / JsonNode deserializers both have non-JDK-stack based handling, which would prevent stack overflow issues.
That being said, although this might not be a cause for suppression, I would at least expect that they lower the severity level.
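The details quoted above rest on one concrete claim: since Jackson 2.15 the parser enforces a maximum nesting depth (1000 by default) before any JDK stack is consumed, so a crafted deeply nested document is rejected rather than overflowing the stack. The following Java snippet is an added illustration of that mechanism; it is not part of this issue or of the Jackson project's own code. It assumes jackson-core and jackson-databind 2.15.x on the classpath, and the helper names `nested`, `mapperWithMaxDepth` and `parses` are my own.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class NestingDepthDemo {

    // Constructed input: `depth` opening brackets followed by `depth` closing ones,
    // i.e. the kind of document a "crafted string" DoS report would rely on.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Build a mapper whose underlying parser refuses documents nested deeper than maxDepth.
    // Jackson 2.15 applies StreamReadConstraints.DEFAULT_MAX_DEPTH (1000) when none is set.
    static ObjectMapper mapperWithMaxDepth(int maxDepth) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return JsonMapper.builder(factory).build();
    }

    // Returns true if the document parses into a JsonNode tree, false if the
    // reader-side depth limit rejects it. The rejection is a normal checked
    // exception raised by the tokenizer, not a StackOverflowError.
    static boolean parses(ObjectMapper mapper, String json) {
        try {
            JsonNode node = mapper.readTree(json);
            return node != null;
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by depth limit: " + e.getOriginalMessage());
            return false;
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("unexpected parse failure", e);
        }
    }

    public static void main(String[] args) {
        // Default 2.15 mapper: 500 levels is fine, 5000 levels exceeds the 1000-level limit.
        ObjectMapper defaults = new ObjectMapper();
        System.out.println("default, depth 500:  " + parses(defaults, nested(500)));
        System.out.println("default, depth 5000: " + parses(defaults, nested(5000)));

        // A service that never expects deep documents can lower the limit further.
        ObjectMapper strict = mapperWithMaxDepth(32);
        System.out.println("strict,  depth 40:   " + parses(strict, nested(40)));
    }
}
```

The point for triage is the second call: on a 2.15 reader the oversized document never reaches a JsonNode or List deserializer, which is why the quoted maintainers regard the reported stack-overflow path as not reachable through parsing. The serializer side (calling `writeValueAsString` on a self-referencing Map) is a separate matter and behaves like `hashCode` on the same structure, as the first quoted paragraph notes.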
How to reproduce it (as minimally and precisely as possible): execute: grype -o table lehend/jackson-databind-cve-2020-35728-rce
Anything else we need to know?:
Environment:
- Output of grype version:
Application: grype
Version: 0.63.1
Syft Version: v0.84.1
BuildDate: 2023-06-29T21:05:17Z
GitCommit: brew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.20.5
Compiler: gc
Supported DB Schema: 5
- OS (e.g. cat /etc/os-release or similar): macOS Ventura 13.4.1