DependencyCheck

Improper check on Maven dependencies that share part of their artifact name with a possibly evidential other library

Open mischoem opened this issue 6 months ago • 4 comments

Describe the bug We wrote a convenient wrapper around liquibase. Because of our architectural requirements we have to call that artifact "techbase-liquibase-core", and we release it in a lower version than the "real" liquibase-core in its dependencies. The CVE check treats "our" version the same as the "real" liquibase-core and points out a CVE that does not exist. As you can see in the attached example, it seems that every dependency whose artifact name is similar to or contains the literal "liquibase-core" is treated as "liquibase-core".

Version of dependency-check used Maven -> dependency-check-maven:10.0.3:aggregate

Log file I added a small maven project, where you can recreate the behaviour easily. Just call "mvn verify" on the root project. It contains two modules in a Reactor:

  1. foo-liquibase-core: contains a Dummy class, nothing to worry about and no dependencies
  2. a-client: uses foo-liquibase-core as dependency

To Reproduce Steps to reproduce the behavior:

  1. Unzip the attached file owasp-test.zip
  2. Be sure to have a running Maven environment
  3. Call "mvn verify" on the root project
  4. A CVE (9.8 score) is detected where no CVE could exist.

Expected behavior No CVE findings and no matching to the real "liquibase-core"

Additional context

mischoem Aug 23 '24 07:08