[FP]: JGit version with backported fix is marked vulnerable

[jpmartins-ca]

Package URl

pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.10.1.202505221210-r

CPE

cpe:2.3:a:eclipse:jgit:6.10.1:202505221210::::::

CVE

CVE-2025-4949

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.8

Description

import org.owasp.dependencycheck.utils.DependencyVersion;

DependencyVersion a = new DependencyVersion("6.10.1.202505221210-r");
DependencyVersion b = new DependencyVersion("6.10.1.202505221210");
System.out.println(a.compareTo(b)>0?a+" is greater":b+" is "+(a.compareTo(b)==0?"equals":"greater"));
//6.10.1.202505221210 is equals

Since your comparator says they are the same, and at the CVE it says 6.10.1.202505221210 is safe, why is it still reporting as vulnerable?
In my case this is not a direct but a transitive dependency, on a plugin from me.qoomon:maven-git-versioning-extension:9.11.0

Thanks for any help you can offer.
Best regards,
J

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jgit</groupId>
   <artifactId>org.eclipse.jgit</artifactId>
   <version>6.10.1.202505221210-r</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8078
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/18749251018

[chadlwilson]

This is basically the same as #5943 and #6685.

And to answer your question, I believe that would be because that comparator is not what is being used to determine CPE based matches. NVD data is based on CPE and broadly speaking that means matching with CPE semantics which may differ from internal semantics (although I personally agree that multiple version parsers that are inconsistent in approach is confusing). I actually have a change in the CPE parser at stevespringett/CPE-Parser#286 (intended to fix sorting, not matching) which, now I think about it, might change the semantics here, but I have not specifically checked it. I probably should. Anyway, you will see this logic I used in ODC’s VulnerableSoftware type.

IMHO the problem is still that NVD have the wrong version numbers in their data here (which is why the earlier issues are a “won’t fix”) and their chosen versioning don’t match the released artifacts, nor the CVes raised and managed by Eclipse. They have decided just to omit the -r while including the date, which is arbitrary and wrong. They should either ignore those whole suffixes or include the whole things or we end up in semantic debates about whether “” (empty string) is > or < “-r”. It’s possible there is something in the CPE spec that clears this up, and if that’s the case perhaps it can be addressed here, but I don’t think so….

We could try interacting with Eclipse’s CVE team as they are now managing their own CVEs and may have a way to fix the data here so it at least matches their GHSAs and PURLs.

There are some special harder coded rules to understand that alpha, beta etc - when modelled as a different field - are below the version without the suffix, but that all gets messy with arbitrary suffixes.