[FP]: Jersey HK2 JARs Misidentified as GlassFish Server

[er-balaji]

Package URl

pkg:maven/org.glassfish.jersey.inject/jersey-hk2@2.48

CPE

cpe:2.3:a:eclipse:glassfish::::::::

CVE

CVE-2024-9329, CVE-2026-2586, CVE-2026-2587

ODC Integration

None

ODC Version

Maven / OWASP Dependency-Check CLI

Description

False positive: The scanner matches HK2 dependency injection JARs (namespace org.glassfish.hk2 / org.glassfish.jersey) against GlassFish Application Server CPE.

HK2 is a standalone dependency injection framework used by Jersey REST framework. GlassFish Application Server is NOT deployed. The CVEs are for GlassFish server-specific vulnerabilities (admin console, deployment) that have no relevance to the standalone HK2 DI library.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.glassfish.jersey.inject</groupId>
  <artifactId>jersey-hk2</artifactId>
  <version>2.48</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8588
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.glassfish\.jersey\.inject/jersey-hk2@.*$</packageUrl>
    <cpe regex="true">cpe:/a:eclipse:glassfish(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27364845519

[chadlwilson]

There are already suppression for this so there might be something wrong with your setup or version.

Please share an ODC report for your run including the evidence section so we can see what's happening here