Hi Mike,

Thanks for noting this finding with H2. Unfortunately there are a large number of dependencies with associated vulnerability findings, many of which are false positives.

The OWASP suppressions configuration includes a note for this specific vulnerability:

https://github.com/apache/nifi/blob/main/nifi-dependency-check-maven/suppressions.xml#L23

I have considered running the OWASP dependency check as a scheduled job in GitHub Actions, which would highlight findings, and also indicate suppressions based on project evaluation. It seems like that could be useful for these types of scenarios.

Regards,
David Handermann

On Thu, Jun 22, 2023 at 9:09 AM Mike Thomsen <mikerthom...@gmail.com> wrote:
> A colleague found this "CVE" report for H2. I agree with the H2 devs that
> it's a big joke of a CVE, but it's something we might want to add something
> to the documentation to discuss because it could cause grief for our users.
>
> https://github.com/h2database/h2database/issues/3686
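A scheduled GitHub Actions workflow of the kind David describes, as an added illustration that is not part of this thread or the NiFi repository; only the suppressions file path comes from the thread, while the Maven invocation, plugin properties, Java version and CVSS failure threshold are assumptions:

```yaml
# Added illustration (not NiFi project code): a scheduled OWASP dependency-check
# run. Assumptions: Maven build, Java 17, the dependency-check-maven plugin and
# its suppressionFiles/failBuildOnCVSS/formats properties; the suppressions file
# path is the one linked in the thread.
name: dependency-check

on:
  schedule:
    - cron: "0 6 * * *"   # daily, so fresh NVD data is evaluated against a known build
  workflow_dispatch:       # manual run when triaging a newly reported finding

permissions:
  contents: read

jobs:
  owasp:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"

      # The suppressions file records the project's evaluation of each finding
      # (for example the H2 entry noted in the thread), so the job only fails on
      # findings the project has not already assessed as false positives.
      - name: Run OWASP dependency-check
        run: >
          mvn -B org.owasp:dependency-check-maven:check
          -DsuppressionFiles=nifi-dependency-check-maven/suppressions.xml
          -DfailBuildOnCVSS=7
          -Dformats=HTML,JSON

      # Keep the report on every run so suppressed findings can be reviewed too,
      # not only the ones that failed the build.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: dependency-check-report
          path: "**/target/dependency-check-report.*"
```

The suppressed entries still appear in the generated report, which is what makes the job useful for showing a reviewer why a reported CVE was judged not to apply.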