Hi Team,

Issue Description:
We are experiencing false positive vulnerability alerts when using el-api.jar from the official Apache Tomcat distribution (https://archive.apache.org/dist/tomcat/tomcat-11/v11.0.10/bin/) and Maven repository (https://repo.maven.apache.org/maven2/org/apache/tomcat/) with OWASP Dependency Checker.
However, the identical version of el-api.jar obtained from the javax.el repository (https://mvnrepository.com/artifact/javax.el/el-api) produces no vulnerability alerts in the same OWASP Dependency Checker analysis.

Request:
Please investigate and resolve the metadata or packaging differences causing these false positive vulnerability reports in the official Apache Tomcat el-api.jar distribution. This discrepancy is impacting our security analysis and compliance processes.

Expected Outcome:
Alignment of vulnerability scanning results between the official Apache Tomcat distribution and javax.el repository versions of el-api.jar.

Thanks and Regards,
S Sathish S
