False positive on Apache FOP due to mismatched cpe

[aikebah]

Apache Fop 2.3 gets identified as
cpe: cpe:/a:first_project:first:2.3 Confidence:Low
cpe: cpe:/a:apache:formatting_objects_processor:2.3 Confidence:Low
maven: org.apache.xmlgraphics:fop:2.3 ✓ Confidence:Highest

Which yields dependency check discovering the false positive for CVE-2018-10769 which is registered for cpe:/a:first_project:first:-, an Ethereum smart contract

(With DependencyCheck 4.0.0)

        <dependency>
            <groupId>org.apache.xmlgraphics</groupId>
            <artifactId>fop</artifactId>
            <version>2.3</version>
        </dependency>

Locally suppressed using:

    <suppress base="true">
        <notes><![CDATA[
        1. first_project:first is an Ethereum smart contract.
        ]]></notes>
        <filePath regex="true">.*(\.(dll|jar|ear|war|pom)|pom\.xml)$</filePath>
        <cpe>cpe:/a:first_project:first</cpe>
    </suppress>

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.