[FP]: Java Scala libraries are flagged for multiple unrelated kafka release 3.7.0

[vinay871]

Package URl

pkg:maven/org.scala-lang:scala-compiler

CPE

cpe:2.3:a:scala-lang:scala:2.10.0:::::::, cpe:2x.3:a:scala-lang:scala-collection-compat:2.10.0::::::: cpe:2.3:a:scala-lang:scala:1.0.2:::::::*

CVE

CVE-2017-15288

ODC Integration

{"label" => "Docker"}

ODC Version

7.1.0

Description

We are getting following vulnerability (CVE) in Dependency Checker Tool findings, although as per our analysis we consider it as false positive.
CVE details and our justification for false positive is mentioned below.
Kindly check and get it fixed in Dependency Checker tool. So these false positive does not appear in scan report.

Dependency Checker tool is scanning below mentioned path /tmp/src/sdp22.11.tar/opt/EABfds/components/3rd/kafka/3.7.0/6/fast/libs/scala-collection-compat_2.13-2.10.0.jar /tmp/src/sdp22.11.tar/opt/EABfds/components/3rd/kafka/3.7.0/6/fast/libs/scala-java8-compat_2.13-1.0.2.jar

Justification: Above vulnerability does not affect the kafka version 3.7.0 as mentioned in the below kafka jira ticket.
https://issues.apache.org/jira/browse/KAFKA-12325

[github-actions]

Error parsing package url: pkg:maven/org.scala-lang:scala-compiler.

Error: Error: Invalid purl: maven requires a "namespace" component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/13236355343