patch to remove additional false positives due to SCM entries in the pom

Former-commit-id: 7f889606bf9ece29121a14167b01ad6f5b93df76
2026-01-14 07:43:40 +01:00 · 2014-05-10 06:59:34 -04:00
parent a59c8908f0
commit c55efddc81
1 changed files with 3 additions and 1 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -138,7 +138,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            "include-resource",
            "embed-dependency",
            "ipojo-components",
-            "ipojo-extension");
+            "ipojo-extension",
+            "eclipse-sourcereferences");
    /**
     * item in some manifest, should be considered medium confidence.
     */
@@ -764,6 +765,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                            && !key.endsWith("class-path")
                            && !key.endsWith("-scm") //todo change this to a regex?
                            && !key.startsWith("scm-")
+                            && !value.trim().startsWith("scm:")
                            && !isImportPackage(key, value)
                            && !isPackage(key, value)) {