How to waive a "similar" match


One of our components are detected by IQ-Server as me.yogendra:api-demo:1.0.1 and it seems the evaluation of the component is done using me.yogendra:api-demo:1.0.1 instead of our own component.

For example CVE-2020-10683 is detected on this component but the dom4j dependency is already at v2.1.3 according to dependency:tree.

Adding a waiver to the policy “Component-Similar” makes no difference.

I seem to be stuck and I’m obviously missing something. Could someone give i pointer where I should look?

1 Like