One of our components is detected by IQ-Server as me.yogendra:api-demo:1.0.1 and it seems the evaluation of the component is done using me.yogendra:api-demo:1.0.1 instead of our own component.
For example, CVE-2020-10683 is detected on this component but the dom4j dependency is already at v2.1.3 according to dependency:tree.
Adding a waiver to the policy “Component-Similar” makes no difference.
I seem to be stuck and I’m obviously missing something. Could someone give a pointer where I should look?