The CPE for the Jenkins git plugin says the package is "git" instead of "git-jenkins-plugin" or similar. The solution would be parsing/heuristics for the vendor, though we don't really get that information from the derivation easily.
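To make the false positive concrete, here is an added example (not code from nix-security-tracker) that parses cpe:2.3 strings and contrasts product-only matching with a vendor-aware heuristic of the kind the issue proposes. The CPE strings, the inventory entries and their "upstream" hint are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cpe:
    """The cpe:2.3 fields that matter for matching (constructed, minimal)."""
    vendor: str
    product: str
    target_sw: str

def parse_cpe23(s: str) -> Cpe:
    """Split a cpe:2.3 string into its 13 fields, honouring '\\:' escapes."""
    fields, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # escaped character, keep literally
            cur += s[i + 1]; i += 2; continue
        if s[i] == ":":
            fields.append(cur); cur = ""
        else:
            cur += s[i]
        i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a cpe:2.3 string: {s!r}")
    return Cpe(vendor=fields[3], product=fields[4], target_sw=fields[10])

# Constructed nixpkgs-style inventory: derivation pname plus an "upstream" hint
# (think meta.homepage) standing in for the vendor information the derivation
# does not expose directly.
INVENTORY = [
    {"pname": "git", "upstream": "git-scm.com"},
    {"pname": "jenkins", "upstream": "jenkins.io"},
]

def naive_matches(cpe: Cpe, inventory=INVENTORY) -> list[str]:
    """Product-name-only matching: the behaviour that produced the false positive."""
    return [p["pname"] for p in inventory if p["pname"] == cpe.product]

def vendor_aware_matches(cpe: Cpe, inventory=INVENTORY) -> list[str]:
    """Also require the CPE vendor or target_sw to appear in the package metadata,
    unless the vendor is just the product name again (e.g. git:git)."""
    ctx = {cpe.vendor, cpe.target_sw} - {"*", "-", cpe.product}
    hits = []
    for p in inventory:
        if p["pname"] != cpe.product:
            continue
        if not ctx or any(c in p["upstream"] or c in p["pname"] for c in ctx):
            hits.append(p["pname"])
    return hits
```

With a plugin CPE whose vendor and target_sw are "jenkins", the naive matcher still reports nixpkgs' plain git, while the vendor-aware one does not; a CPE for upstream git matches under both.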
Good one! I wonder if we ship this plugin in nixpkgs at all, and if so, whether/how it would turn up in the system inventory.
I suspect it would be a Maven-built jar. It would be really interesting if we could improve the inventory scanning to produce groupId:artifactId product names for such resources. Then we can override the package identification information for those advisories to also use the groupId:artifactId package identification, and prefer that for matching.
So I think for the short term we might want to exclude these CVEs with #51, until the inventory is able to provide this information and we can do something less primitive.
raboof changed the title from "Wrong match on jenkins git plugin" to "False positive: wrong match on jenkins git plugin" (Dec 8, 2023)
raboof transferred this issue from Nix-Security-WG/nix-security-tracker (Sep 23, 2024)