Jim,
You are exactly correct with what is happening and yes, this is expected behavior. As the dependency-check team does not maintain a vulnerability database, the tool relies on the NVD, we made the choice to report false positives like this as it is easy for a human to look at this and determine if there is a real issue. The "all previous versions" is always problematic when major version numbers change; for some projects it is a completely different code base (see Axis and Struts) and for others it is not. We have hard coded workarounds for Axis and Struts; but these are currently the only two.
After looking at this we should be able to filter this out with a slightly more complicated matching algorithm. I just opened a ticket,
issue #180, for an enhancement request.
Best Regards,
Jeremy