Hi Kaj,
Yes it is, we ran into the same FP for other projects containing 'tag' in their name (at least some JSF taglibs). Wanted to open up an FP issue for that, but didn't get around to doing it yet.
It definitely is an FP for your library as well.
It's likely a new CPE due to the first registered CVEs for project_tag, so now we see FPs surfacing for other projects that don't have a vulnerability (and therefore no presence in the CPE caches) and now get matched to project_tag because it is the 'best match' for the known CPEs.
Kind regards,
Hans
> On 7 Jan 2021, at 11:59, Kaj Hejer <kaj...@gmail.com> wrote:
>
> Hi
> --
> You received this message because you are subscribed to the Google Groups "Dependency Check" group.