[FP]: io.sentry:sentry matched to getsentry:sentry CPE

[wagnerlee]

Package URl

pkg:maven/io.sentry/sentry@8.16.0

CPE

cpe:2.3:a:sentry:sentry:8.41.0:::::::*

CVE

CVE-2023-36826
CVE-2026-26004
CVE-2025-53099

ODC Integration

None

ODC Version

dependency-check:12.2.0

Description

The Maven artifact io.sentry:sentry represents the Java SDK and not the Sentry platform/server product.

The reported CVEs affect the Sentry server/platform (getsentry:sentry) and are not applicable to the Java SDK artifact.

This appears to be a false positive caused by overly broad CPE matching due to the shared product name "sentry".

Please refine the CPE matching logic or provide official suppression guidance.

[github-actions]

Error parsing package url: io.sentry:sentry.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/26103214418

[github-actions]

Maven Coordinates

<dependency>
  <groupId>io.sentry</groupId>
  <artifactId>sentry</artifactId>
  <version>8.16.0</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8519
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.sentry/sentry@.*$</packageUrl>
    <cpe>cpe:/a:getsentry:sentry:</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/26103369182

[github-actions]

Maven Coordinates

<dependency>
  <groupId>io.sentry</groupId>
  <artifactId>sentry</artifactId>
  <version>8.16.0</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8519
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.sentry/sentry@.*$</packageUrl>
    <cpe>cpe:/a:getsentry:sentry:</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/26103552042

[chadlwilson]

The CVEs you linked don't have CPE matches to sentry, so im not sure they are coming from there, and our automation cannot replicate a CPE match (at least not via the CLI)

Please share your HTMl or JSON report or a way to replicate.

[wagnerlee]

dependency-check-report.html

Thanks for checking.

Report attached.

[chadlwilson]

The CPE in your issue is wrong, as are the list of CVEs - please fix them to match the report.

It's important that you refer to the CPE as reported correctly, as well any CVEs you are referring to as examples.