tbroyer, CVEs reported without version, and/or never updated to limit their CPEs to exclude versions where the vulnerability is fixed;
and now I get false positives every single time I update that dependency 😭
(in this case, specifically, Keycloak's CVE-2022-1438 and CVE-2023-0105, both still reported on version 22.0.4 by Dependency Track; the GitHub Advisories have the accurate information, but not the NVD 😡)