False negative Jetty

[andyswe]

Hello,
I'm running the following test gradle project and think I have a false negative on Jetty via Dropwizard. (related to #1512 ???):

buildscript {
    repositories {
        mavenCentral()
    }
}

plugins {
    id "org.owasp.dependencycheck" version "3.3.2"
    id "java"
}
repositories {
    mavenCentral()
}

ext {
    dropwizardVersion = "1.3.1"
}

dependencies {
    compile group: 'io.dropwizard', name: 'dropwizard-core', version: dropwizardVersion
    compile group: 'io.dropwizard', name: 'dropwizard-auth', version: dropwizardVersion
}

dependencyCheck {
    format='ALL'
}

In the HTML vulnerability report I get

Scan Information (show less):
dependency-check version: 3.3.2
Report Generated On: Oct 25, 2018 at 10:11:20 +02:00
Dependencies Scanned: 92 (92 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
NVD CVE 2002: 20/10/2018 09:49:35
NVD CVE 2003: 20/10/2018 09:47:04
NVD CVE 2004: 20/10/2018 09:46:21
NVD CVE 2005: 20/10/2018 09:45:02
NVD CVE 2006: 20/10/2018 09:42:51
NVD CVE 2007: 20/10/2018 09:39:31
NVD CVE 2008: 20/10/2018 09:36:21
NVD CVE 2009: 19/10/2018 09:48:16
NVD CVE 2010: 19/10/2018 09:45:17
NVD CVE 2011: 19/10/2018 09:41:18
NVD CVE 2012: 22/10/2018 09:24:35
NVD CVE 2013: 23/10/2018 09:33:09
NVD CVE 2014: 23/10/2018 13:17:54
NVD CVE 2015: 23/10/2018 09:25:40
NVD CVE 2016: 23/10/2018 09:21:31
NVD CVE 2017: 23/10/2018 13:17:52
NVD CVE 2018: 23/10/2018 09:05:31
NVD CVE Checked: 25/10/2018 09:00:57
NVD CVE Modified: 25/10/2018 07:03:26
VersionCheckOn: 1540296866020

If I scroll down to jetty-servlets-9.4.8.v20171121.jar in the dependenct list, the following CPEs are identified for jetty-servlets-9.4.8.v20171121.jar.

cpe:/a:eclipse:jetty:9.4.8.v20171121
cpe:/a:jetty:jetty:9.4.8.v20171121

If I search the first CPE on https://nvd.nist.gov/vuln/search resulting in:

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A%2Fa%3Aeclipse%3Ajetty%3A9.4.8.v20171121&search_type=all

Thus, vulnerabilities exist for my (transitive) dependencies but the produced report is empty of vulnerabilities.
Bug? General or specific to jetty? Is it a problem with CPE 2.2 vs 2.3? Or XML/JSON format?
How can we proceed to get a true positive on jetty-servlets-9.4.8.v20171121.jar

gradle clean check dependencyCheckAnalyze -info -debug > check_issue.log in https://gist.github.com/andyswe/48b4a4934ae780c2a21cc026bc1df585

Best regards, Andreas

Details on jetty-servlets-9.4.8.v20171121.jar in the report:

jetty-servlets-9.4.8.v20171121.jar
Description:

 Utility Servlets from Jetty
License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\andreas\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlets\9.4.8.v20171121\f7b7f3d6be91f5e1a47b4d3ecaf286652b4d1332\jetty-servlets-9.4.8.v20171121.jar
MD5: 920b12079422b8f34f57815c855ecd5f
SHA1: f7b7f3d6be91f5e1a47b4d3ecaf286652b4d1332
SHA256:50ed558aac35fdb08c39d7d8c30f898d199c17e3f002a2d16521bce7325421c1
Referenced In Projects/Scopes:
owasp-test:compile
owasp-test:runtimeClasspath
owasp-test:runtime
owasp-test:default
owasp-test:compileClasspath
Evidence
Identifiers
maven: org.eclipse.jetty:jetty-servlets:9.4.8.v20171121  Confidence:Highest
cpe: cpe:/a:eclipse:jetty:9.4.8.v20171121  Confidence:Low  suppress
cpe: cpe:/a:jetty:jetty:9.4.8.v20171121  Confidence:Low  suppress

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.