Bug on CVE-2009-2704 and CVE-2009-2705 in SiteMinder J2EE

[gobiltd]

Describe the bug
As per NVD description , these CVE-2009-2704 and CVE-2009-2705 should be valid if we have combination of cpe:2.3:a:sun:j2ee:::::::: and cpe:2.3:a:broadcom:siteminder:::::::: in scanned project. However, the CVE-2009-2704 and CVE-2009-2705 is getting reported even if we have only one of the matching CPE (cpe:2.3:a:sun:j2ee::::::::) related jar

Version of dependency-check used
The problem occurs using version 8.2.1 of the CLI.

To Reproduce
Steps to reproduce the behavior:

• Download any jar named *j2ee.jar and run the OWASP DC CLI - 8.2.1.
• Reporting CVE-2009-2705 and CVE-2009-2704 will be reported due to CPE "cpe:2.3:a:sun:j2ee::::::::"

Expected behavior

• CVE-2009-2705 and CVE-2009-2704 configuration having AND condition (multiple CPEs assigned), but with one CPE "cpe:2.3:a:sun:j2ee::::::::" also artifact is listing these CVE's.

[jeremylong]

The AND/OR configurations have not been implemented as ODC does not always have the information required to evaluate these.

[aikebah]

Also note that ODC 8.2.1 is outdated and unsupported. You should update to 10.x