Description
Precondition
- I checked the issues list for existing open or closed reports of the same problem.
Describe the bug
When running dependency-check against my Python (poetry) project, certain dependencies, for example snowflake-snowpark-python, seem to lead to vulnerabilities in Python with the same version being reported.
Version of dependency-check used
The problem occurs using version 12.1.5 of the cli.
Log file
In the log file I do see lines like the following:
```
2025-09-24 15:25:34,075 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(kafka\-python2 kafka\-pythonv2 kafka\-python) AND vendor:(kafka\-python)
...
2025-09-24 15:25:34,126 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(snowflake\-connector\-python snowflake\-connector\-pythonv3 snowflake\-connector\-python3) AND vendor:(snowflake\-connector\-python)
...
2025-09-24 15:25:34,127 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(snowflake\-snowpark\-pythonv1 snowflake\-snowpark\-python snowflake\-snowpark\-python1) AND vendor:(snowflake\-snowpark\-python)
```
Those lead me to believe that perhaps Python is somehow handled in a special way, perhaps due to some operating system packages being called python, python3, python311 and so on. Maybe there's some confusion there?
To Reproduce
Analyse a poetry.lock containing for example snowflake-snowpark-python as a dependency:
```toml
[[package]]
name = "snowflake-snowpark-python"
version = "1.39.0"
description = "Snowflake Snowpark for Python"
optional = false
python-versions = "<3.14,>=3.9"
groups = ["main"]
files = [
    {file = "snowflake_snowpark_python-1.39.0-py3-none-any.whl", hash = "sha256:ca4e99fae16ef0a95d25c5c74d57e1bc0f0cf77f63a5fc86de3a7acbc8db0fca"},
    {file = "snowflake_snowpark_python-1.39.0.tar.gz", hash = "sha256:0eba7a6d3b6c86c06b9539059b60d1aec4fec45b409ddb68c7e96b9ee11421ef"},
]

[package.dependencies]
cloudpickle = ">=1.6.0,<2.1.0 || >2.1.0,<2.2.0 || >2.2.0,<=3.1.1"
protobuf = ">=3.20,<6.32"
python-dateutil = "*"
pyyaml = "*"
setuptools = ">=40.6.0"
snowflake-connector-python = ">=3.17.0,<4.0.0"
typing-extensions = ">=4.1.0,<5.0.0"
tzlocal = "*"
wheel = "*"

[package.extras]
development = ["cachetools", "coverage", "decorator", "graphviz", "lxml", "matplotlib", "openpyxl", "pre-commit", "psutil", "pytest (<8.0.0)", "pytest-assume", "pytest-cov", "pytest-timeout", "pytest-xdist", "snowflake.core (>=1.0.0,<2)", "sphinx (==5.0.2)", "tox", "wrapt"]
localtest = ["pandas", "requests"]
modin = ["ipywidgets", "modin (>=0.35.0,<0.37.0)", "pandas (<=2.3.1)", "snowflake-connector-python[pandas] (>=3.17.0,<4.0.0)", "tqdm"]
modin-development = ["cachetools", "coverage", "decorator", "graphviz", "ipywidgets", "lxml", "matplotlib", "modin (>=0.35.0,<0.37.0)", "openpyxl", "pandas (<=2.3.1)", "plotly (<6.0.0)", "pre-commit", "psutil", "pytest (<8.0.0)", "pytest-assume", "pytest-cov", "pytest-timeout", "pytest-xdist", "ray", "s3fs", "scikit-learn", "scipy", "snowflake-connector-python[pandas] (>=3.17.0,<4.0.0)", "snowflake-ml-python (>=1.8.0) ; python_version < \"3.12\"", "snowflake.core (>=1.0.0,<2)", "sphinx (==5.0.2)", "statsmodels", "tox", "tqdm", "wrapt"]
opentelemetry = ["opentelemetry-api (>=1.0.0,<2.0.0)", "opentelemetry-sdk (>=1.0.0,<2.0.0)"]
pandas = ["snowflake-connector-python[pandas] (>=3.17.0,<4.0.0)"]
secure-local-storage = ["snowflake-connector-python[secure-local-storage] (>=3.17.0,<4.0.0)"]
```

Observe that Vulnerabilities that seem to have nothing to do with these packages end up in the report, for example:
Expected behavior
I expect only to get Vulnerabilities as a result that have to do with the actual Python packages, not with ancient Python versions.
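Until the matcher itself is fixed, the practical workaround is a dependency-check suppression file that removes only the interpreter CPE from the affected PyPI packages, so that any genuine CVEs for those packages keep being reported. The script below is an added example written for this issue, not code from dependency-check or from the reporter: it scans a JSON report for dependencies whose package URL is a PyPI purl but whose matched identifier is the CPython interpreter CPE, and renders a suppression file for them. It assumes (labelled in the code) that the report layout (`dependencies[].packages[].id` holding a purl, `dependencies[].vulnerabilityIds[].id` holding a CPE 2.3 string) and the suppression schema URL are those of dependency-check 12.x, and that the "Python" vulnerabilities the reporter sees come from the `python:python` CPE, which the page does not show explicitly. The embedded report is constructed, not real scanner output.

```python
"""Triage dependency-check matches of PyPI packages to the CPython interpreter
CPE and emit a suppression file for them.

Added example for this issue; not part of dependency-check itself.
Assumptions: the JSON report fields and the suppression schema URL below
follow dependency-check 12.x as understood by the example's author; the
sample report is constructed, not real scanner output.
"""
import json
import re
import xml.etree.ElementTree as ET

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed sample report (assumed field layout): one PyPI package wrongly
# matched to the interpreter CPE, one PyPI package matched to its own CPE, and
# one OS package that legitimately IS the interpreter and must not be touched.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "snowflake-snowpark-python:1.39.0",
            "packages": [{"id": "pkg:pypi/snowflake-snowpark-python@1.39.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:python:python:1.39.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-0000-0001"}],
        },
        {
            "fileName": "protobuf:5.29.0",
            "packages": [{"id": "pkg:pypi/protobuf@5.29.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:google:protobuf:5.29.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-0000-0002"}],
        },
        {
            "fileName": "python3-3.11.4.rpm",
            "packages": [{"id": "pkg:rpm/python3@3.11.4"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:python:python:3.11.4:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-0000-0003"}],
        },
    ]
})


def cpe_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string, or None.
    Escaped colons inside components are not handled; vendor/product names
    in NVD do not use them in practice."""
    parts = cpe.split(":")
    # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4]


def find_interpreter_false_positives(report_json):
    """Dependencies identified by a PyPI purl but matched to vendor 'python',
    product 'python' (the interpreter). A PyPI distribution is never the
    interpreter, so the match is spurious whatever version coincided."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", [])
                 if p.get("id", "").startswith("pkg:pypi/")]
        if not purls:
            continue  # OS packages such as python3.rpm may legitimately match
        for vid in dep.get("vulnerabilityIds", []):
            if cpe_vendor_product(vid.get("id", "")) == ("python", "python"):
                hits.append({
                    "fileName": dep.get("fileName"),
                    "purl": purls[0],
                    "cpe": vid["id"],
                    "cves": sorted(v["name"] for v in dep.get("vulnerabilities", [])),
                })
    return hits


def purl_to_regex(purl):
    """Version-agnostic packageUrl regex so the suppression survives upgrades."""
    base = purl.split("@", 1)[0]
    return "^" + re.escape(base) + "@.*$"


def build_suppressions(hits):
    """Render a suppression file that drops only the interpreter CPE per
    affected package; other CPEs and CVEs for that package still report."""
    ET.register_namespace("", SUPPRESSION_NS)
    root = ET.Element("{%s}suppressions" % SUPPRESSION_NS)
    for h in hits:
        s = ET.SubElement(root, "{%s}suppress" % SUPPRESSION_NS)
        ET.SubElement(s, "{%s}notes" % SUPPRESSION_NS).text = (
            "False positive: PyPI package matched to the CPython interpreter CPE (%s)" % h["cpe"])
        ET.SubElement(s, "{%s}packageUrl" % SUPPRESSION_NS, regex="true").text = purl_to_regex(h["purl"])
        ET.SubElement(s, "{%s}cpe" % SUPPRESSION_NS).text = "cpe:/a:python:python"
    return ET.tostring(root, encoding="unicode")


def suppression_covers(xml_text, purl):
    """Self-check: does any packageUrl regex in the rendered file match a purl?
    (Python fullmatch stands in for the Java regex match the tool performs.)"""
    root = ET.fromstring(xml_text)
    return any(re.fullmatch(pu.text, purl)
               for pu in root.iter("{%s}packageUrl" % SUPPRESSION_NS))


if __name__ == "__main__":
    found = find_interpreter_false_positives(SAMPLE_REPORT)
    for h in found:
        print("%s -> %s (%s)" % (h["purl"], h["cpe"], ", ".join(h["cves"])))
    print(build_suppressions(found))
```

Point the CLI at the generated file with `--suppression <file>` and re-run; the interpreter CVEs should disappear from the snowpark entry while anything matched through the package's own CPE remains. Review each suppressed CVE name once before committing the file, since a blanket CPE suppression is only safe when the CPE really is the interpreter's and not a legitimate product identifier.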