
Deepfence reports vulnerabilities from overridden dependencies in pom.xml #1422

Open
beMonika opened this issue Jul 27, 2023 · 0 comments
Labels: bug (Something isn't working), needs-triage (Indicates that issue is not yet triaged and assigned)

@beMonika

beMonika commented Jul 27, 2023

Description
False vulnerabilities from overridden dependencies are reported

Details
I have a Jenkins service running on a Linux machine. Vulnerabilities are reported in pom.xml files from the unpacked jenkins.war on the filesystem.
Let's say that in my build pom.xml I have a dependency on plugin A, which has a vulnerability present only through its dependency B. But in my build pom.xml I also define dependency B with a newer version, which overrides the version coming from dependency A. Scans now report a vulnerability in the pom.xml of dependency A from the older dependency B, which is not actually used nor present in any form on the filesystem. I also checked with the OWASP Maven dependency check, and the vulnerability is not reported there.

Example
```xml
<dependency>
  <groupId>org.jenkins-ci.plugins</groupId>
  <artifactId>badge</artifactId>
  <version>1.9.1</version>
  <type>hpi</type>
</dependency>
<dependency>
  <groupId>org.jenkins-ci.plugins</groupId>
  <artifactId>script-security</artifactId>
  <version>1244.ve463715a_f89c</version>
  <type>hpi</type>
</dependency>
```

For the badge dependency, 6 vulnerabilities are reported from its script-security dependency. However, I override script-security with a newer version which does not have vulnerabilities.

Vulnerabilities from the script-security dependency are still reported for the badge dependency, e.g. in the pom.xml on the filesystem: home/user/.jenkins/plugins/badge/META-INF/maven/org.jenkins-ci.plugins/badge/pom.xml

Expected behavior
The vulnerabilities described above are not reported.

Additional context
- agent version: 1.5.0-a455ac21-1683193637040523
- previously used agent version which did not report these vulnerabilities: 1.3.0-49a7d8a-1647345233150322
- Maven is not installed on the machine where the agent runs scans

@beMonika beMonika added bug Something isn't working needs-triage Indicates that issue is not yet triaged and assigned labels Jul 27, 2023
@beMonika beMonika changed the title Deepfence reports vulnerabilities from overriden dependencies Deepfence reports vulnerabilities from overriden dependencies in pom.xml Jul 27, 2023
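The reconciliation the reporter is asking for, as an added example that is not Deepfence's, Jenkins' or the reporter's code: a filesystem scanner reads the pom.xml shipped inside each unpacked plugin, which still names the transitive version that plugin was built against, while Maven's dependency mediation ("nearest wins") lets a version declared in the build pom's `<dependencies>` or `<dependencyManagement>` take precedence. The script below parses both poms, computes the effective version per artifact, and splits a constructed list of findings into those that apply to the resolved build and those that point at an overridden version. The build pom reuses the two declarations from the issue; the plugin pom, the older script-security version (`OLDER-VERSION-PLACEHOLDER`) and the finding ids are constructed, since the issue does not state them.

```python
"""Reconcile scanner findings from unpacked plugin pom.xml files with the
versions a build pom.xml actually declares (added example, not project code).

Maven dependency mediation is "nearest wins": a version declared in the build
pom's <dependencies> or <dependencyManagement> overrides the version a plugin's
own pom requests, so a finding keyed to the overridden version describes an
artifact that is not part of the resolved build.
"""
import xml.etree.ElementTree as ET

# Constructed build pom: the two direct declarations quoted in the issue.
BUILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.jenkins-ci.plugins</groupId><artifactId>badge</artifactId><version>1.9.1</version><type>hpi</type></dependency>
    <dependency><groupId>org.jenkins-ci.plugins</groupId><artifactId>script-security</artifactId><version>1244.ve463715a_f89c</version><type>hpi</type></dependency>
  </dependencies>
</project>"""

# Constructed pom.xml as a scanner finds it under the unpacked badge plugin's
# META-INF/maven/ directory.  The script-security version it requests is a
# placeholder; the issue does not say which older version badge was built against.
PLUGIN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.jenkins-ci.plugins</groupId><artifactId>badge</artifactId><version>1.9.1</version>
  <dependencies>
    <dependency><groupId>org.jenkins-ci.plugins</groupId><artifactId>script-security</artifactId><version>OLDER-VERSION-PLACEHOLDER</version></dependency>
  </dependencies>
</project>"""

# Constructed findings, shaped like what a filesystem scanner reports: the
# artifact/version read from the pom it found, plus the pom's path.
PLUGIN_POM_PATH = "home/user/.jenkins/plugins/badge/META-INF/maven/org.jenkins-ci.plugins/badge/pom.xml"
FINDINGS = [
    {"id": "FINDING-1", "groupId": "org.jenkins-ci.plugins", "artifactId": "script-security",
     "version": "OLDER-VERSION-PLACEHOLDER", "path": PLUGIN_POM_PATH},
    {"id": "FINDING-2", "groupId": "org.jenkins-ci.plugins", "artifactId": "badge",
     "version": "1.9.1", "path": PLUGIN_POM_PATH},
]

# {*} is ElementPath's namespace wildcard, so poms with or without the POM xmlns match.
DEP_PATHS = ("{*}dependencies/{*}dependency",
             "{*}dependencyManagement/{*}dependencies/{*}dependency")


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{ns}artifactId' -> 'artifactId'."""
    return tag.rsplit("}", 1)[-1]


def declared_versions(pom_xml: str) -> dict:
    """Map (groupId, artifactId) -> version for each dependency the pom declares
    with a literal version.  Property references (${...}) and entries that
    inherit their version are skipped rather than guessed."""
    root = ET.fromstring(pom_xml)
    out = {}
    for path in DEP_PATHS:
        for dep in root.findall(path):
            fields = {_local(c.tag): (c.text or "").strip() for c in dep}
            g, a, v = fields.get("groupId"), fields.get("artifactId"), fields.get("version")
            if g and a and v and not v.startswith("${"):
                out[(g, a)] = v
    return out


def effective_versions(build_pom: str, plugin_poms) -> dict:
    """Nearest wins: build-pom declarations take precedence; plugin poms only
    fill in artifacts the build pom does not mention (first plugin pom seen
    wins among equally deep requests, which is also Maven's tie-break)."""
    effective = declared_versions(build_pom)
    for pom in plugin_poms:
        for ga, version in declared_versions(pom).items():
            effective.setdefault(ga, version)
    return effective


def triage(findings, build_pom: str, plugin_poms) -> dict:
    """Split findings into 'applicable' (version matches the resolved build)
    and 'overridden' (the build resolves that artifact to another version).
    Artifacts the build pom never resolves are kept as applicable: absence of
    an override is not evidence the finding is wrong."""
    effective = effective_versions(build_pom, plugin_poms)
    applicable, overridden = [], []
    for f in findings:
        resolved = effective.get((f["groupId"], f["artifactId"]))
        if resolved is not None and resolved != f["version"]:
            overridden.append({**f, "resolved_version": resolved})
        else:
            applicable.append(f)
    return {"applicable": applicable, "overridden": overridden}


if __name__ == "__main__":
    result = triage(FINDINGS, BUILD_POM, [PLUGIN_POM])
    for f in result["overridden"]:
        print(f"{f['id']}: {f['artifactId']} {f['version']} in {f['path']} "
              f"is overridden by {f['resolved_version']} in the build pom")
    for f in result["applicable"]:
        print(f"{f['id']}: {f['artifactId']} {f['version']} applies to the resolved build")
```

The split is only as good as the build pom handed in: it must be the root pom that actually produced the deployment (including any `<dependencyManagement>` it inherits from a parent), and findings for artifacts the build pom never resolves stay applicable rather than being silently dropped.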