We have some strange data in VCIO for pkg:maven/org.apache.activemq/[email protected]. There are currently 4 VCIDS for this package:
VCID-h1ua-8jbg-aaag
VCID-ngge-wjjg-aaas
VCID-ra92-t3ms-aaaa
VCID-wcbb-1nm4-aaab
The data for VCID-wcbb-1nm4-aaab looks normal with an immediate fix: pkg:maven/org.apache.activemq/[email protected]
The other 3 are weird because the vulnerabilities are reported for ActiveMQ version 5.x, but ActiveMQ Artemis is at version 2.38 latest. According to https://activemq.apache.org/, "There are currently two "flavors" of ActiveMQ available - the well-known "classic" broker and the "next generation" broker code-named Artemis. Once Artemis reaches a sufficient level of feature parity with the "Classic" code-base it will become the next major version of ActiveMQ." So these seem to be distinctly different packages.
From looking at the NVD/CVE data I see that:
The CPE for VCID-wcbb-1nm4-aaab is: cpe:2.3:a:apache:activemq_artemis:::::::: - but -
The CPE for the other three is: cpe:2.3:a:apache:activemq::::::::.
For the latter 3 cases the CVE data refers to v5.x
From looking at the GHSA data I see references to more specific ActiveMQ (Classic) packages:
org.apache.activemq:apache-activemq: < 5.16.6; >= 5.17.0, < 5.17.4
org.apache.activemq:activemq-parent: >= 5.16.0, < 5.16.1; < 5.15.14
org.apache.activemq:activemq-client / org.apache.activemq:activemq-openwire-legacy
My take is that the three VCIDs that refer to ActiveMQ (Classic) v5.x are false positives based on a generic CPE without versions.
There are 2 follow-up items:
Do we have a bug in data collection?
How do we fix false positives like this?
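An added triage check, not code from this issue or from the VulnerableCode project: it parses CPE 2.3 formatted strings and flags a CVE-to-package binding when the CPE carries no version component, and separately when the CPE product name is a bare prefix of a sibling product under the same vendor (apache:activemq next to apache:activemq_artemis), which is exactly the pattern behind the three suspect VCIDs. The VCIDs and CPE strings are the ones quoted above; the function names, the `Binding` record and the flag labels are assumptions made for illustration.

```python
"""
Added example (not from the VCIO issue or VulnerableCode): flag
vulnerability-to-package bindings that rest on a versionless CPE or on a
product name that a more specific sibling product extends.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Field order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields.

    Splits on unescaped ':' only (a literal colon inside a field is written
    '\\:'). An empty field, as in the issue's
    'cpe:2.3:a:apache:activemq::::::::', is treated like '*' (ANY).
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    body = cpe[len("cpe:2.3:"):]
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep escape + next char
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    fields += [""] * (len(CPE_FIELDS) - len(fields))   # pad short strings
    return {name: ("*" if v in ("", "*") else v)
            for name, v in zip(CPE_FIELDS, fields[:len(CPE_FIELDS)])}


@dataclass
class Binding:
    """One vulnerability-to-package binding and the review flags raised on it."""
    vcid: str
    cpe: str
    flags: list = field(default_factory=list)


def triage(vcid: str, cpe: str, known_products: set) -> Binding:
    """Raise review flags for a single binding.

    known_products: set of (vendor, product) pairs seen across the data set;
    used to detect a sibling product that extends this product's name.
    """
    c = parse_cpe23(cpe)
    b = Binding(vcid, cpe)
    if c["version"] == "*" and c["update"] == "*":
        # Nothing in the CPE narrows the match to a version range, so the
        # binding would apply to every version of the product.
        b.flags.append("versionless-cpe")
    siblings = sorted(p for (v, p) in known_products
                      if v == c["vendor"] and p != c["product"]
                      and p.startswith(c["product"] + "_"))
    if siblings:
        # e.g. product 'activemq' while 'activemq_artemis' also exists:
        # the bare name may be the Classic broker, not the sibling.
        b.flags.append("ambiguous-product:" + ",".join(siblings))
    return b


def triage_all(bindings: list) -> dict:
    """Map each VCID to its flags, learning the vendor/product set from the input."""
    known = {(parse_cpe23(cpe)["vendor"], parse_cpe23(cpe)["product"])
             for _, cpe in bindings}
    return {vcid: triage(vcid, cpe, known).flags for vcid, cpe in bindings}


def needs_review(bindings: list) -> list:
    """VCIDs whose CPE product is shadowed by a more specific sibling product."""
    return [vcid for vcid, flags in triage_all(bindings).items()
            if any(f.startswith("ambiguous-product") for f in flags)]


# The four bindings quoted in the issue (VCIDs and CPEs from the report).
ISSUE_BINDINGS = [
    ("VCID-h1ua-8jbg-aaag", "cpe:2.3:a:apache:activemq::::::::"),
    ("VCID-ngge-wjjg-aaas", "cpe:2.3:a:apache:activemq::::::::"),
    ("VCID-ra92-t3ms-aaaa", "cpe:2.3:a:apache:activemq::::::::"),
    ("VCID-wcbb-1nm4-aaab", "cpe:2.3:a:apache:activemq_artemis::::::::"),
]

if __name__ == "__main__":
    for vcid, flags in triage_all(ISSUE_BINDINGS).items():
        print(vcid, flags or "ok")
```

Note that all four CPEs on the page are versionless, so the `versionless-cpe` flag alone does not separate the good binding from the three suspect ones; the sibling-product check does, and it is the one that `needs_review` keys on. A real importer would combine both flags with the version ranges the GHSA records carry before deciding anything.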