[FP]: CVE-2026-54133 is for PHP, not Java

[marcelstoer]

Package URl

pkg:maven/com.amazonaws/jmespath-java@1.11.277

CPE

cpe:2.3:a:jmespath:jmespath:1.11.277:*:*:*:*:*:*:*

CVE

CVE-2026-54133

ODC Integration

None

ODC Version

12.2.2

Description

The NVD has a correct CPE for the affected package: cpe:2.3:a:jmespath:jmespath:*:*:*:*:*:php:*:* (< 2.9.1). We match this against a Java package.

Related to #7139.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>jmespath-java</artifactId>
  <version>1.11.277</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8617
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.amazonaws/jmespath-java@.*$</packageUrl>
    <cpe regex="true">cpe:/a:jmespath:jmespath(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27673085639

[chadlwilson]

Should be fixed/suppressed now