From 4510477f0648167463679aa8d773210802c5e895 Mon Sep 17 00:00:00 2001
From: Catherine Redfield
Date: Thu, 13 Nov 2025 14:51:32 -0500
Subject: [PATCH] doc(flyway): GHSA-m494-w24q-6f7w mssql-jdbc version matching issue similar to https://github.com/wolfi-dev/advisories/pull/25255
Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/36003
---
 flyway.advisories.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/flyway.advisories.yaml b/flyway.advisories.yaml
index 58eca8bd06..1c7835bc20 100644
--- a/flyway.advisories.yaml
+++ b/flyway.advisories.yaml
@@ -65,6 +65,13 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/flyway/drivers/mssql-jdbc-12.10.2.jre11.jar
 scanner: grype
+ - timestamp: 2025-11-13T19:47:50Z
+ type: false-positive-determination
+ data:
+ type: vulnerable-code-not-included-in-package
+ note: |
+ The affected component's suffix is non-standard for Maven parsing. It supports "." as a delimiter, but treats jre11 as an unknown qualifier that sorts after known ones (alpha, beta, rc, ga, etc.), which breaks version matching. This vulnerability was resolved in flyway 11.16.0 and above[1].
+ [1] https://documentation.red-gate.com/flyway/release-notes-and-older-versions/release-notes-for-flyway-engine
 - id: CGA-7vrc-vhf3-9f48
 aliases:
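Review bot: The added `note` says the vulnerability "was resolved in flyway 11.16.0 and above", which describes a fix with a version boundary, yet the event is recorded as `type: false-positive-determination` with `vulnerable-code-not-included-in-package`. As far as I know a false-positive event carries no version bound, so it would also suppress the grype finding for any earlier flyway build that bundled an affected mssql-jdbc jar; if such builds exist, a `type: fixed` event with `fixed-version:` set to the first package version that ships the patched driver would be the more accurate record. If the intent really is a scanner mismatch on the `.jre11` qualifier, the note should name the mssql-jdbc version that fixes GHSA-m494-w24q-6f7w and state that 12.10.2 is at or above it, and `vulnerable-code-version-not-used` looks like a closer determination type than "not included in package", since the jar is present at the detected location. The advisory entry begins above the hunk, so its earlier events are not visible here.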