supress false positive in dependency-check plugin

pom.xml

@@ -52,6 +52,9 @@
 		<junit.jupiter.version>5.8.1</junit.jupiter.version>
 		<mockito.version>3.12.4</mockito.version>
 		<hamcrest.version>2.2</hamcrest.version>
+
+		<!-- build plugin dependencies -->
+		<dependency-check.version>7.0.0</dependency-check.version>
 	</properties>
 
 	<dependencies>
@@ -263,7 +266,7 @@
 				<plugin>
 					<groupId>org.owasp</groupId>
 					<artifactId>dependency-check-maven</artifactId>
-					<version>6.3.1</version>
+					<version>${dependency-check.version}</version>
 				</plugin>
 			</plugins>
 		</pluginManagement>

suppression.xml

@@ -25,4 +25,23 @@
 		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
 		<cpe regex="true">.*</cpe>
 	</suppress>
+
+	<suppress>
+		<notes><![CDATA[
+        Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git
+      ]]></notes>
+		<gav regex="true">^org\.cryptomator:.*$</gav>
+		<cpe>cpe:/a:cryptomator:cryptomator</cpe>
+		<cve>CVE-2022-25366</cve>
+	</suppress>
+
+	<suppress>
+		<notes><![CDATA[
+			False positive for commons-cli due, see https://github.com/jeremylong/DependencyCheck/pull/4148
+		]]></notes>
+		<gav regex="true">^commons\-cli:commons\-cli:.*$</gav>
+		<cpe>cpe:/a:apache:james</cpe>
+		<!-- while we are at it exclude also this fp -->
+		<cpe>cpe:/a:spirit-project:spirit</cpe>
+	</suppress>
 </suppressions>