fix(fp): allow stricter matching of suppression CPE 2.2 URI prefixes to only whole parts #8548

Open

chadlwilson wants to merge 1 commit into dependency-check:main from chadlwilson:feat-allow-strict-cpe-part-matches

Conversation

chadlwilson (Collaborator) commented May 25, 2026

Description of Change

Follows up on #8509 to allow rules with a trailing : to indicate that a strict match of the last part is intended, rather than potentially matching only a substring of the part (usually an application name). Without this, we'd also need to correct all of the base suppressions to regex, as done in #8522.

e.g.

    <suppress base="true">
        <notes><![CDATA[
        obvious fp - currently not returning any CVEs
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/javax\.xml\.bind/jaxb\-api@.*$</packageUrl>
        <cpe>cpe:/a:oracle:java_se:</cpe>
    </suppress>

The main goal, as with #8509, is to reduce false negatives from other products with the same "prefix" in the name.

Some CpeIdentifiers don't include the version at all, which made the changes in #8509 fail to suppress some VulnerableSoftwareIdentifiers.

This change

  • allows us to avoid needing regex
  • when using regex, memoize the pattern to avoid O(n^2) regex compiling during matching.
    • makes PropertyType immutable to do so

I can split up the regex stuff if preferred; I kept them together since they both touch the same tests.

Related issues

Have test cases been added to cover the new functionality?

yes

Matching rules with a trailing : indicate a strict match of the last part is intended; rather than potentially matching only a substring of the part (usually an application name)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
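To make the two matching modes from the description concrete, here is a small added Python illustration (not code from dependency-check, and not the author's Java implementation). It implements the semantics as read from the description above: a bare rule is a plain prefix match, a rule with a trailing : requires the last part to be a whole part while still matching identifiers that carry no version, and a regex rule compiles its pattern once and reuses it. The sample CPE identifiers and the names cpe_prefix_matches, compiled_pattern and suppressed are constructed for this example.

```python
import re
from dataclasses import dataclass
from functools import lru_cache
from typing import Iterable, List

# Constructed sample identifiers (not taken from the PR). The last two stand in
# for "other products with the same prefix in the name" that a bare prefix
# rule would wrongly suppress.
SAMPLE_IDENTIFIERS = [
    "cpe:/a:oracle:java_se:8.0",
    "cpe:/a:oracle:java_se",               # identifier with no version part
    "cpe:/a:oracle:java_se_embedded:8.0",
    "cpe:/a:oracle:java_server:1.0",
]

_compile_calls = 0


@lru_cache(maxsize=None)
def compiled_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile a rule's regex once and reuse it for every identifier checked.

    Without the cache the same rule is recompiled for every identifier it is
    compared against, which is the repeated compiling the PR description
    describes as O(n^2) during matching.
    """
    global _compile_calls
    _compile_calls += 1
    return re.compile(pattern)


def compile_call_count() -> int:
    """How many times compiled_pattern actually compiled a regex (for the demo)."""
    return _compile_calls


def cpe_prefix_matches(rule: str, identifier: str) -> bool:
    """CPE 2.2 URI prefix matching with an optional part boundary.

    Plain rule:         the identifier must start with the rule text, so
                        'cpe:/a:oracle:java_se' also matches 'java_se_embedded'.
    Trailing ':' rule:  the last rule part must be a whole part. The identifier
                        must either equal the rule minus the colon (identifiers
                        that carry no version) or start with the rule including
                        the colon.
    """
    if rule.endswith(":"):
        whole = rule[:-1]
        return identifier == whole or identifier.startswith(rule)
    return identifier.startswith(rule)


@dataclass(frozen=True)
class PropertyType:
    """Immutable rule value; frozen so a compiled pattern can safely be cached by value."""
    value: str
    regex: bool = False

    def matches(self, identifier: str) -> bool:
        if self.regex:
            # Whole-string match, like Java's Matcher.matches().
            return compiled_pattern(self.value).fullmatch(identifier) is not None
        return cpe_prefix_matches(self.value, identifier)


def suppressed(rule: PropertyType, identifiers: Iterable[str]) -> List[str]:
    """Return the identifiers the rule would suppress, in input order."""
    return [ident for ident in identifiers if rule.matches(ident)]


PREFIX_RULE = PropertyType("cpe:/a:oracle:java_se")
STRICT_RULE = PropertyType("cpe:/a:oracle:java_se:")
REGEX_RULE = PropertyType(r"cpe:/a:oracle:java_se(:.*)?", regex=True)

if __name__ == "__main__":
    for name, rule in [("prefix", PREFIX_RULE), ("strict", STRICT_RULE), ("regex", REGEX_RULE)]:
        print(f"{name:>6}: {suppressed(rule, SAMPLE_IDENTIFIERS)}")
    # Many comparisons against the regex rule still compile the pattern once.
    suppressed(REGEX_RULE, SAMPLE_IDENTIFIERS * 100)
    print("regex compiled", compile_call_count(), "time(s)")
```

The prefix rule suppresses all four sample identifiers, including the two unrelated products; the strict rule and the equivalent regex both suppress only the two java_se identifiers, with or without a version. Running the regex rule over the identifiers many times leaves the compile count at one, which is the memoization the PR adds to PropertyType.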
@boring-cyborg boring-cyborg Bot added core changes to core tests test cases labels May 25, 2026
@chadlwilson chadlwilson requested a review from Copilot May 25, 2026 05:45
Copilot AI (Contributor) left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Refactors suppression/hint property handling by making PropertyType immutable with factory helpers and cached regex compilation, and updates suppression matching logic/tests accordingly.

Changes:

  • Make PropertyType immutable, add factory methods, and memoize compiled regex patterns.
  • Adjust SAX handlers to construct PropertyType via constructor instead of setters.
  • Refine CPE suppression matching semantics (prefix + optional “part boundary” via trailing :) and update/add tests.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

File | Description
core/src/main/java/org/owasp/dependencycheck/xml/suppression/PropertyType.java | Makes PropertyType immutable, adds factories, caches compiled regex
core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java | Updates suppression XML parsing to new PropertyType construction
core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java | Updates hint XML parsing to new PropertyType construction
core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java | Refactors identifier matching + CPE prefix/part-boundary behavior
core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java | Updates suppression rule tests + adds GAV/PURL matching test
core/src/test/java/org/owasp/dependencycheck/xml/suppression/PropertyTypeTest.java | Updates tests for new matching & regex compilation failure behavior
core/src/test/java/org/owasp/dependencycheck/analyzer/UnusedSuppressionRuleAnalyzerTest.java | Reformats and modernizes helper usage / PropertyType creation

jeremylong (Collaborator) left a comment

LGTM
