It sounds like you are reporting that you upgraded DefectDojo in mid-April and now you are seeing different behaviour. Is that correct?
No. The new behavior started without any upgrades. I tried to fix it by upgrading, but this didn't help. But I think I found out now what changed: I had so many related findings recently because the findings were reported for org.springframework.boot:spring-boot and org.springframework:spring-core. Both have around 10 <relatedDependency> entries reported from Dependency-Check. This was different for other/older findings which were caused by different jars (not spring-boot or spring-core) and had way fewer <relatedDependency> entries. That's why the noise increased and I thought the behavior of the import changed. But actually only the vulnerable jars had changed -> and this triggered the noise. I've attached an example file stripped down to only one dependency (spring-boot in this case). This dependency has 11 <relatedDependency> entries and 8 <vulnerability> entries. It creates 96 findings for those 8 vulnerabilities when imported. IMO it would be sufficient to create 8 findings (simply on the actual <dependency>) but skip all <relatedDependency>.
OWASP Dependency-Check groups multiple jars that share the same content (identical hash) under a <relatedDependencies> block on a single dependency.
That seems to be a misconception. <relatedDependencies> does not seem to contain "multiple jars that share the same content (identical hash)" but actually contains completely different jars which are somehow related to the main vulnerable one. Is it an option to change the parser to skip all <relatedDependency> entries?
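To make the fan-out concrete, here is an added illustration (not DefectDojo's parser and not the reporter's attached file) that reads a constructed, cut-down Dependency-Check XML report and shows how many findings come out when every <relatedDependency> gets its own copy of each <vulnerability> versus when only the actual <dependency> is used. File names, paths, hashes and CVE ids in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the reporter's attachment): one vulnerable jar,
# two <relatedDependency> entries and two vulnerabilities. The real report
# carries an XML namespace; it is omitted here to keep the sample short.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis>
  <dependencies>
    <dependency>
      <fileName>spring-boot-PLACEHOLDER.jar</fileName>
      <filePath>/repo/spring-boot-PLACEHOLDER.jar</filePath>
      <sha1>PLACEHOLDER_SHA1_A</sha1>
      <relatedDependencies>
        <relatedDependency>
          <filePath>/repo/spring-boot-starter-PLACEHOLDER.jar</filePath>
          <sha1>PLACEHOLDER_SHA1_B</sha1>
        </relatedDependency>
        <relatedDependency>
          <filePath>/repo/spring-boot-autoconfigure-PLACEHOLDER.jar</filePath>
          <sha1>PLACEHOLDER_SHA1_C</sha1>
        </relatedDependency>
      </relatedDependencies>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-PLACEHOLDER-1</name></vulnerability>
        <vulnerability source="NVD"><name>CVE-PLACEHOLDER-2</name></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""


def extract_findings(xml_text, include_related=True):
    """Return one (file_path, vulnerability_name) pair per finding.

    include_related=True fans every vulnerability out over the main
    dependency plus each <relatedDependency>, which is the behaviour the
    thread describes: 8 vulnerabilities x (1 + 11 related) = 96 findings.
    include_related=False keeps only the actual <dependency>.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for dep in root.iter("dependency"):
        paths = [dep.findtext("filePath")]
        if include_related:
            paths += [r.findtext("filePath") for r in dep.iter("relatedDependency")]
        vulns = [v.findtext("name") for v in dep.iter("vulnerability")]
        findings += [(path, vuln) for path in paths for vuln in vulns]
    return findings
```

With the reporter's numbers (11 related entries, 8 vulnerabilities) the same loop yields 96 pairs, which is the noise described above.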
Hello, I'm using DD with scan_type=Dependency Check Scan to reimport scan results from the org.owasp:dependency-check-maven plugin. It worked as expected for almost a year now. But since around mid-April it produces a lot of duplicate findings for each found vulnerability. It looks to me as if one entry is created for each of the related dependencies in addition to the actual vulnerable dependency. This produces a lot of noise in DD. I already tried to update DD and the Dependency Check maven plugin to the latest versions but this didn't change anything. I didn't change my deduplication configs so I don't understand why it started to behave differently. What could be the reason for this change in behavior in April? Did any of you experience something similar and how did you fix it? Thank you.

