Black Duck scanner flags non-existent jQuery 2.0.0 library


I scanned an old .NET 4.7.2 web application with the Synopsys Black Duck scanner. It found a high Security Risk in the library jQuery 2.0.0. However, this version of the jQuery library does not exist in this project; it was upgraded to jQuery 3.6.1.

If I click "Source" in the Black Duck report, it tells me that it was referred by Microsoft jQuery Unobtrusive Validation 4.0.0 as a "Transitive Dependency" and "Dynamically Linked", see image below.

(Image: Transitive Dependency)

Looking into it, I see that the jQuery Unobtrusive Validation NuGet package installs jQuery only if no jQuery is installed. Looking into the code of the package, I see that it doesn't come with jQuery files. Would it be valid to mitigate this vulnerability as a "false positive"? Why does Black Duck even flag it?
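One way to support a false-positive decision is to check whether the flagged version is actually declared in the project or physically shipped under it, rather than only inferred from the package graph. This is an added example, not part of the question; the project layout (a classic-style packages.config plus a Scripts folder) and the file contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample project (not from the original post): packages.config declares
# jQuery 3.6.1 and the Unobtrusive Validation package; only a 3.6.1 script is shipped.
SAMPLE_FILES = {
    "packages.config": (
        '<?xml version="1.0" encoding="utf-8"?>\n<packages>\n'
        '  <package id="jQuery" version="3.6.1" targetFramework="net472" />\n'
        '  <package id="Microsoft.jQuery.Unobtrusive.Validation" version="4.0.0" targetFramework="net472" />\n'
        '</packages>\n'
    ),
    "Scripts/jquery-3.6.1.js": "/*! jQuery v3.6.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n",
    "Scripts/jquery.validate.unobtrusive.js": "// Unobtrusive validation plugin (constructed stub, no jQuery core inside)\n",
}

PKG_RE = re.compile(r'<package\s+id="([^"]+)"\s+version="([^"]+)"')
# Matches both the minified banner ("jQuery v2.0.0") and the full one ("jQuery JavaScript Library v2.0.0").
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")

def declared_packages(root: Path) -> dict:
    """Package ids and versions declared in packages.config."""
    text = (root / "packages.config").read_text(encoding="utf-8")
    return {pid: ver for pid, ver in PKG_RE.findall(text)}

def shipped_jquery_versions(root: Path) -> set:
    """Versions stated in the banner of every jquery*.js actually present in the tree."""
    found = set()
    for js in root.rglob("jquery*.js"):
        head = js.read_text(encoding="utf-8", errors="replace")[:300]
        m = BANNER_RE.search(head)
        if m:
            found.add(m.group(1))
    return found

def scanner_finding_is_present(root: Path, flagged_version: str) -> bool:
    """True if the version the scanner flagged is either declared or physically shipped."""
    declared = declared_packages(root).get("jQuery")
    return flagged_version == declared or flagged_version in shipped_jquery_versions(root)

def build_sample_project() -> Path:
    """Materialise the constructed sample tree in a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="bd_check_"))
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root
```

Run `scanner_finding_is_present(Path("path/to/project"), "2.0.0")` against the real checkout; a `False` result, together with the declared and shipped versions, is the evidence to attach to the false-positive triage note.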
