Sonatype OSSindex update clutters notifications #1659
Unanswered · elastic-pangolin asked this question in Q&A · Replies: 0 comments
Hello everyone,
It seems Sonatype expanded their free database with some findings that are not (yet) based on concrete info and do not contain any details on mitigation or updates/fixes (which oftentimes do not exist). See the announcement by Sonatype here: https://ossindex.sonatype.org/updates-notice
This affects some widely used components, like the newest version of Flask (pkg:pypi/flask@2.1.2): https://ossindex.sonatype.org/vulnerability/sonatype-2020-0201
Are you struggling with this too? Is there a clean way to exclude these unconfirmed findings from my dependency-track or to (semi-)automatically audit them for the whole database?
I will also get in contact with Sonatype, but since we use the free access, I'm not sure there's much they will be willing to do.
Thank you for your help!
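One way to do the semi-automatic audit the post asks about, as an added example that is not part of the original post and not Dependency-Track's own code: pull a project's findings, pick out the OSS Index entries whose identifier is a Sonatype-internal `sonatype-YYYY-NNNN` id (as with `sonatype-2020-0201` above) rather than a CVE, and record an `IN_TRIAGE` analysis for each so they are separated from confirmed findings without being deleted. The endpoint paths (`GET /api/v1/finding/project/{uuid}`, `PUT /api/v1/analysis`), the `X-Api-Key` header, the finding JSON shape and the analysis request body are assumptions about Dependency-Track's REST API, not taken from the page; the sample findings and UUIDs are constructed.

```python
"""Triage helper for unconfirmed Sonatype OSS Index findings in Dependency-Track.

Added example; not code from the original post or the Dependency-Track project.
Assumed (not stated on the page): GET /api/v1/finding/project/{uuid} returns a
list shaped like SAMPLE_FINDINGS, PUT /api/v1/analysis accepts the body built by
build_analysis(), and the API key is sent in the X-Api-Key header.
"""
import json
import re
import urllib.request

# Sonatype-internal identifiers (no CVE yet), e.g. sonatype-2020-0201 from the post.
SONATYPE_ID = re.compile(r"^sonatype-\d{4}-\d+$", re.IGNORECASE)

# Constructed sample of a findings response (assumed field names).
SAMPLE_FINDINGS = [
    {   # unconfirmed OSS Index entry on Flask 2.1.2 -> should be triaged
        "component": {"uuid": "c0000000-0000-4000-8000-000000000001",
                      "purl": "pkg:pypi/flask@2.1.2"},
        "vulnerability": {"uuid": "a0000000-0000-4000-8000-000000000001",
                          "source": "OSSINDEX", "vulnId": "sonatype-2020-0201"},
        "analysis": {"state": "NOT_SET", "isSuppressed": False},
    },
    {   # CVE-backed finding (placeholder id) -> left alone
        "component": {"uuid": "c0000000-0000-4000-8000-000000000002",
                      "purl": "pkg:pypi/example@1.0.0"},
        "vulnerability": {"uuid": "a0000000-0000-4000-8000-000000000002",
                          "source": "OSSINDEX", "vulnId": "CVE-0000-0000"},
        "analysis": {"state": "NOT_SET", "isSuppressed": False},
    },
    {   # unconfirmed entry that someone already triaged -> not touched again
        "component": {"uuid": "c0000000-0000-4000-8000-000000000003",
                      "purl": "pkg:pypi/example@2.0.0"},
        "vulnerability": {"uuid": "a0000000-0000-4000-8000-000000000003",
                          "source": "OSSINDEX", "vulnId": "sonatype-2021-0001"},
        "analysis": {"state": "IN_TRIAGE", "isSuppressed": True},
    },
]


def is_unconfirmed(finding):
    """True for OSS Index findings carrying a Sonatype-internal id instead of a CVE."""
    vuln = finding.get("vulnerability") or {}
    return vuln.get("source") == "OSSINDEX" and bool(SONATYPE_ID.match(vuln.get("vulnId", "")))


def select_unconfirmed(findings):
    """Unconfirmed findings that have not been analysed yet (state missing or NOT_SET)."""
    chosen = []
    for f in findings:
        state = (f.get("analysis") or {}).get("state")
        if is_unconfirmed(f) and state in (None, "NOT_SET"):
            chosen.append(f)
    return chosen


def build_analysis(project_uuid, finding, suppress=True):
    """Body for PUT /api/v1/analysis (assumed schema): park the finding in IN_TRIAGE.

    suppress=True hides it from the default findings view; it stays in the database
    and can be revisited once Sonatype publishes details or a CVE is assigned.
    """
    return {
        "project": project_uuid,
        "component": finding["component"]["uuid"],
        "vulnerability": finding["vulnerability"]["uuid"],
        "analysisState": "IN_TRIAGE",
        "comment": "Unconfirmed Sonatype OSS Index entry %s: no details or fix published; "
                   "awaiting confirmation" % finding["vulnerability"]["vulnId"],
        "suppressed": suppress,
    }


def _request(base_url, api_key, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                 headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def triage_project(base_url, api_key, project_uuid, dry_run=True):
    """Fetch findings, build analyses for the unconfirmed ones, apply unless dry_run."""
    findings = _request(base_url, api_key, "GET", "/api/v1/finding/project/%s" % project_uuid)
    payloads = [build_analysis(project_uuid, f) for f in select_unconfirmed(findings)]
    if not dry_run:
        for p in payloads:
            _request(base_url, api_key, "PUT", "/api/v1/analysis", p)
    return payloads


if __name__ == "__main__":
    # Offline walk-through on the constructed sample; no network access.
    for p in (build_analysis("p0000000-0000-4000-8000-000000000000", f)
              for f in select_unconfirmed(SAMPLE_FINDINGS)):
        print(json.dumps(p, indent=2))
```

Run `triage_project(url, key, project_uuid)` first with the default `dry_run=True` and review the returned payloads before applying; the id pattern is the only selector, so widen it with care and keep the `IN_TRIAGE` state rather than `FALSE_POSITIVE`, since these entries may later be confirmed.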