
Fix false positives in Java dependencies#328

Open
vgaidarji wants to merge 1 commit into neuvector:main from vgaidarji:fix-false-positives-for-java

Conversation

@vgaidarji

What has been done

Fixed false positives in Java dependencies caused by jar: shortcut logic

See neuvector/neuvector#2205 for more details.

How to test

1. Build scanner with the fix from PR.
2. Run scanner against dockerized demo Java project https://github.com/vgaidarji/demo-java-service-neuvector-issue/blob/main/README.md#how-to-reproduce-the-issue-locally.
3. Confirm no false positives are reported. False positives can be found in https://github.com/vgaidarji/demo-java-service-neuvector-issue/blob/main/neuvector-scanner-patch/neuvector-scan-report.md#jar-level-vulnerabilities-all-false-positives

False Positive example: jar:common -- 4 JARs flagged

| Flagged JAR file | Actual library | Scanner identified as |
|---|---|---|
| opentelemetry-common-1.59.0.jar | io.opentelemetry:opentelemetry-common | jar:common |
| opentelemetry-exporter-common-1.59.0.jar | io.opentelemetry:opentelemetry-exporter-common | jar:common |
| opentelemetry-exporter-otlp-common-1.59.0.jar | io.opentelemetry:opentelemetry-exporter-otlp-common | jar:common |
| opentelemetry-sdk-common-1.59.0.jar | io.opentelemetry:opentelemetry-sdk-common | jar:common |

CVEs incorrectly matched:

| CVE | Severity | Actually affects | Description |
|---|---|---|---|
| CVE-2024-46985 | High | DataEase (data visualization tool) | XXE injection in static resource upload interface. Fixed in DataEase v2.10.1 |
| CVE-2024-46997 | High | DataEase (data visualization tool) | RCE via H2 JDBC connection parameter injection. Fixed in DataEase v2.10.1 |

Why it's false: These OpenTelemetry JARs lack `pom.properties`. The scanner falls back to `MANIFEST.MF`, extracts the generic `Implementation-Title` "common", defaults the vendor to "jar", producing the lookup key `jar:common`. This collides with the CVE database shortcut key `jar:common` generated from a completely unrelated DataEase artifact.
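To make the collision concrete, here is an added example in Go (the scanner's own language); it is not code from this PR or from the NeuVector scanner. It parses a constructed `MANIFEST.MF` carrying the generic title described above, derives the `jar:common` shortcut key the way the description explains, looks it up in a constructed stand-in for the CVE shortcut index, and contrasts it with a hypothetical filename-derived key that does not collide. The vendor header `Implementation-Vendor-Id`, the `fileNameKey` alternative, the manifest body and the index contents are all assumptions made for this example, not the PR's change.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// parseManifest reads a JAR MANIFEST.MF body into a header map.
// Format assumptions: "Name: value" lines, CRLF or LF endings, and a line
// starting with a single space continues the previous value (the 72-byte
// line-wrapping rule of the manifest format).
func parseManifest(raw string) map[string]string {
	headers := map[string]string{}
	last := ""
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimRight(line, "\r")
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, " ") && last != "" {
			headers[last] += line[1:] // continuation of the previous header
			continue
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		last = strings.TrimSpace(name)
		headers[last] = strings.TrimSpace(value)
	}
	return headers
}

// shortcutKey reproduces the key derivation the PR description blames:
// with no pom.properties the name comes from Implementation-Title and the
// vendor falls back to "jar". Using Implementation-Vendor-Id as the vendor
// source is an assumption of this example.
func shortcutKey(m map[string]string) string {
	vendor := m["Implementation-Vendor-Id"]
	if vendor == "" {
		vendor = "jar"
	}
	return vendor + ":" + m["Implementation-Title"]
}

// fileNameKey is a hypothetical, more specific key (not the PR's fix): the
// artifact id is taken from the JAR filename, which the flagged jars carry
// in full, with the manifest version stripped off the end.
func fileNameKey(jarPath string, m map[string]string) string {
	base := strings.TrimSuffix(filepath.Base(jarPath), ".jar")
	if v := m["Implementation-Version"]; v != "" {
		base = strings.TrimSuffix(base, "-"+v)
	}
	vendor := m["Implementation-Vendor-Id"]
	if vendor == "" {
		vendor = "jar"
	}
	return vendor + ":" + base
}

// shortcutDB is a constructed stand-in for the CVE shortcut index, keyed
// as the PR table shows the colliding entry.
var shortcutDB = map[string][]string{
	"jar:common": {"CVE-2024-46985", "CVE-2024-46997"},
}

func lookup(key string) []string { return shortcutDB[key] }

// otelCommonManifest is a constructed manifest for a jar with a generic
// title, no vendor id, and one wrapped header line.
const otelCommonManifest = "Manifest-Version: 1.0\r\n" +
	"Implementation-Title: common\r\n" +
	"Implementation-Version: 1.59.0\r\n" +
	"Automatic-Module-Name: io.opentelemetry.exporter.ot\r\n" +
	" lp.common\r\n"

func main() {
	jar := "/app/lib/opentelemetry-exporter-otlp-common-1.59.0.jar"
	m := parseManifest(otelCommonManifest)
	for _, k := range []string{shortcutKey(m), fileNameKey(jar, m)} {
		fmt.Printf("%-45s -> %v\n", k, lookup(k))
	}
}
```

Running it shows `jar:common` matching both DataEase CVEs while the filename-derived key matches nothing, which is the whole false-positive mechanism in one lookup.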

@vgaidarji vgaidarji requested a review from a team as a code owner February 12, 2026 09:00
@vgaidarji (Author)

@williamlin-suse hi. Would you mind reviewing the proposed fix? CI is currently also blocked until you formally approve; not sure if CI even passes. Thank you.
