
Clair unable to match Tomcat Embed Core to vulnerabilities


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Minor
    • clair

Though Clair currently does not support OSV vulnerabilities for Java packages, there will be an issue finding vulnerabilities for this package at least once OSV is in use. I tested this with 9.0.68, so it's possible 10.x and 11.x do not deal with this, but at least for 9.x of https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core Clair claims the package is called org.apache.tomcat-embed-core:tomcat-embed-core. This makes sense, as that is all we could determine. However, OSV shows the package as org.apache.tomcat.embed:tomcat-embed-core (for example: https://osv.dev/vulnerability/GHSA-344f-f5vg-2jfj), which Clair will not find.

Perhaps we should consider hardcoding this groupid for this package since we know how OSV indexes it.
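To illustrate the mismatch the report describes and the proposed fix, here is an added example (not Clair's code): a Maven-name normalizer with a hypothetical `groupIDOverrides` table mapping tomcat-embed-core to the groupId OSV indexes it under, run against a constructed minimal OSV-style record. The record's JSON shape and the function names are assumptions for this example; only the advisory id and the package names come from the issue.

```go
package main

import (
	"encoding/json"
	"strings"
)

// osvRecord holds the subset of an OSV advisory needed for package-name matching.
type osvRecord struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct {
			Name string `json:"name"`
		} `json:"package"`
	} `json:"affected"`
}
// SampleOSV is a constructed, minimal stand-in for an OSV record: only the id and
// the Maven package name come from the issue; every other field is omitted.
const SampleOSV = `{"id":"GHSA-344f-f5vg-2jfj","affected":[{"package":` +
	`{"name":"org.apache.tomcat.embed:tomcat-embed-core"}}]}`

// groupIDOverrides (hypothetical) maps artifactIds whose jar metadata yields the
// wrong groupId to the groupId OSV indexes them under, as the issue proposes.
var groupIDOverrides = map[string]string{"tomcat-embed-core": "org.apache.tomcat.embed"}

// NormalizeMavenName rewrites "groupId:artifactId" through the override table;
// names without a colon or without an override are returned unchanged.
func NormalizeMavenName(name string) string {
	parts := strings.SplitN(name, ":", 2)
	if len(parts) != 2 {
		return name
	}
	if g, ok := groupIDOverrides[parts[1]]; ok {
		parts[0] = g
	}
	return parts[0] + ":" + parts[1]
}

// MatchOSV reports whether derivedName matches an affected package in the OSV
// record as derived from the jar (raw) and after normalization (normalized).
func MatchOSV(osvJSON []byte, derivedName string) (raw, normalized bool, err error) {
	var rec osvRecord
	if err = json.Unmarshal(osvJSON, &rec); err != nil {
		return false, false, err
	}
	want := NormalizeMavenName(derivedName)
	for _, a := range rec.Affected {
		raw = raw || a.Package.Name == derivedName
		normalized = normalized || a.Package.Name == want
	}
	return raw, normalized, nil
}
```

For the name Clair derives, `MatchOSV` returns raw=false and normalized=true, which is exactly the gap the override closes.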

rtannenb@redhat.com Ross Tannenbaum