- Bug
- Resolution: Unresolved
- Major
- None
- CloudBees Jenkins Enterprise 2.346.4.1-rolling
As part of our build pipeline, we are performing a call to 'nexusPolicyEvaluation'. The scan works fine, and critical errors result (somewhat expected) because we are scanning a Spring Boot application that includes one or more components with current CVEs, e.g. spring-web.jar or snakeyaml-1.33.jar. While the CVEs are legitimate vulnerabilities, each of them is conditional (e.g. spring-web requires Java deserialization, snakeyaml requires untrusted YAML), and those conditions do not pertain to our situation. Having analyzed these problems, I'd like to be able to inform Nexus to ignore that problem so that we can eliminate false positives.
The plugin offers two possible mechanisms, but I am unable to get either to work. I have tried both:
iqModuleExcludes: [[moduleExclude: '**/snakeyaml*.jar']]
advancedProperties: 'fileExcludes=*/snakeyaml.jar'
Neither of these seems to be effective for what I am trying to do. Is there a way to make Nexus ignore something that is not really an issue?
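A quick way to check what the two posted patterns can and cannot match, as an added example that is not part of the original report and not code from the Nexus Platform Plugin. It assumes the exclude patterns are matched with Ant-style path globbing (`**` spans directories, `*` and `?` stay inside one path segment); whether the plugin applies them to entries nested inside a Spring Boot fat jar is not established by the report. The sample paths and the third pattern (`**/snakeyaml-*.jar`) are constructed for the illustration.

```python
"""Check which files Ant-style exclude patterns would actually match.

Added example, not from the issue reporter or the Nexus Platform Plugin.
Assumes the patterns given to iqModuleExcludes / fileExcludes are matched
with Ant-style path globbing: '**' spans directories, '*' and '?' never
cross a '/'. The sample paths are constructed to look like the contents
of an unpacked Spring Boot executable jar.
"""
import re


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one Ant-style pattern into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append(r"(?:[^/]+/)*")   # zero or more complete directories
            i += 3
        elif pattern.startswith("**", i):
            parts.append(r".*")            # trailing '**': anything, incl. '/'
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^/]*")         # stays within a single segment
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, path: str) -> bool:
    """True if the Ant-style pattern matches the whole path."""
    return ant_to_regex(pattern).match(path) is not None


def report(patterns, paths):
    """Map each pattern to the sorted list of sample paths it matches."""
    return {p: sorted(x for x in paths if matches(p, x)) for p in patterns}


# Constructed sample: entries as they would appear once the scanner unpacks
# a Spring Boot executable jar (BOOT-INF/lib/ holds the dependency jars).
SAMPLE_PATHS = [
    "BOOT-INF/lib/snakeyaml-1.33.jar",
    "BOOT-INF/lib/spring-web.jar",
    "lib/snakeyaml.jar",
    "snakeyaml-1.33.jar",
]

# The two patterns from the report, plus an assumed correction that allows
# the version suffix and any directory depth.
PATTERNS = [
    "**/snakeyaml*.jar",    # iqModuleExcludes attempt
    "*/snakeyaml.jar",      # fileExcludes attempt
    "**/snakeyaml-*.jar",   # assumed correction
]

if __name__ == "__main__":
    for pattern, hits in report(PATTERNS, SAMPLE_PATHS).items():
        print(f"{pattern:24} -> {hits or 'no match'}")
```

The second pattern, `*/snakeyaml.jar`, requires exactly one directory level and the literal filename `snakeyaml.jar`, so it cannot match `BOOT-INF/lib/snakeyaml-1.33.jar` under Ant semantics; the first pattern does match, so if `iqModuleExcludes` still has no effect the problem is the option, not the glob. Note also that excluding a file only hides it from the scan and the report; recording that a finding was analyzed and accepted is what a policy waiver on the IQ Server side is for, which is a different mechanism from the plugin's exclude patterns.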