Static Reachability: Fix Java matching failures
Context
When running static reachability analysis on a Java project, the final cdx files are not enriched with the static reachability information.
Examples
As can be seen in this CI execution, the pipeline finishes successfully; however, no third-party packages in the cdx file carry the static reachability property "value": "in_use".
I believe this is caused by name mismatches: in the sca.json file the third-party packages have a short name (for example esapi), while in the cdx file they have a long name (same example: org.owasp.esapi/esapi).
DOD
Find a better matching algorithm, or apply a fix to the calculator or sca matcher that allows this matching.
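A sketch of the kind of matching this asks for, added here as an illustration and not code from the calculator or sca matcher: it reduces every Java/Maven identifier to its artifactId so that a short sca.json name (esapi) matches the long cdx name (org.owasp.esapi/esapi), and flags the case where two groups publish the same artifactId so it is not marked in_use blindly. The sample names, the accepted input forms and the static_reachability property name are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not taken from any real sca.json / cdx file).
SCA_PACKAGES = ["esapi", "commons-lang3", "guava"]
CDX_COMPONENTS = [
    {"name": "org.owasp.esapi/esapi", "version": "2.5.2.0"},
    {"name": "org.apache.commons/commons-lang3", "version": "3.14.0"},
    {"name": "com.google.guava/guava", "version": "33.0.0-jre"},
    {"name": "com.example.fork/guava", "version": "1.0"},  # same artifactId, other group
]


def artifact_id(name: str) -> str:
    """Reduce a Maven-style identifier to its bare, lower-cased artifactId.

    Accepted forms (assumed): "group/artifact", "group:artifact[:version]",
    purl "pkg:maven/group/artifact@version[?qualifiers]", or a short "artifact".
    """
    name = name.strip()
    if name.startswith("pkg:maven/"):
        name = name[len("pkg:maven/"):]
    name = name.split("?", 1)[0].split("@", 1)[0]   # drop purl qualifiers/version
    if ":" in name:                                 # group:artifact[:version]
        name = name.split(":")[1]
    name = name.rsplit("/", 1)[-1]                  # group/artifact -> artifact
    return name.lower()


def match_sca_to_cdx(sca_names, cdx_components):
    """Map each short sca name to the list of cdx component names sharing its artifactId."""
    by_artifact = defaultdict(list)
    for comp in cdx_components:
        by_artifact[artifact_id(comp["name"])].append(comp["name"])
    return {n: by_artifact.get(artifact_id(n), []) for n in sca_names}


def enrich(cdx_components, reachable_sca_names):
    """Add the in_use property to unambiguously matched components.

    Returns (enriched components, set of sca names that matched more than one
    component); ambiguous names are left unmarked rather than guessed.
    """
    matches = match_sca_to_cdx(reachable_sca_names, cdx_components)
    in_use = {cands[0] for cands in matches.values() if len(cands) == 1}
    ambiguous = {n for n, cands in matches.items() if len(cands) > 1}
    enriched = []
    for comp in cdx_components:
        props = list(comp.get("properties", []))
        if comp["name"] in in_use:
            props.append({"name": "static_reachability", "value": "in_use"})
        enriched.append({**comp, "properties": props})
    return enriched, ambiguous
```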
Edited by Niko Sokolik