We're facing cases where a third party dependency has a different versioning scheme than the one that matches our upgrade policy.
One recent example is the Upgrade to MySQL 9.3.0 that contains a CVE fix that wasn't backported.
Usually we ask users to override the version. However, looking at their release notes, it's obvious that 9.1.0 and 9.2.0 are no longer maintained:
"Version 9.3.0 is a new GA release of MySQL Connector/J. MySQL Connector/J 9.3.0 supersedes 9.2 and is recommended for use on production systems."
For cases like this, it'd be nice to configure bomr on a particular module so that it overrides the upgrade policy to use.
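To make the request concrete, here is an added illustration (not bomr's own code, and not from the Spring Boot project) of what a per-module policy override does to upgrade selection. The policy names mirror the `any`, `same-major-version` and `same-minor-version` choices bomr offers, but the `select_upgrade` function, the override map, the module coordinate `com.mysql:mysql-connector-j` and the list of available versions are all assumptions constructed for the example. The point it shows is the security-relevant one from the issue: under a `same-minor-version` default, a module whose upstream has moved on to a new minor line is reported as stuck, with the newer releases it cannot reach listed as blocked, whereas a per-module `same-major-version` override lets it pick up the line that actually receives fixes.

```python
"""Illustrative upgrade-policy resolution with per-module overrides.

Added example; the policy names follow bomr's, the rest is constructed.
"""
import re
from dataclasses import dataclass
from enum import Enum


class UpgradePolicy(Enum):
    ANY = "any"
    SAME_MAJOR_VERSION = "same-major-version"
    SAME_MINOR_VERSION = "same-minor-version"


@dataclass(frozen=True, order=True)
class Version:
    # Field order matters: dataclass ordering compares major, then minor, then patch.
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
        if not m:
            raise ValueError(f"unsupported version format: {text!r}")
        return cls(*(int(g) for g in m.groups()))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


# Global default policy, and the per-module override the issue asks for.
# Both values are assumptions for this example, not a bomr configuration format.
DEFAULT_POLICY = UpgradePolicy.SAME_MINOR_VERSION
MODULE_POLICY_OVERRIDES = {
    "com.mysql:mysql-connector-j": UpgradePolicy.SAME_MAJOR_VERSION,
}


def permits(policy: UpgradePolicy, current: Version, candidate: Version) -> bool:
    """True if `candidate` is a newer version the policy allows moving to."""
    if candidate <= current:
        return False
    if policy is UpgradePolicy.ANY:
        return True
    if policy is UpgradePolicy.SAME_MAJOR_VERSION:
        return candidate.major == current.major
    return candidate.major == current.major and candidate.minor == current.minor


def effective_policy(module: str, overrides=None) -> UpgradePolicy:
    """Per-module override wins; otherwise fall back to the global default."""
    table = MODULE_POLICY_OVERRIDES if overrides is None else overrides
    return table.get(module, DEFAULT_POLICY)


def select_upgrade(module: str, current: str, available, overrides=None):
    """Return (policy name, chosen upgrade or None, newer versions the policy blocks).

    A non-empty blocked list with no chosen upgrade means the module is stuck
    on a line that no longer receives releases; that is the situation in which
    a CVE fix shipped only on a newer minor line would never be picked up.
    """
    cur = Version.parse(current)
    candidates = [Version.parse(v) for v in available]
    policy = effective_policy(module, overrides)
    eligible = [c for c in candidates if permits(policy, cur, c)]
    blocked = sorted(c for c in candidates if c > cur and not permits(policy, cur, c))
    chosen = str(max(eligible)) if eligible else None
    return policy.value, chosen, [str(b) for b in blocked]


if __name__ == "__main__":
    # Constructed version list; 9.1.0 is current and only 9.3.0 is on the maintained line.
    versions = ["9.1.0", "9.2.0", "9.3.0"]
    print(select_upgrade("com.mysql:mysql-connector-j", "9.1.0", versions, overrides={}))
    print(select_upgrade("com.mysql:mysql-connector-j", "9.1.0", versions))
```

Run with the empty override map, the call reports no upgrade and lists 9.2.0 and 9.3.0 as blocked, which is exactly the "ask users to override the version" situation; with the module override in place it chooses 9.3.0. A build that surfaces the blocked list for each module makes the stuck-on-an-unmaintained-line case visible instead of silent.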