Hi team,

I am running a dummy project to scan for vulnerabilities using OWASP
dependency-check. The project doesn't contain anything except for the
ActiveMQ jars added as dependencies in the pom.xml. Even when we use the
latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally should
be fixed in the latest release, as mentioned in the link:
https://activemq.apache.org/components/classic/security

Can you please check and tell whether the issue is not fixed, or the NVD database is
still showing the vulnerability even though the issue is fixed.

I have attached the pom.xml and the dependency check reports for your
reference.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>abcd</groupId>
  <artifactId>cd</artifactId>
  <packaging>pom</packaging>
  <version>0.0.1-SNAPSHOT</version>
  <name>cd Maven Webapp</name>
  <url>http://maven.apache.org</url>

  <profiles>
    <profile>
      <id>DependencyCheckProfile</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>5.0.0-M1</version>
            <executions>
              <execution>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
            <configuration>
              <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
            </configuration>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0-M1</version>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>

  <dependencies>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-kahadb-store</artifactId>
      <version>5.15.9</version>
    </dependency>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-broker</artifactId>
      <version>5.15.9</version>
    </dependency>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-client</artifactId>
      <version>5.15.9</version>
    </dependency>
  </dependencies>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>1.2.8</version>
        </plugin>
        <plugin>
          <artifactId>maven-war-plugin</artifactId>
          <version>2.4</version>
          <configuration>
            <warSourceDirectory>WebContent</warSourceDirectory>
            <failOnMissingWebXml>false</failOnMissingWebXml>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
    <finalName>cd</finalName>
  </build>

  <modules>
    <module>test</module>
  </modules>
</project>
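The question above ("is the issue unfixed, or is the NVD data still matching a fixed version?") is usually answered by looking at the affected-version range that dependency-check attached to each finding and comparing it with the version of the jar that was scanned. The script below is an added example written for this thread; it is not part of the original post and not part of dependency-check. It reads a dependency-check JSON report (`-Dformat=JSON`), pulls the artifact version from the package URL and checks it against the `versionStartIncluding` / `versionEndIncluding` / `versionEndExcluding` bounds of every matched CPE record. The report layout assumed here (top-level `dependencies`, each with `packages`, `vulnerabilities` and `vulnerableSoftware`) and the sample report with placeholder CVE ids are constructed for the example; verify the field names against a real report before relying on the output.

```python
"""Triage an OWASP dependency-check JSON report: for every flagged CVE, show
which affected-version range produced the match and whether the scanned
artifact version actually falls inside it.

Added example for this mailing-list thread; not dependency-check's own code.
The JSON layout below is an assumption about the report format, and the
sample report (with placeholder CVE ids) is constructed for the example.
"""
import json
import re

# Constructed sample report: one jar, two findings. The first carries a range
# that ends before 5.15.9 (candidate stale/false match); the second includes it.
SAMPLE_REPORT = json.dumps({
    "dependencies": [{
        "fileName": "activemq-broker-5.15.9.jar",
        "packages": [{"id": "pkg:maven/org.apache.activemq/activemq-broker@5.15.9"}],
        "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0001",   # placeholder id, not a real CVE
             "severity": "HIGH",
             "vulnerableSoftware": [{"software": {
                 "id": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "5.15.6"}}]},
            {"name": "CVE-EXAMPLE-0002",   # placeholder id, not a real CVE
             "severity": "MEDIUM",
             "vulnerableSoftware": [{"software": {
                 "id": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "5.0.0",
                 "versionEndIncluding": "5.15.9"}}]},
        ],
    }]
})


def version_key(v):
    """'5.15.9' -> (5, 15, 9). Non-numeric parts (e.g. '-SNAPSHOT') sort as 0.
    Simplified ordering, not full Maven/CPE version semantics."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def in_range(version, sw):
    """True if `version` lies inside the bounds of one vulnerableSoftware record.
    A record with no bounds at all is treated as matching (the CPE matched on
    a wildcard version), which callers should review manually."""
    k = version_key(version)
    lo_inc, lo_exc = sw.get("versionStartIncluding"), sw.get("versionStartExcluding")
    hi_inc, hi_exc = sw.get("versionEndIncluding"), sw.get("versionEndExcluding")
    if lo_inc and k < version_key(lo_inc):
        return False
    if lo_exc and k <= version_key(lo_exc):
        return False
    if hi_inc and k > version_key(hi_inc):
        return False
    if hi_exc and k >= version_key(hi_exc):
        return False
    return True


def artifact_version(dep):
    """Extract the version from the first Maven package URL of a dependency."""
    for pkg in dep.get("packages", []):
        m = re.match(r"pkg:maven/[^@]+@([^?#]+)", pkg.get("id", ""))
        if m:
            return m.group(1)
    return None


def triage(report_json):
    """Return one row per (dependency, CVE) with a verdict:
    in-range, out-of-range, no-range or unknown-version."""
    rows = []
    for dep in json.loads(report_json).get("dependencies", []):
        version = artifact_version(dep)
        for vuln in dep.get("vulnerabilities") or []:
            ranges = [s["software"] for s in vuln.get("vulnerableSoftware", [])]
            if version is None:
                verdict = "unknown-version"
            elif not ranges:
                verdict = "no-range"
            elif any(in_range(version, sw) for sw in ranges):
                verdict = "in-range"
            else:
                verdict = "out-of-range"
            rows.append({"file": dep.get("fileName"), "version": version,
                         "cve": vuln.get("name"), "severity": vuln.get("severity"),
                         "verdict": verdict})
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f"{r['file']:32} {r['cve']:18} {r['severity']:8} {r['verdict']}")
```

An `out-of-range` row means the NVD record's own affected-version bounds do not cover the scanned jar, so the finding is a candidate for a suppression entry once you have confirmed it against the vendor advisory; an `in-range` row means the NVD data still lists that version as affected, which is what to compare against the fixed-in version on the ActiveMQ security page before concluding either way.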
