There are no known CVE's in git for either Axis 1.x or Axis2. Strangely I don't see that Axis2 dep error via "mvn dependency:analyze" nor do I see that jar in ~/.m2 .
On Fri, Feb 26, 2021 at 12:19 AM Andrew Marlow <[email protected]> wrote: > Hello everyone, > > I am trying to find out what CVE issues there are with axis2. I am using > the owasp maven plugin. With the appropriate plugin section added to the > pom I get a build error: > > [INFO] --------------------< org.apache.axis2:axis2-jibx > >--------------------- > [INFO] Building Apache Axis2 - JiBX Data Binding 1.8.0-SNAPSHOT > [29/85] > [INFO] --------------------------------[ jar > ]--------------------------------- > [INFO] > [INFO] --- dependency-check-maven:5.2.4:check (default-cli) @ axis2-jibx > --- > [ERROR] Unable to resolve system scoped dependency: > com.sun:tools:jar:1.8.0:system > > It looks like there is a dependency on com.sun.tools. This is shown by the > maven dependency analyser which reports: > > INFO [m] +- org.apache.ant:ant:jar:1.10.9:test > INFO [m] | +- org.apache.ant:ant-launcher:jar:1.10.9:test > INFO [m] | \- com.sun:tools:jar:1.8.0:system > > Can anyone shed any light on this error please? > -- > Regards, > > Andrew Marlow > http://www.andrewpetermarlow.co.uk > >
