Sorry to say it bluntly, but I think this means that the tool you are using is completely braindead. It sees "ant" and "1.8.0" in the JAR file name and believes the artifact is Ant 1.8.0 [1]. Same for taglibs-standard-impl-1.2.5.jar: it sees "tag" and "1.2.5" and then spits out CVEs for https://github.com/dhowden/tag, which is a completely unrelated project. I find it shocking what kind of stuff so-called "security" companies nowadays try to make money with.
Andreas

[1] The actual Maven module depends on Ant 1.10. Even if it did depend on Ant 1.8, that wouldn't make it vulnerable, because it's a **plugin** for Ant. The vulnerability is in Ant itself, so what matters is which Ant version the user is running.

On Thu, Mar 11, 2021 at 10:53 AM Andrew Marlow <[email protected]> wrote:
> Hello everyone,
>
> When I build axis2 as root the build now completes ok (avoiding that
> strange permission denied problem). So I am now able to do a full owasp and
> maven dependency tree analysis. I am pleased to say that this shows that
> the CVEs from tomcat 6 are gone, since it now depends on tomcat 10. Great!
> However, the dependency on the ant-plugin seems to have crept back in.
> Below are the CVEs reported by owasp:
>
> axis2-ant-plugin-1.8.0-SNAPSHOT.jar
> (pkg:maven/org.apache.axis2/[email protected],
> cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
> axis2.war: taglibs-standard-impl-1.2.5.jar
> (pkg:maven/org.apache.taglibs/[email protected],
> cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*,
> cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242,
> CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
> axis2-xmlbeans-1.8.0-SNAPSHOT.jar
> (pkg:maven/org.apache.axis2/[email protected],
> cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
> axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar
> (pkg:maven/org.apache.axis2/[email protected],
> cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
> commons-httpclient-3.1.jar
> (pkg:maven/commons-httpclient/[email protected],
> cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
> failureaccess-1.0.1.jar (pkg:maven/com.google.guava/[email protected],
> cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908
> org.eclipse.ui.ide-3.17.100.v20200530-0835.jar
> (pkg:maven/osgi.bundle/[email protected],
> cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*,
> cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271
> org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar
> (pkg:maven/osgi.bundle/[email protected],
> cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) :
> CVE-2008-7271
> taglibs-standard-impl-1.2.5.jar
> (pkg:maven/org.apache.taglibs/[email protected],
> cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*,
> cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242,
> CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
> xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/[email protected],
> cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
>
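An added illustration of the point made above, written for this page and not code from the thread, from Axis2 or from dependency-check itself: a small Python script that parses findings in the shape Andrew pasted, flags CPE matches whose product name is only a fragment of the artifactId (the "ant" in axis2-ant-plugin, the "tag" in taglibs-standard-impl), and emits a dependency-check suppression entry for the matches a reviewer has confirmed as false positives. The report lines are a constructed subset with the purls spelled out in the pkg:maven/group/artifact@version form the tool prints (the archive's e-mail obfuscation mangled them in the quote); the suppression output follows dependency-check's documented suppressions.xml format (a `packageUrl` regex plus a `cpe` element in cpe:/a:vendor:product form), so compare it with the schema shipped with the release you run.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the dependency-check summary quoted in the
# thread (a subset of the findings; purls written out in the form the tool prints).
REPORT = """\
axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT, cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243
xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0, cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926
"""

# dependency-check suppression schema (version 1.3); verify against your release's docs.
SCHEMA = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

FINDING_RE = re.compile(
    r"^(?:(?P<container>\S+?):\s+)?"                 # optional "axis2.war: " prefix
    r"(?P<jar>\S+\.jar)\s*\((?P<ids>[^)]*)\)\s*:\s*(?P<cves>.*)$"
)


def parse_report(text: str) -> List[Dict]:
    """Turn one summary line per finding into a dict with purl parts, CPEs and CVEs."""
    findings = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if not m:
            continue
        ids = [p.strip() for p in m.group("ids").split(",")]
        purl = next(p for p in ids if p.startswith("pkg:maven/"))
        group, rest = purl[len("pkg:maven/"):].split("/", 1)   # pkg:maven/<group>/<artifact>@<version>
        artifact, version = rest.split("@", 1)
        findings.append({
            "container": m.group("container"),
            "jar": m.group("jar"),
            "purl": purl,
            "group": group,
            "artifact": artifact,
            "version": version,
            "cpes": [p for p in ids if p.startswith("cpe:2.3:")],
            "cves": [c.strip() for c in m.group("cves").split(",") if c.strip()],
        })
    return findings


def cpe_vendor_product(cpe23: str) -> Tuple[str, str]:
    """cpe:2.3:a:<vendor>:<product>:<version>:... -> (vendor, product)."""
    parts = cpe23.split(":")
    return parts[3], parts[4]


def questionable_cpes(finding: Dict) -> List[Tuple[str, str]]:
    """CPE matches whose product is neither the whole artifactId nor the last
    segment of the groupId. 'ant' against 'axis2-ant-plugin' or 'tag' against
    'taglibs-standard-impl' are exactly the fragment matches the thread
    complains about; anything returned here still needs a human decision."""
    group_tail = finding["group"].rsplit(".", 1)[-1]
    trusted = {finding["artifact"], group_tail}
    flagged = []
    for cpe in finding["cpes"]:
        vendor, product = cpe_vendor_product(cpe)
        if product not in trusted and product.replace("_", "-") not in trusted:
            flagged.append((vendor, product))
    return flagged


def suppression_xml(confirmed: List[Tuple[Dict, str, str]]) -> str:
    """Emit a suppressions file for (finding, vendor, product) triples a reviewer
    has confirmed as false positives. Each entry is pinned to the exact purl
    (group/artifact, any version) and to the wrong CPE only, so genuine
    matches on the same jar keep being reported."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             f'<suppressions xmlns="{SCHEMA}">']
    for f, vendor, product in confirmed:
        purl_re = f"^pkg:maven/{re.escape(f['group'])}/{re.escape(f['artifact'])}@.*$"
        lines += [
            "  <suppress>",
            f"    <notes><![CDATA[{f['artifact']} is not {vendor}:{product}; "
            "CPE was matched on a fragment of the artifact name]]></notes>",
            f'    <packageUrl regex="true">{purl_re}</packageUrl>',
            f"    <cpe>cpe:/a:{vendor}:{product}</cpe>",
            "  </suppress>",
        ]
    lines.append("</suppressions>")
    return "\n".join(lines)


def review(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map artifactId -> CPE (vendor, product) pairs that need a second look."""
    return {f["artifact"]: questionable_cpes(f) for f in parse_report(text)}


if __name__ == "__main__":
    findings = parse_report(REPORT)
    for f in findings:
        print(f["jar"], "->", questionable_cpes(f) or "CPE matches look consistent")
    # Reviewer decision, following the thread's conclusion: apache:ant and
    # tag_project:tag do not describe these artifacts.
    confirmed = [(findings[0], "apache", "ant"), (findings[1], "tag_project", "tag")]
    print(suppression_xml(confirmed))
```

The heuristic deliberately over-flags (apache:standard_taglibs is reported for review alongside tag_project:tag), which is the right failure mode for a triage aid: it never writes a suppression on its own, and the generated entries suppress one CPE for one purl rather than the whole jar.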
