Hi, sorry if you are getting this mail twice, but I sent it before having finished subscribing, so I was unsure if it reached the list.

We have recently integrated the OWASP Dependency Checker into our CI setup, and it has flagged two libraries as potentially problematic (i.e. affected by serious CVEs), namely tribes-6.0.16.jar and juli-6.0.16.jar. It turns out those are actually dependencies for Axis2. Both JAR files seem to be part of Tomcat 6.

The question is, how should we react to this finding? Are the CVEs for those libraries not relevant when used in the context of Axis2, since they haven't been updated (the latest version of Axis2 still ships those versions)?

Thanks!

BR,
Martin

---

Dependency          CPE                                               Coordinates                          Highest Severity  CVE Count  CPE Confidence  Evidence Count
tribes-6.0.16.jar   cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:tribes:6.0.16 ✓   High              66         Highest         18
                    cpe:/a:apache_software_foundation:tomcat:6.0.16
                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
juli-6.0.16.jar     cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:juli:6.0.16 ✓     High              66         Highest         16
                    cpe:/a:apache_software_foundation:tomcat:6.0.16
                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
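Added example, not part of Martin's post and not from the Axis2 or Dependency-Check projects: once each flagged CVE has actually been reviewed against the tribes/juli code paths Axis2 exercises, the usual way to keep the CI gate meaningful is a Dependency-Check suppression file that records the decision rather than turning the check off. This assumes the suppression schema 1.3 elements (notes, gav, cpe, cve); the notes text is hypothetical, and CVE-0000-0000 is a placeholder for a CVE you have reviewed, not a real identifier.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: suppression file for the two Tomcat 6.0.16 jars that
     Axis2 ships. Every suppress entry carries the justification in notes,
     and the gav regex is pinned to 6.0.16 so that a changed artifact
     version is reported again instead of staying silently suppressed. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Narrow option: suppress one reviewed CVE for the two artifacts.
       CVE-0000-0000 is a placeholder, not a real CVE; add one entry per
       CVE you have reviewed and found not to touch tribes/juli code. -->
  <suppress>
    <notes><![CDATA[
      Hypothetical justification: the affected code is in the Tomcat
      servlet container / Catalina, which is not present in tribes or
      juli as bundled by Axis2. Reviewed by <name>, <date>, ticket <id>.
    ]]></notes>
    <gav regex="true">^org\.apache\.tomcat:(tribes|juli):6\.0\.16$</gav>
    <cve>CVE-0000-0000</cve>
  </suppress>

  <!-- Broad option: drop the Tomcat CPE identification for these two jars
       entirely. This silences all 66 findings at once, including any
       future Tomcat CVE, so use it only if the decision really is
       "these jars are not the Tomcat container" and record that. -->
  <suppress>
    <notes><![CDATA[
      Hypothetical justification: tribes and juli are Tomcat sub-modules
      pulled in by Axis2; the Tomcat container CPE match is by version
      only. Re-evaluate when Axis2 updates these artifacts.
    ]]></notes>
    <gav regex="true">^org\.apache\.tomcat:(tribes|juli):6\.0\.16$</gav>
    <cpe>cpe:/a:apache:tomcat</cpe>
  </suppress>

</suppressions>
```

Point the scanner at the file with the CLI's --suppression option (or the equivalent setting of the Maven plugin), keep it in version control next to the build, and prefer the narrow per-CVE entries: the broad CPE suppression is the one that hides the next Tomcat advisory from you.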