These libraries are dependencies of axis2-clustering. Are you using the clustering support?

Andreas

On Mon, Aug 6, 2018 at 11:13 AM axis2user82 <axis2use...@gmail.com> wrote:
>
> Hi
>
> Sorry if you are getting this mail twice, but I sent it before having
> finished subscribing, so I was unsure if it reached the list.
>
> We have recently integrated the OWASP Dependency Checker into our CI setup,
> and it has flagged two libraries as potentially problematic (i.e. affected by
> serious CVEs), namely tribes-6.0.16.jar & juli-6.0.16.jar. It turns out
> those are actually dependencies for Axis2. Both JAR files seem to be part of
> Tomcat 6. Question is, how should we react to this finding? Are the CVEs for
> those libraries not relevant when used in the context of Axis2, since they
> haven't been updated (the latest version of Axis2 still ships those versions)?
>
> Thanks!
>
> BR, Martin
>
> ---
>
> Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count
>
> tribes-6.0.16.jar | cpe:/a:apache:tomcat:6.0.16 cpe:/a:apache_software_foundation:tomcat:6.0.16 cpe:/a:apache_tomcat:apache_tomcat:6.0.16 | org.apache.tomcat:tribes:6.0.16 ✓ | High | 66 | Highest | 18
>
> juli-6.0.16.jar | cpe:/a:apache:tomcat:6.0.16 cpe:/a:apache_software_foundation:tomcat:6.0.16 cpe:/a:apache_tomcat:apache_tomcat:6.0.16 | org.apache.tomcat:juli:6.0.16 ✓ | High | 66 | Highest | 16