See <https://ci-builds.apache.org/job/Struts/job/Struts-examples-dependency-check/163/display/redirect>
Changes: ------------------------------------------ Started by timer Running as SYSTEM [EnvInject] - Loading node environment variables. Building remotely on builds48 (tmp-22 ubuntu) in workspace <https://ci-builds.apache.org/job/Struts/job/Struts-examples-dependency-check/ws/> The recommended git tool is: NONE No credentials specified Cloning the remote Git repository Cloning repository https://gitbox.apache.org/repos/asf/struts-examples.git > git init > <https://ci-builds.apache.org/job/Struts/job/Struts-examples-dependency-check/ws/> > # timeout=10 Fetching upstream changes from https://gitbox.apache.org/repos/asf/struts-examples.git > git --version # timeout=10 > git --version # 'git version 2.34.1' > git fetch --tags --force --progress -- > https://gitbox.apache.org/repos/asf/struts-examples.git > +refs/heads/*:refs/remotes/origin/* # timeout=10 > git config remote.origin.url > https://gitbox.apache.org/repos/asf/struts-examples.git # timeout=10 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # > timeout=10 Avoid second fetch > git rev-parse refs/remotes/origin/main^{commit} # timeout=10 Checking out Revision 9293ef31a9fc751e8f392b96953d43a8f4e0bcc0 (refs/remotes/origin/main) > git config core.sparsecheckout # timeout=10 > git checkout -f 9293ef31a9fc751e8f392b96953d43a8f4e0bcc0 # timeout=10 Commit message: "Merge pull request #507 from apache/dependabot/github_actions/actions/checkout-6.0.0" > git rev-list --no-walk 9293ef31a9fc751e8f392b96953d43a8f4e0bcc0 # timeout=10 Setting MAVEN_3_LATEST_HOME=/home/jenkins/tools/maven/latest3 [Struts-examples-dependency-check] $ /bin/sh -xe /tmp/jenkins15396590618044157307.sh + export MAVEN_OPTS=-Xms2g -Xmx2g + export PATH=/home/jenkins/tools/maven/latest3:/home/jenkins/tools/java/latest17/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin + ./mvnw verify -Pdependency-check [INFO] Scanning for projects... [WARNING] [WARNING] Some problems were encountered while building the effective model for org.apache.struts:rest-angular:war:2.0.0 [WARNING] 'build.plugins.plugin.version' for com.cj.jshintmojo:jshint-maven-plugin is missing. @ line 116, column 21 [WARNING] [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build. [WARNING] [WARNING] For this reason, future Maven versions might no longer support building such malformed projects. [WARNING] [INFO] ------------------------------------------------------------------------ [INFO] Reactor Build Order: [INFO] [INFO] Struts 2 Examples [pom] [INFO] Action chaining [war] [INFO] Annotations with Convention Plugin [war] [INFO] Basic Struts2 Example [war] [INFO] Bean Validation [war] [INFO] Struts 2 Blank Webapp [war] [INFO] Coding Struts 2 Action [war] [INFO] Control Tags [war] [INFO] CRUD Example [war] [INFO] Debugging Struts [war] [INFO] Dynamic Url [war] [INFO] Exception handling [war] [INFO] Exclude Parameters [war] [INFO] Expression Cache [war] [INFO] File upload [war] [INFO] Form Processing [war] [INFO] Form Tags [war] [INFO] Form validation [war] [INFO] XML based form validation [war] [INFO] Hello World Struts 2 Example Application [war] [INFO] Http Session [war] [INFO] Struts 2 Interceptors [war] [INFO] jfreechart [war] [INFO] JSON produce/consume [war] [INFO] Customized JSON produce [war] [INFO] Struts 2 Mail Reader Webapp [war] [INFO] Message resource [war] [INFO] Message Store [war] [INFO] Preparable Interface [war] [INFO] Struts 2 Quarkus [jar] [INFO] REST to Action Mapper Example Application [war] [INFO] REST Plugin based application with AngularJS [war] [INFO] Struts2 with Basic Shiro Security Integration [war] [INFO] Struts2 with Spring Integration [war] [INFO] Custom TextProvider [war] [INFO] Struts Tiles Example [war] [INFO] Struts 2 Themes [war] [INFO] Struts 2 Themes Override [war] [INFO] Type Conversion [war] [INFO] Unit Testing [war] [INFO] Unknown handler [war] [INFO] Using Struts 2 Tags [war] [INFO] validation-messages [war] [INFO] Wildcard Method Selection [war] [INFO] Wildcard RegEx pattern matching [war] [INFO] JasperReports Tutorial [war] [INFO] Struts Sitemesh 3 Example [war] [INFO] [INFO] -----------------< org.apache.struts:struts-examples >------------------ [INFO] Building Struts 2 Examples 2.0.0 [1/47] [INFO] from pom.xml [INFO] --------------------------------[ pom ]--------------------------------- [INFO] [INFO] --- dependency-check:12.1.8:check (default) @ struts-examples --- [INFO] Checking for updates [INFO] Skipping the NVD API Update as it was completed within the last 240 minutes [INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours. [INFO] Check for updates complete (1098 ms) [INFO] Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report. About ODC: https://dependency-check.github.io/DependencyCheck/general/internals.html False Positives: https://dependency-check.github.io/DependencyCheck/general/suppression.html [INFO] Analysis Started [INFO] Finished Archive Analyzer (0 seconds) [INFO] Finished File Name Analyzer (0 seconds) [INFO] Finished Jar Analyzer (0 seconds) [INFO] Finished Dependency Merging Analyzer (0 seconds) [INFO] Finished Hint Analyzer (0 seconds) [INFO] Finished Version Filter Analyzer (0 seconds) [INFO] Created CPE Index (3 seconds) [INFO] Finished CPE Analyzer (4 seconds) [INFO] Finished False Positive Analyzer (0 seconds) [INFO] Finished NVD CVE Analyzer (0 seconds) [INFO] Finished RetireJS Analyzer (0 seconds) [WARNING] Disabling OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required [INFO] Finished Vulnerability Suppression Analyzer (0 seconds) [INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds) [INFO] Finished Dependency Bundling Analyzer (0 seconds) [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.struts/struts\-core@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:apache:struts, regex=false, caseSensitive=false},}cve={CVE-2016-1182,CVE-2016-1181,CVE-2014-0114,CVE-2015-0899,CVE-2011-5057,CVE-2012-0391,CVE-2012-0392,CVE-2012-0393,CVE-2012-0394,CVE-2012-0838,CVE-2013-1965,CVE-2013-1966,CVE-2013-2115,CVE-2013-2134,CVE-2013-2135,CVE-2014-0094,CVE-2014-0113,CVE-2015-5169,CVE-2016-0785,CVE-2016-4003,CVE-2015-2992,}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^org\.apache\.struts:struts\-tiles\:1\.3\.8.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:apache:struts, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^org\.apache\.struts:struts\-taglib\:1\.3\.8.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:apache:struts, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.beanshell/bsh@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2016-2510, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:plexus-utils_project:plexus-utils, regex=false, caseSensitive=false},}cve={CVE-2017-1000487,}vulnerabilityName={PropertyType{value=Directory traversal in org.codehaus.plexus.util.Expand, regex=false, caseSensitive=false},PropertyType{value=Possible XML Injection, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/uk\.ltd\.getahead/dwr@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:getahead:direct_web_remoting, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/commons\-collections/commons\-collections@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:apache:commons_collections, regex=false, caseSensitive=false},}cve={CVE-2015-6420,CVE-2017-15708,}vulnerabilityName={PropertyType{value=Remote code execution, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/commons\-beanutils/commons\-beanutils@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:apache:commons_beanutils, regex=false, caseSensitive=false},}cve={CVE-2014-0114,CVE-2019-10086,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/dom4j/dom4j@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:dom4j_project:dom4j, regex=false, caseSensitive=false},}cve={CVE-2020-10683,CVE-2018-1000632,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.tiles/tiles\-ognl@.*$, regex=true, caseSensitive=false},cve={CVE-2016-3093,}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^io\.quarkus:quarkus-jdbc-postgresql:.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:postgresql:postgresql, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^io\.quarkus:quarkus-resteasy.*:.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:redhat:resteasy, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^io\.quarkus:quarkus-undertow.*:.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:redhat:undertow, regex=false, caseSensitive=false},}cve={CVE-2022-4147,}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^io\.quarkus:quarkus-swagger-ui.*:.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:swagger_project:swagger-ui, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{gav=PropertyType{value=^io\.quarkus:quarkus-netty.*:.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:netty:netty, regex=false, caseSensitive=false},}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*, regex=true, caseSensitive=false},cve={CVE-2022-37422,CVE-2022-45129,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io\.quarkus/quarkus-vertx-http@.*, regex=true, caseSensitive=false},cve={CVE-2022-4147,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.springframework/spring\-.*@.*$, regex=true, caseSensitive=false},cve={CVE-2022-22965,CVE-2022-22950,CVE-2022-22968,CVE-2022-22970,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.springframework/spring\-web@.*$, regex=true, caseSensitive=false},cve={CVE-2016-1000027,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.velocity/velocity@.*, regex=true, caseSensitive=false},cve={CVE-2020-13936,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.velocity/velocity-tools@.*, regex=true, caseSensitive=false},cve={CVE-2020-13959,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/com\.thoughtworks\.xstream/xstream@1\.4\.19, regex=true, caseSensitive=false},cve={CVE-2022-40151,CVE-2022-40152,CVE-2022-40156,}} [INFO] Finished Unused Suppression Rule Analyzer (0 seconds) [INFO] Analysis Complete (5 seconds) [INFO] Writing HTML report to: <https://ci-builds.apache.org/job/Struts/job/Struts-examples-dependency-check/ws/target/dependency-check-report.html> [WARNING] One or more dependencies were identified with known vulnerabilities in Struts 2 Examples: commons-fileupload2-core-2.0.0-M2.jar (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_fileupload:2.0.0:m2:*:*:*:*:*:*) : CVE-2025-48976 commons-lang3-3.17.0.jar (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_lang:3.17.0:*:*:*:*:*:*:*) : CVE-2025-48924 struts2-core-7.0.3.jar (pkg:maven/org.apache.struts/[email protected], cpe:2.3:a:apache:struts:7.0.3:*:*:*:*:*:*:*) : CVE-2025-66675, CVE-2025-64775 See the dependency-check report for more details. [INFO] ------------------------------------------------------------------------ [INFO] Reactor Summary for Struts 2 Examples 2.0.0: [INFO] [INFO] Struts 2 Examples .................................. FAILURE [ 12.199 s] [INFO] Action chaining .................................... SKIPPED [INFO] Annotations with Convention Plugin ................. SKIPPED [INFO] Basic Struts2 Example .............................. SKIPPED [INFO] Bean Validation .................................... SKIPPED [INFO] Struts 2 Blank Webapp .............................. SKIPPED [INFO] Coding Struts 2 Action ............................. SKIPPED [INFO] Control Tags ....................................... SKIPPED [INFO] CRUD Example ....................................... SKIPPED [INFO] Debugging Struts ................................... SKIPPED [INFO] Dynamic Url ........................................ SKIPPED [INFO] Exception handling ................................. SKIPPED [INFO] Exclude Parameters ................................. SKIPPED [INFO] Expression Cache ................................... SKIPPED [INFO] File upload ........................................ SKIPPED [INFO] Form Processing .................................... SKIPPED [INFO] Form Tags .......................................... SKIPPED [INFO] Form validation .................................... SKIPPED [INFO] XML based form validation .......................... SKIPPED [INFO] Hello World Struts 2 Example Application ........... SKIPPED [INFO] Http Session ....................................... SKIPPED [INFO] Struts 2 Interceptors .............................. SKIPPED [INFO] jfreechart ......................................... SKIPPED [INFO] JSON produce/consume ............................... SKIPPED [INFO] Customized JSON produce ............................ SKIPPED [INFO] Struts 2 Mail Reader Webapp ........................ SKIPPED [INFO] Message resource ................................... SKIPPED [INFO] Message Store ...................................... SKIPPED [INFO] Preparable Interface ............................... SKIPPED [INFO] Struts 2 Quarkus ................................... SKIPPED [INFO] REST to Action Mapper Example Application .......... SKIPPED [INFO] REST Plugin based application with AngularJS ....... SKIPPED [INFO] Struts2 with Basic Shiro Security Integration ...... SKIPPED [INFO] Struts2 with Spring Integration .................... SKIPPED [INFO] Custom TextProvider ................................ SKIPPED [INFO] Struts Tiles Example ............................... SKIPPED [INFO] Struts 2 Themes .................................... SKIPPED [INFO] Struts 2 Themes Override ........................... SKIPPED [INFO] Type Conversion .................................... SKIPPED [INFO] Unit Testing ....................................... SKIPPED [INFO] Unknown handler .................................... SKIPPED [INFO] Using Struts 2 Tags ................................ SKIPPED [INFO] validation-messages ................................ SKIPPED [INFO] Wildcard Method Selection .......................... SKIPPED [INFO] Wildcard RegEx pattern matching .................... SKIPPED [INFO] JasperReports Tutorial ............................. SKIPPED [INFO] Struts Sitemesh 3 Example .......................... SKIPPED [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 12.746 s [INFO] Finished at: 2026-01-01T21:59:24Z [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.owasp:dependency-check-maven:12.1.8:check (default) on project struts-examples: [ERROR] [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': [ERROR] [ERROR] commons-fileupload2-core-2.0.0-M2.jar (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_fileupload:2.0.0:m2:*:*:*:*:*:*): CVE-2025-48976(7.5) [ERROR] struts2-core-7.0.3.jar (pkg:maven/org.apache.struts/[email protected], cpe:2.3:a:apache:struts:7.0.3:*:*:*:*:*:*:*): CVE-2025-64775(7.5), CVE-2025-66675(8.2) [ERROR] [ERROR] See the dependency-check report for more details. [ERROR] [ERROR] [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException Build step 'Execute shell' marked build as failure Setting MAVEN_3_LATEST_HOME=/home/jenkins/tools/maven/latest3
