Hi.
Might be related to the patch plugin while building the distribution archives.
Adding the commons lib to the skip list in
https://github.com/apache/tomee/blob/320f9a20c51a5a058e21d1f20205110d02bf6a94/tomee/apache-tomee/pom.xml#L566
might resolve it (didn't test, just a blind guess).
It
THALES GROUP LIMITED DISTRIBUTION to email recipients
Hello everyone,
Quite recently I run NexusIQ on TomEE Plus 8.0.15.
The tool reports a vulnerability on commons-collections--3.2.1.
Issue: in TomEE delivery there is no commons-collections--3.2.1 ☹
So we opened a ticket to NexusIQ support.
