Hi Martin,

It is possible to have a newer pax-web version (including pax-web-tomcat) with a custom Karaf distribution. We are currently using Karaf 4.4.6 with pax-web 8.0.29.

Concerning security scans: I haven't managed to make the karaf-maven-plugin not install the pax-web version that comes with the Karaf version (8.0.27 in the case of Karaf 4.4.6) into the repository as well (so you have two versions of pax-web in the Karaf repository). This means that code scans will still find the old Tomcat version even though only the newer one is installed into the running Karaf container.

Best regards
Stephan

From: Martin Zukal via user <user@karaf.apache.org>
Sent: Tuesday, 14 January 2025 10:37
To: user@karaf.apache.org
Subject: upgrade apache tomcat bundled in pax-web

Hello everyone,

We received results of a security scan of our application running on Apache Karaf 4.4.3. One of the issues is that there is an old and vulnerable component in use. It is the Apache Tomcat version 9.0.70 in particular. This comes from the pax-web feature (version 8.0.15 in Karaf 4.4.3).

I checked what version of pax-web is used in Karaf 4.4.6 and found out that it is 8.0.27. According to what I was able to find, version 8.0.27 of pax-web uses Apache Tomcat version 9.0.87. Unfortunately this version of Tomcat still has some known vulnerabilities (see https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.87). Even the newest version of pax-web (8.0.29) uses a vulnerable version of Apache Tomcat, 9.0.96 (see https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.96). The only 9.x version of Tomcat without vulnerabilities is 9.0.98.

My question is whether it is possible to upgrade just the tomcat feature (pax-web-tomcat). If so, how can I do that? Is it possible to configure the karaf-maven-plugin to package the newest version of tomcat in the assembly?

Best Regards
Martin Zukal
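The point Stephan raises, that a custom distribution built with karaf-maven-plugin can end up with two pax-web versions in its system repository so that a scanner still flags the older Tomcat, is easy to verify before shipping an assembly. The script below is an added example written for this thread, not code from the Karaf or pax-web projects; it assumes only that the distribution's `system/` folder follows the usual Maven repository layout (`org/apache/tomcat/embed/tomcat-embed-core/<version>/tomcat-embed-core-<version>.jar`). The function names and the sample repository it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): inventory every
# tomcat-embed-core jar in a Karaf "system" Maven repository so a custom
# distribution can be checked for stale, older Tomcat copies before a
# vulnerability scanner reports them.
#
# Assumption: the repository follows the standard Maven layout that Karaf
# uses for its system/ folder (groupId path / artifactId / version / jar).

# Print one version per line for every tomcat-embed-core jar under the
# given repository root, sorted numerically so the newest version is last.
tomcat_versions() {
  repo="$1"
  find "$repo" -type f -name 'tomcat-embed-core-*.jar' 2>/dev/null \
    | sed -n 's#.*/tomcat-embed-core-\([0-9][0-9.]*\)\.jar$#\1#p' \
    | sort -t. -k1,1n -k2,2n -k3,3n -u
}

# Succeed (exit 0) only when exactly one Tomcat version is present;
# fail when there are several (leftover copies) or none at all.
tomcat_single_version() {
  n=$(tomcat_versions "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Build a constructed sample repository mirroring the situation in the
# thread: Karaf 4.4.6's bundled pax-web 8.0.27 (Tomcat 9.0.87) next to
# pax-web 8.0.29 (Tomcat 9.0.96). The jar files are empty placeholders.
make_sample_repo() {
  root=$(mktemp -d)
  for v in 9.0.87 9.0.96; do
    d="$root/system/org/apache/tomcat/embed/tomcat-embed-core/$v"
    mkdir -p "$d"
    : > "$d/tomcat-embed-core-$v.jar"
  done
  printf '%s\n' "$root"
}

# Usage: sh check-tomcat.sh /path/to/karaf/system
if [ -n "${1:-}" ]; then
  tomcat_versions "$1"
  tomcat_single_version "$1" \
    || echo "WARNING: more than one (or no) tomcat-embed-core version under $1" >&2
fi
```

Run it against the `system/` directory of the assembled distribution (or the `target/assembly/system` folder produced by karaf-maven-plugin); a second, older version in the listing is the copy a scanner will report even though the running container only uses the newer pax-web feature.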