On 06/11/2025 09:17, S Sathish S wrote:
> Hi Team,
> Issue Description:
> We are experiencing false positive vulnerability alerts when using el-api.jar
> from the official Apache Tomcat distribution
> (https://archive.apache.org/dist/tomcat/tomcat-11/v11.0.10/bin/) and Maven
> repository (https://repo.maven.apache.org/maven2/org/apache/tomcat/) with OWASP
> Dependency Checker.
If it is a false positive then that is an issue for the OWASP Dependency
Checker.
> However, the identical version of el-api.jar obtained from the javax.el
> repository (https://mvnrepository.com/artifact/javax.el/el-api) produces no
> vulnerability alerts in the same OWASP Dependency Checker analysis.
That is not the official repository for that JAR. You should be using
Maven Central.
> Request:
> Please investigate and resolve the metadata or packaging differences causing
> these false positive vulnerability reports in the official Apache Tomcat
> el-api.jar distribution. This discrepancy is impacting our security analysis
> and compliance processes.
You haven't told us what the actual problems are and, even if you did, the
Tomcat committers are unlikely to spend their limited time on fixing an
issue in a third-party tool.
> Expected Outcome:
> Alignment of vulnerability scanning results between official Apache Tomcat
> distribution and javax.el repository versions of el-api.jar.
You'll have to take that up with the OWASP team.
Mark