Hi Chris/Team,

Please find the below identifier on OWASP Dependency Checker Tool report for Tomcat-el-api.jar and el-api.jar.

Tomcat-el-api.jar

Identifiers

* cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:* <https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Atomcat&cpe_version=cpe%3A%2F%3Aapache%3Atomcat%3A6.0.0> (Confidence:Medium) suppress
* cpe:2.3:a:apache_tomcat:apache_tomcat:11.0.10:*:*:*:*:*:*:* (Confidence:Low) suppress

el-api.jar

Identifiers

* cpe:2.3:a:eclipse:jakarta_expression_language:6.0.0:*:*:*:*:*:*:* (Confidence:Low) suppress

Thanks and Regards,
S Sathish S

On 2025/11/07 16:43:43 Christopher Schultz wrote:
> Sathish,
>
> On 11/6/25 4:17 AM, S Sathish S wrote:
> > Issue Description:
> > We are experiencing false positive vulnerability alerts when using
> > el-api.jar from the official Apache Tomcat distribution
> > (https://archive.apache.org/dist/tomcat/tomcat-11/v11.0.10/bin/) and Maven
> > repository (https://repo.maven.apache.org/maven2/org/apache/tomcat/) with
> > OWASP Dependency Checker.
> >
> > However, the identical version of el-api.jar obtained from the javax.el
> > repository (https://mvnrepository.com/artifact/javax.el/el-api) produces no
> > vulnerability alerts in the same OWASP Dependency Checker analysis.
>
> Please provide the detection analysis from OWASP Dependency Checker. I'm
> looking for the "identifiers" that OWASP has used to identify your library.
>
> For example, for commons-beanutils:
>
> Identifiers
>
> pkg:maven/commons-beanutils/[email protected] (Confidence:High)
> cpe:2.3:a:apache:commons_beanutils:1.11.0:*:*:*:*:*:*:*
> (Confidence:Highest)
>
>
> What does it show for el-api.jar?
>
> -chris
