Piotr,
On 11/8/25 4:39 AM, Piotr P. Karwasz wrote:
> Hi Chris,
> On 7.11.2025 17:43, Christopher Schultz wrote:
>> Please provide the detection analysis from OWASP Dependency Checker. I'm
>> looking for the "identifiers" that OWASP has used to identify your library.
>> For example, for commons-beanutils:
>> Identifiers
>> pkg:maven/commons-beanutils/commons-beanutils@1.11.0 (Confidence:High)
>> cpe:2.3:a:apache:commons_beanutils:1.11.0:*:*:*:*:*:*:* (Confidence:Highest)
>> What does it show for el-api.jar?
> *TL;DR:* Sathish is most likely using a repackaged version of
> `el-api.jar`, not the original Tomcat artifact.
I agree. I wanted to walk him through the process to discover this
himself :)
> I ran OWASP Dependency-Check 12.1.1 against Tomcat 11.0.10 (the same
> setup as the OP). Dependency-Check identifies el-api.jar with high
> confidence as:
> pkg:maven/org.apache.tomcat/tomcat-el-api@11.0.10
> and no other identifiers.
> Since Tomcat builds are reproducible, the JAR is easily verifiable by
> its SHA-1:
> https://search.maven.org/solrsearch/select?q=1:0cf38ceee2c2f23aa28dd121253f019a4ad1186a
+1
> When I modify the JAR, Dependency-Check falls back to some CPE
> identifiers, which of course report all CVEs in Tomcat 11.0.10 *and* 6.0.0:
> cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
> cpe:2.3:a:apache_tomcat:apache_tomcat:11.0.10:*:*:*:*:*:*:*
LOL Tomcat 6. I guess you have to cast a wide net if you can't decide
what something is.
I use OWASP dependency-check at $work, and we always have to tell it
that JARs aren't what it thinks they are. It's like whack-a-mole.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
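The check Piotr walks through above (read the Maven coordinates the JAR carries in its pom.properties, then confirm the JAR's SHA-1 is a published Maven Central artifact), as an added Python example. This is not code from the thread or from Dependency-Check; the JAR, the artifact coordinates (tomcat-el-api is assumed as the artifactId), the checksum table and the search response are all constructed inline so the script runs offline. The Maven Central lookup is injected as a callable; in practice you would fetch `maven_central_sha1_url(sha1)` with an HTTP client and pass the JSON body to `coordinates_from_response`.

```python
"""Added example: verify that a JAR really is the Maven Central artifact its
pom.properties claims (purl evidence + SHA-1 lookup), the check suggested in the
thread. Not Dependency-Check code; all sample data below is constructed."""
import hashlib
import io
import json
import zipfile


def build_sample_jar(group_id, artifact_id, version, extra_entries=None):
    """Constructed stand-in for a JAR: a minimal manifest plus the Maven
    pom.properties that Dependency-Check uses as purl evidence. extra_entries
    models a repackaged JAR (same coordinates, different bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
            f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n",
        )
        for name, data in (extra_entries or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def purl_from_jar(jar_bytes):
    """Return pkg:maven/<groupId>/<artifactId>@<version> from the first
    META-INF/maven/**/pom.properties in the JAR, or None if there is none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                return f"pkg:maven/{props['groupId']}/{props['artifactId']}@{props['version']}"
    return None


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def maven_central_sha1_url(sha1):
    """The search-by-checksum URL form used in the thread (q=1:<sha1>)."""
    return f"https://search.maven.org/solrsearch/select?q=1:{sha1}&wt=json"


def coordinates_from_response(body):
    """Extract groupId:artifactId:version entries from a solrsearch JSON body."""
    docs = json.loads(body).get("response", {}).get("docs", [])
    return [f"{d['g']}:{d['a']}:{d['v']}" for d in docs if all(k in d for k in ("g", "a", "v"))]


def classify(jar_bytes, lookup):
    """lookup(sha1) -> list of 'g:a:v' coordinates known for that checksum.
    Returns (verdict, purl, sha1, matches)."""
    purl = purl_from_jar(jar_bytes)
    digest = sha1_hex(jar_bytes)
    matches = lookup(digest)
    if purl is None:
        verdict = "no-pom-evidence"   # nothing to pin it to; a scanner has to guess
    elif matches:
        verdict = "verified"          # the bytes are a published artifact
    else:
        verdict = "unverified"        # claims coordinates but is not the published bytes
    return verdict, purl, digest, matches


if __name__ == "__main__":
    # Constructed data: this checksum table is NOT the real Maven Central index.
    original = build_sample_jar("org.apache.tomcat", "tomcat-el-api", "11.0.10")
    known = {sha1_hex(original): ["org.apache.tomcat:tomcat-el-api:11.0.10"]}
    repackaged = build_sample_jar("org.apache.tomcat", "tomcat-el-api", "11.0.10",
                                  {"com/example/Extra.class": b"\xca\xfe\xba\xbe"})
    for label, jar in (("original", original), ("repackaged", repackaged)):
        verdict, purl, digest, matches = classify(jar, lambda h: known.get(h, []))
        print(f"{label}: {verdict} purl={purl} sha1={digest} central={matches or '-'}")
        print("  lookup:", maven_central_sha1_url(digest))
```

The repackaged JAR keeps the same pom.properties, so the purl evidence alone says nothing; only the checksum comparison shows that it is not the Tomcat artifact, which is why the SHA-1 search is the decisive step.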