Hello everyone,

When I build axis2 as root the build now completes OK (avoiding that strange permission denied problem). So I am now able to do a full OWASP and Maven dependency tree analysis. I am pleased to say that this shows that the CVEs from Tomcat 6 are gone, since it now depends on Tomcat 10. Great! However, the dependency on the ant-plugin seems to have crept back in. Below are the CVEs reported by OWASP:

axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/[email protected], cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/[email protected], cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
axis2-xmlbeans-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/[email protected], cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/[email protected], cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
commons-httpclient-3.1.jar (pkg:maven/commons-httpclient/[email protected], cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*, cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
failureaccess-1.0.1.jar (pkg:maven/com.google.guava/[email protected], cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908
org.eclipse.ui.ide-3.17.100.v20200530-0835.jar (pkg:maven/osgi.bundle/[email protected], cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*, cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271
org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar (pkg:maven/osgi.bundle/[email protected], cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) : CVE-2008-7271
taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/[email protected], cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/[email protected], cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926

--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk
