Hello,

[-1] (non binding)

Indeed, I downloaded TomEE+ 7.1.5 binary (from https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz) and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s archive extract directory. That gives 2 Critical and 125 High CVEs (see attached Grype output for this scan).

I agree with whoever will say that Grype isn't quite smart, but nevertheless the world is now paranoid with security matters. I don't think releasing a "last 7.1.x" version with CVEs would be of any good, so Grype's output is all false positive, then at least we need a statement to avoid confusion in this page: https://tomee.apache.org/security/tomee.html

Please also note in the attached Grype output the Warning lines related to archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow malformed MANIFEST?

Thanks,
Alex

On Mon, Aug 1, 2022 at 19:35, Richard Zowalla <r...@apache.org> wrote:

> Hi all,
>
> this is a first attempt at a vote for a release of Apache TomEE 7.1.5
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades for which there was some interest on the list.
>
> Yet, a discussion, if this will be the last release of the 7.1.x
> series, is pending.
>
> Here are some infos:
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1206
>
> <repositories>
>   <repository>
>     <id>tomee-7.1.5-release-test</id>
>     <name>Testing TomEE 7.1.5 release candidate</name>
>     <url>https://repository.apache.org/content/repositories/orgapachetomee-1206</url>
>   </repository>
> </repositories>
>
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
>
> Tag:
> https://github.com/apache/tomee/tree/tomee-project-7.1.5
>
> Latest (green) CI/CD build:
> https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
>
> Release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959] jackson 2.12.0
> - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941] ActiveMQ 5.16.5
> - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772] JUnit 4.13.2
> - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979] MyFaces 2.2.14
> - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016] Myfaces 2.2.15
> - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958] Tomcat 8.5.61
> - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017] Tomcat 8.5.81
> - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939] bcprov-jdk15on 1.67
> - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719] commons-io 2.8
>
> == Bug
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919] java.util.ConcurrentModificationException error deploying ear in TomEE Plus 7.1.4
> - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968] Postgres connection error when a password contains "}"
> - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125] Datasource config: MaxWait, timeBetweenEvictionRunsMillis and MinEvictableIdleTimeMillis are ignored
> - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718] Missing mime mappings
>
> == Improvement
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957] Fix OWASP Checks on ASF Jenkins Environment
> - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973] TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of commons-lang3
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard

[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache.xbean.asm6.signature;version=\"[6.1.1,6.1.1]\"," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache.xbean.asm6.commons;version=\"[6.1.1,6.1.1]\"," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache.xbean.asm6.tree;version=\"[6.1.1,6.1.1]\"" from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache.xbean.asm6;version=6.1.1," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache." from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " xbean.asm6.signature;version=6.1.1," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache.xbean.asm6" from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " .commons;version=6.1.1," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " org.apache.xbean.asm6.tree;versio" from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " n=6.1.1" from-lib=syft
[0000]  WARN java manifest section found without a name: /tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar from-lib=syft
[0000]  WARN java manifest section found without a name: /tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar from-lib=syft
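
The two warning kinds in the scan output above ("found continuation with no previous key" and "section found without a name") name JAR manifest structure rules: sections are separated by blank lines, a continuation line starts with a single space and extends the header above it, and every section after the main one starts with a `Name` header. The following is an added example, not part of the original message and not Syft's code, that checks a manifest for those conditions; both sample manifests and the `org.example` package names are constructed, and it makes no claim about what the real xbean JAR contains.

```python
import zipfile

MAX_LINE_BYTES = 72  # JAR spec limit for one physical manifest line


def check_manifest(text):
    """Parse MANIFEST.MF text; return (sections, warnings).

    sections: list of dicts, main section first.
    warnings: list of (line_number or None, message) tuples.
    """
    sections, warnings = [], []
    current, last_key, in_section = {}, None, False
    for number, line in enumerate(text.splitlines(), start=1):
        if len(line.encode("utf-8")) > MAX_LINE_BYTES:
            warnings.append((number, "line longer than 72 bytes"))
        if line == "":
            # A blank line closes the current section and forgets its last key.
            if in_section:
                sections.append(current)
            current, last_key, in_section = {}, None, False
            continue
        in_section = True
        if line.startswith(" "):
            # Continuation line: belongs to the header just above it.
            if last_key is None:
                warnings.append((number, "continuation with no previous key"))
            else:
                current[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            warnings.append((number, "header without ':' separator"))
            continue
        last_key = key.strip()
        current[last_key] = value.strip()
    if in_section:
        sections.append(current)
    # Every section after the main one must be introduced by a Name header.
    for index, section in enumerate(sections[1:], start=2):
        if "Name" not in section:
            warnings.append((None, f"section {index} has no Name header"))
    return sections, warnings


def check_jar(jar):
    """Run check_manifest on META-INF/MANIFEST.MF of a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as archive:
        raw = archive.read("META-INF/MANIFEST.MF")
    return check_manifest(raw.decode("utf-8", errors="replace"))


# Constructed manifests (not taken from any real JAR).
WELL_FORMED = (
    "Manifest-Version: 1.0\n"
    "Export-Package: org.example.shaded.asm;version=1.0.0,org.example.shad\n"
    " ed.asm.tree;version=1.0.0\n"
    "\n"
    "Name: org/example/shaded/asm/Thing.class\n"
    "Content-Type: application/java-vm\n"
)
# Same kind of header, but blank lines were left inside the wrapped value.
BROKEN = (
    "Manifest-Version: 1.0\n"
    "Export-Package: org.example.shaded.asm;version=1.0.0,\n"
    "\n"
    " org.example.shaded.asm.tree;version=1.0.0\n"
    "\n"
    " org.example.shaded.asm.commons;version=1.0.0\n"
)

if __name__ == "__main__":
    for label, text in (("well-formed", WELL_FORMED), ("broken", BROKEN)):
        parsed, found = check_manifest(text)
        print(label, "-", len(parsed), "section(s)")
        for number, message in found:
            print("  line", number, "-", message)
```

A manifest that trips these checks loses part of its `Export-Package` or `Import-Package` value in any reader that follows the section rules strictly, so scanner metadata derived from it deserves a manual look before the finding is accepted or dismissed.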