Hi, well, but the thing is, if I ONLY check ehCache stand-alone I have the same result. (And in this case, without the rest of the distribution, the scanner cannot reference any other lib.)

If I had to make an educated guess and have a look into the jar file, I would say the scanner finds for example <jar-file>\rest-management-private-classpath\com\fasterxml\jackson and so on and complains about that being integrated. Same goes with jetty. So, anyone an idea what to do?

Chris

On Mon, 11 Nov 2019 at 17:32, Colm O hEigeartaigh <cohei...@apache.org> wrote:

> I'm not sure why the scanner is associating Jackson CVEs with EhCache? In
> any case, the latest CXF release (3.3.4) uses Jackson 2.9.10.
>
> Colm.
>
> On Mon, Nov 11, 2019 at 7:19 AM Christoph Weser <
> christoph.wese...@googlemail.com> wrote:
>
> > Hey Colm,
> >
> > I know. We're also using OWASP and there are no complaints.
> > Customer is using the quite widely spread Nexus Vulnerability scanner.
> > (You can download that one, start it locally and let it analyze files, and
> > you'll get the report via mail.)
> >
> > For ehCache 2.10.6 it complains about:
> >
> > CVE-2018-14721
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > CVE-2018-14718
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > CVE-2018-14719
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > CVE-2018-14720
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > SONATYPE-2017-0312
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > CVE-2019-10241
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > CVE-2019-10246
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > CVE-2019-10247
> > [maven] net.sf.ehcache : ehcache : 2.10.6
> >
> > Most is about jackson databinding in jetty.
> > So I'm really not completely sure what to do.
> >
> > Any way to get around this?
> >
> > Christoph
> >
> > On Fri, 8 Nov 2019 at 16:02, Colm O hEigeartaigh <
> > cohei...@apache.org> wrote:
> >
> >> Hi,
> >>
> >> What are the known vulnerabilities in ehcache 2.10.6? The Owasp maven
> >> dependency checker isn't detecting any issues.
> >>
> >> There is a JIRA for the next WSS4J release to migrate to EhCache 3; once
> >> we pick this up then we can update CXF as well -
> >> https://issues.apache.org/jira/browse/WSS-632
> >>
> >> Colm.
> >>
> >> On Fri, Nov 8, 2019 at 12:24 PM Christoph Weser
> >> <christoph.wese...@googlemail.com.invalid> wrote:
> >>
> >> > Hello,
> >> >
> >> > as this is my first question, please forgive me if this is the wrong
> >> > list for my question. Any hint towards the right one is appreciated.
> >> >
> >> > We're using Apache 3.1.4 (Yes, I know it's quite old.).
> >> > Deploying that, the package also contains ehCache 2.10.4.
> >> >
> >> > Customer is now complaining about several vulnerabilities found in
> >> > ehCache 2.10.4.
> >> > As I looked at the newest release of Apache CXF I saw that also in that
> >> > one ehCache 2.10.6 is used, which still has several known vulnerabilities,
> >> > and so not even going to the newest release would solve these issues.
> >> >
> >> > As we're using WS security it seems that this reference is needed.
> >> >
> >> > So does anyone see a way of getting around that?
> >> >
> >> > Thanks a lot,
> >> > Chris
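The guess above (the scanner matching Jackson and Jetty classes that ehcache repackages under rest-management-private-classpath) can be confirmed by inventorying the jar itself. The script below is an added example, not code from this thread or from ehcache or CXF; the `rest-management-private-classpath/com/fasterxml/jackson` path comes from the thread, while the Jetty prefix `org/eclipse/jetty/` and the sample jar contents are this example's assumptions.

```python
"""List third-party packages bundled under a private classpath directory
inside a jar (a jar is a zip archive). This is the triage check for a
scanner that attributes Jackson/Jetty CVEs to ehcache: if the classes are
physically inside ehcache.jar, the match is on bundled code, not on a
declared Maven dependency, and upgrading Jackson in the pom will not change
the finding.

Added example; the sample jar is constructed in memory so it runs offline.
"""
import io
import zipfile
from collections import defaultdict

PRIVATE_DIR = "rest-management-private-classpath/"  # directory named in the thread

# Package prefixes a scanner would match against its vulnerability feed.
# Jackson's prefix is from the thread; the Jetty prefix is an assumption.
KNOWN_PREFIXES = {
    "com/fasterxml/jackson/": "jackson",
    "org/eclipse/jetty/": "jetty",
}


def bundled_packages(jar_bytes, private_dir=PRIVATE_DIR):
    """Return {library: number_of_class_files} for known third-party
    prefixes found under private_dir. Only .class entries are counted."""
    counts = defaultdict(int)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.startswith(private_dir) or not name.endswith(".class"):
                continue
            inner = name[len(private_dir):]
            for prefix, lib in KNOWN_PREFIXES.items():
                if inner.startswith(prefix):
                    counts[lib] += 1
    return dict(counts)


def build_sample_jar():
    """Constructed sample: an ehcache-like jar with its own classes plus
    repackaged Jackson and Jetty classes in the private classpath."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in (
            "net/sf/ehcache/Cache.class",
            "rest-management-private-classpath/com/fasterxml/jackson/databind/ObjectMapper.class",
            "rest-management-private-classpath/com/fasterxml/jackson/core/JsonParser.class",
            "rest-management-private-classpath/org/eclipse/jetty/server/Server.class",
            "rest-management-private-classpath/META-INF/MANIFEST.MF",
        ):
            jar.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, n in sorted(bundled_packages(build_sample_jar()).items()):
        print(f"{lib}: {n} bundled class file(s)")
```

Point `bundled_packages` at the bytes of the real ehcache jar from the CXF distribution to see which repackaged libraries the scanner is actually keying on.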