THALES GROUP LIMITED DISTRIBUTION to email recipients

Hello everyone,

Quite recently I ran NexusIQ on TomEE Plus 8.0.15. The tool reports a vulnerability on commons-collections-3.2.1. Issue: in the TomEE delivery there is no commons-collections-3.2.1 ☹ So we opened a ticket with NexusIQ support. You have to know that the tool uses Maven Central for its processing.

If I download commons-collections-3.2.2.jar from this repo and run sha1 on it, I get 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5. Now, if I take the one inside TomEE and run sha1 on it, I get bd3c432b046a303c22a1915a4c6f9217b4688ea6.

Then I performed a binary comparison using BeyondCompare. Result: they're the same ☹

Finally, we found the issue: the sha1 difference comes from the jar metadata. For example, the date of the files in the jar downloaded from Maven Central is 2015-11-13, whereas for the one from TomEE it is 2023-05-08. It seems that TomEE somehow repackages the libraries it is using. The side effect is that NexusIQ generates false positives. It's really annoying! Do you have a solution for that?

Best Regards.
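The effect described in the email, reproduced as an added example (this is not code from the email, from TomEE or from NexusIQ): two jars whose entries are byte-for-byte identical but were written with different timestamps get different whole-file SHA-1s, while a fingerprint computed over the entry contents alone stays the same. The jar entries, the `org/example/Demo.class` name and the manifest are constructed test data; only the two dates are taken from the email.

```python
"""Why two jars with identical class files can still have different SHA-1s.

Added example, not code from the email or from TomEE/NexusIQ. The jar entries
below are constructed test data, not real commons-collections classes.
"""
import hashlib
import io
import zipfile

# Constructed sample entries: a tiny manifest and a fake class file
# (only the 0xCAFEBABE magic number is real; the rest is padding).
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "org/example/Demo.class": bytes.fromhex("cafebabe00000034") + b"\x00" * 16,
}

# Entry timestamps mentioned in the email: Maven Central jar vs. TomEE jar.
CENTRAL_DATE = (2015, 11, 13, 0, 0, 0)
TOMEE_DATE = (2023, 5, 8, 0, 0, 0)


def build_jar(entries, date_time):
    """Build an in-memory jar (zip) from {name: bytes}, stamping every entry
    with the same date_time so only the metadata varies between builds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def archive_sha1(data):
    """What `sha1sum foo.jar` reports: the whole file, zip metadata included."""
    return hashlib.sha1(data).hexdigest()


def content_fingerprint(data):
    """SHA-1 over (entry name, SHA-1 of entry bytes) for every file entry in
    name order. Ignores timestamps, permissions, compression method, entry
    order and extra fields, so it only changes when some entry's bytes do."""
    h = hashlib.sha1()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/"):  # directory entries carry no content
                continue
            entry_sha1 = hashlib.sha1(zf.read(name)).hexdigest()
            h.update(f"{name}\x00{entry_sha1}\n".encode())
    return h.hexdigest()


def compare_jars(a, b):
    """Classify how two jars differ: whole-archive hash, content-only
    fingerprint, entries whose bytes differ or exist in only one jar, and
    entries whose bytes match but whose timestamps do not."""
    entry_diffs, timestamp_diffs = [], []
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        infos_a = {i.filename: i for i in za.infolist()}
        infos_b = {i.filename: i for i in zb.infolist()}
        for name in sorted(set(infos_a) | set(infos_b)):
            if name not in infos_a or name not in infos_b:
                entry_diffs.append(name)
            elif name.endswith("/"):
                continue
            elif za.read(name) != zb.read(name):
                entry_diffs.append(name)
            elif infos_a[name].date_time != infos_b[name].date_time:
                timestamp_diffs.append(
                    (name, infos_a[name].date_time, infos_b[name].date_time))
    return {
        "same_archive": archive_sha1(a) == archive_sha1(b),
        "same_content": content_fingerprint(a) == content_fingerprint(b),
        "entry_diffs": entry_diffs,
        "timestamp_diffs": timestamp_diffs,
    }


if __name__ == "__main__":
    central = build_jar(SAMPLE_ENTRIES, CENTRAL_DATE)
    repackaged = build_jar(SAMPLE_ENTRIES, TOMEE_DATE)
    print("archive sha1 (central):   ", archive_sha1(central))
    print("archive sha1 (repackaged):", archive_sha1(repackaged))
    report = compare_jars(central, repackaged)
    print("same content:", report["same_content"], "| same archive:", report["same_archive"])
    for name, t_a, t_b in report["timestamp_diffs"]:
        print(f"  {name}: {t_a} -> {t_b}")
```

Pointed at real files (`compare_jars(open(a, "rb").read(), open(b, "rb").read())`) this separates "same bytes, different packaging" from "different bytes", which is the distinction a whole-file hash cannot make. One caveat: if a repackaging step also rewrites META-INF/MANIFEST.MF or adds signature files, `content_fingerprint` will differ as well; in that case filter the entries to `*.class` before hashing so that only the code is compared.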