The TomEE Patch Plugin doesn't rewrite the content of the manifest files ;-)

You could check the file hashes or the related classes, which required patching.

Regards
Richard

On 13 November 2023 17:42:18 CET, COURTAULT Francois 
<francois.courta...@thalesgroup.com.INVALID> wrote:
>THALES GROUP LIMITED DISTRIBUTION to email recipients 
>
>Hello Jonathan
>
>You wrote:
>" > One comment I'll make though, is that NexusIQ (I also use it) will 
>> potentially still identify the jars as Tomcat 10.0.27, and therefore 
>> may still identify them as vulnerable (incorrectly), despite a patch 
>> being applied."
>
>I have checked the MANIFEST.MF file of the Tomcat and Catalina libraries 
>inside TomEE 9.1.1 and 
>all of them have Implementation-Version: 10.0.27 and sometimes Bundle-Version: 
>10.0.27.
>
>Best Regards.
>
>-----Original Message-----
>From: Vicente Rossello <cocorosse...@gmail.com> 
>Sent: Monday 13 November 2023 16:16
>To: users@tomee.apache.org
>Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is quite old ...
>
>Hi,
>
>I was also wondering about this outdated tomcat.
>
>I was trying to move to tomee 9.1, but I realized that we depend on some 
>tomcat features that are not present on tomcat 10.x.
>
>So I guess we have to move from tomee 8 all the way to tomee 10. So, also 
>checking on the 10.x branch, I see that it depends on eclipselink 3.0.3, but I 
>guess that this is temporary and it will be upgraded to eclipselink 4.x, since 
>this is the version compatible with jakarta 10.
>
>This jakarta migration seems like a huge and risky task, every time I try to 
>attempt it I find new obstacles (this is not criticism of course, just saying).
>
>On Mon, Nov 13, 2023 at 4:00 PM Jonathan Gallimore < 
>jonathan.gallim...@gmail.com> wrote:
>
>> I will check on the state of these CVEs with respect to the backports, 
>> and reply on this thread.
>>
>> One comment I'll make though, is that NexusIQ (I also use it) will 
>> potentially still identify the jars as Tomcat 10.0.27, and therefore 
>> may still identify them as vulnerable (incorrectly), despite a patch 
>> being applied.
>>
>> While I understand the frustration that may cause both yourself and 
>> your customers, please understand that both Tomcat and TomEE are 
>> community projects, and everyone contributing is doing so as a volunteer.
>>
>> Richard has already outlined why we can't move to Tomcat 10.1.x on 
>> TomEE 9.x. TomEE 10.x is in progress. Any contributions you wanted to 
>> make would be most welcome.
>>
>> Jon
>>
>> On Mon, Nov 13, 2023 at 1:29 PM COURTAULT Francois 
>> <francois.courta...@thalesgroup.com.invalid> wrote:
>>
>> > THALES GROUP LIMITED DISTRIBUTION to email recipients
>> >
>> > Hello Richard,
>> >
>> > I performed a vulnerabilities scan using NexusIQ, the results are:
>> >     - CVE-2022-45143 (CVSS 3 scoring 7.5) on  tomcat-catalina : 10.0.27
>> >     - CVE-2023-24998 (CVSS 3 scoring 7.5) on tomcat-coyote : 10.0.27
>> >
>> > Some of our customers won't accept that ☹
>> >
>> > BTW I also scanned Tomcat 10.1.15 with the same tool and I no longer
>> > have such CVSS 3 scores.
>> > So will you start TomEE 10.x at some point ?
>> >
>> > Best Regards.
>> >
>> > -----Original Message-----
>> > From: Richard Zowalla <r...@apache.org>
>> > Sent: Monday 13 November 2023 12:53
>> > To: users@tomee.apache.org
>> > Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is 
>> > quite old ...
>> >
>> > Hi,
>> >
>> > the Tomcat 10.0.27 contained in TomEE 9.1.x is patched inside the 
>> > TomEE build to fix the latest CVEs. We did not backport bug fixes, though.
>> >
>> > As TomEE 9 targets EE9(.1), we cannot upgrade to Tomcat 10.1.x, 
>> > which is EE10. So from a spec perspective, there is currently no 
>> > plan to migrate TomEE 9.x to Tomcat 10.1.x (without breaking the tck).
>> >
>> > Regards
>> > Richard
>> >
>> >
>> > On Monday, 13.11.2023 at 11:30 +0000, COURTAULT Francois wrote:
>> > > THALES GROUP LIMITED DISTRIBUTION to email recipients
>> > >
>> > > Hello everyone,
>> > >
>> > > According to this link
>> > > https://tomcat.apache.org/tomcat-10.0-eol.html  Tomcat 10.0.x is 
>> > > EOL, right?
>> > > But TomEE 9.1.1 still relies on Tomcat 10.0.x.
>> > >
>> > > Any plan to migrate TomEE 9.x to Tomcat 10.1.x ?
>> > >
>> > > Best Regards.
>> > >
>> > >
>> > >
>> >
>>

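An added illustration of the point Jon and Richard make in the thread above. This is example code written for this page; it is not part of the mailing-list discussion, and it is neither the TomEE Patch Plugin nor anything NexusIQ does. It shows why a scanner that identifies a jar by its MANIFEST.MF Implementation-Version / Bundle-Version cannot tell a stock Tomcat 10.0.27 jar from a patched one, and what Richard's alternative looks like in practice: hashing the individual class entries and diffing them against the upstream artifact. The two jars, the org/example class names and their byte contents are constructed in-memory stand-ins, not real Tomcat classes or real patches.

```python
import hashlib
import io
import zipfile

# Fixed timestamp so that two builds of identical content produce byte-identical jars
# (zipfile would otherwise stamp the current time into every entry).
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_jar(impl_version, entries):
    """Build a constructed sample jar in memory. Not a real Tomcat artifact."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Implementation-Version: {impl_version}\r\n"
        f"Bundle-Version: {impl_version}\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", FIXED_TIME), manifest)
        for name, body in entries.items():
            zf.writestr(zipfile.ZipInfo(name, FIXED_TIME), body)
    return buf.getvalue()


def read_manifest(jar_bytes):
    """Parse the main section of META-INF/MANIFEST.MF into a dict.

    Real manifests wrap lines at 72 bytes; a continuation line starts with a single
    space and is appended to the previous attribute, which this handles.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if line == "":
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def entry_hashes(jar_bytes, suffix=".class"):
    """SHA-256 of the decompressed content of every entry ending in `suffix`."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if info.filename.endswith(suffix)
        }


def compare_jars(reference, candidate):
    """Contrast the version-string view of two jars with a content-hash view."""
    ref_hashes = entry_hashes(reference)
    cand_hashes = entry_hashes(candidate)
    changed = sorted(
        name
        for name in set(ref_hashes) | set(cand_hashes)
        if ref_hashes.get(name) != cand_hashes.get(name)
    )
    return {
        "same_version_string": read_manifest(reference).get("Implementation-Version")
        == read_manifest(candidate).get("Implementation-Version"),
        "same_jar_hash": hashlib.sha256(reference).digest()
        == hashlib.sha256(candidate).digest(),
        "changed_classes": changed,
    }


# Constructed sample data: a "stock" jar and a "patched" jar that both claim 10.0.27.
# The class names and bytecode stand-ins are invented for this example.
STOCK_CLASSES = {
    "org/example/Handler.class": b"\xca\xfe\xba\xbe stock handler (constructed)",
    "org/example/Util.class": b"\xca\xfe\xba\xbe util (constructed)",
}
PATCHED_CLASSES = dict(
    STOCK_CLASSES,
    **{"org/example/Handler.class": b"\xca\xfe\xba\xbe patched handler (constructed)"},
)
STOCK_JAR = build_jar("10.0.27", STOCK_CLASSES)
PATCHED_JAR = build_jar("10.0.27", PATCHED_CLASSES)

if __name__ == "__main__":
    print(read_manifest(PATCHED_JAR))
    print(compare_jars(STOCK_JAR, PATCHED_JAR))
```

Running it shows the scanner's view (`same_version_string` is True for both jars) next to the content view (`changed_classes` lists exactly the entry the patch touched). Two practical notes: a whole-jar hash only matches when you compare against the exact artifact the build produced, since rebuilding the zip changes timestamps and ordering, so per-class hashes against the upstream Tomcat jar are the more robust check; and a scanner is not wrong to flag a jar whose manifest says 10.0.27, which is why the evidence that a patch was applied has to come from something other than the version string.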