Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 1.4.5
Report Generated On: Mar 11, 2017 at 23:57:40 EST
Dependencies Scanned: 12 (11 unique)
Vulnerable Dependencies: 1
Vulnerabilities Found: 2
Vulnerabilities Suppressed: 0
...
CurrentEngineRelease:
NVD CVE 2002: 19/02/2017 03:25:58
NVD CVE 2003: 19/02/2017 03:24:25
NVD CVE 2004: 19/02/2017 03:23:59
NVD CVE 2005: 24/02/2017 03:12:32
NVD CVE 2006: 19/02/2017 03:20:36
NVD CVE 2007: 19/02/2017 03:18:20
NVD CVE 2008: 19/02/2017 03:16:18
NVD CVE 2009: 19/02/2017 03:14:03
NVD CVE 2010: 09/02/2017 03:09:26
NVD CVE 2011: 19/02/2017 03:11:57
NVD CVE 2012: 24/02/2017 03:11:07
NVD CVE 2013: 24/02/2017 03:09:00
NVD CVE 2014: 01/03/2017 03:07:38
NVD CVE 2015: 04/03/2017 03:06:02
NVD CVE 2016: 05/03/2017 03:02:53
NVD CVE 2017: 05/03/2017 03:00:24
NVD CVE Checked: 11/03/2017 23:34:50
NVD CVE Modified: 11/03/2017 20:00:24
VersionCheckOn: 1486838497071

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	CPE	GAV	Highest Severity	CVE Count	CPE Confidence	Evidence Count
geronimo-spec-j2ee-connector-1.5-rc4.jar	cpe:/a:apache:geronimo:1.5.rc4	geronimo-spec:geronimo-spec-j2ee-connector:1.5-rc4	High	2	LOW	14
activation-1.1.jar		javax.activation:activation:1.1		0		17
mail-1.4.7.jar	cpe:/a:sun:javamail:1.4.7	javax.mail:mail:1.4.7		0	LOW	26
javax.servlet-api-3.1.0.jar		javax.servlet:javax.servlet-api:3.1.0		0		22
junit-4.12.jar		junit:junit:4.12		0		16
log4j-1.2.17.jar		log4j:log4j:1.2.17		0		18
commons-lang3-3.5.jar		org.apache.commons:commons-lang3:3.5		0		27
qpid-client-6.0.0.jar	cpe:/a:apache:qpid:6.0.0	org.apache.qpid:qpid-client:6.0.0		0	LOW	19
hamcrest-core-1.3.jar		org.hamcrest:hamcrest-core:1.3		0		17
postgresql-9.4.1212.jre7.jar	cpe:/a:postgresql:postgresql:9.4.1212.jre7	org.postgresql:postgresql:9.4.1212.jre7		0	LOW	25
slf4j-api-1.7.7.jar		org.slf4j:slf4j-api:1.7.7		0		20

Dependencies

geronimo-spec-j2ee-connector-1.5-rc4.jar

File Path: C:\Users\Dad\.m2\repository\geronimo-spec\geronimo-spec-j2ee-connector\1.5-rc4\geronimo-spec-j2ee-connector-1.5-rc4.jar
MD5: 6a2ccbc1d0af6329c00b2089ae1a31d7
SHA1: 2f5310631817f11c5b170d3a0084a58766d49269
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	geronimo-spec-j2ee-connector
central	groupid	geronimo-spec
central	version	1.5-rc4
file	name	geronimo-spec-j2ee-connector
file	version	1.5.rc4
Manifest	extension-name	geronimo-spec-j2ee-connector
Manifest	Implementation-Title	javax.resource
Manifest	Implementation-Vendor	Apache Software Foundation
Manifest	Implementation-Version	1.5-rc4
Manifest	specification-title	J2EE Connector Architecture
Manifest	specification-vendor	Apache Software Foundation
pom	artifactid	geronimo-spec-j2ee-connector
pom	groupid	geronimo-spec
pom	version	1.5-rc4

Identifiers

cpe: cpe:/a:apache:geronimo:1.5.rc4 Confidence:LOW
maven: geronimo-spec:geronimo-spec-j2ee-connector:1.5-rc4 Confidence:HIGHEST

Published Vulnerabilities

CVE-2011-5034

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Vulnerable Software & Versions: (show all)

cpe:/a:apache:geronimo:2.2.1 and all previous versions
...
cpe:/a:apache:geronimo:1.0
cpe:/a:apache:geronimo:1.1
cpe:/a:apache:geronimo:1.1.1
cpe:/a:apache:geronimo:1.2
cpe:/a:apache:geronimo:2.0.1
cpe:/a:apache:geronimo:2.0.2
cpe:/a:apache:geronimo:2.1
cpe:/a:apache:geronimo:2.1.1
cpe:/a:apache:geronimo:2.1.2
cpe:/a:apache:geronimo:2.1.3
cpe:/a:apache:geronimo:2.1.4
cpe:/a:apache:geronimo:2.1.5
cpe:/a:apache:geronimo:2.1.6
cpe:/a:apache:geronimo:2.1.7
cpe:/a:apache:geronimo:2.1.8
cpe:/a:apache:geronimo:2.2
cpe:/a:apache:geronimo:2.2.1 and all previous versions

CVE-2008-0732

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.

SUSE - SUSE-SR:2008:003

Vulnerable Software & Versions:

cpe:/a:apache:geronimo

activation-1.1.jar

Description: JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html

File Path: C:\Users\Dad\.m2\repository\javax\activation\activation\1.1\activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	activation
central	groupid	javax.activation
central	version	1.1
file	name	activation
file	version	1.1
Manifest	extension-name	javax.activation
Manifest	Implementation-Vendor	Sun Microsystems, Inc.
Manifest	Implementation-Vendor-Id	com.sun
Manifest	Implementation-Version	1.1
Manifest	specification-title	JavaBeans(TM) Activation Framework Specification
Manifest	specification-vendor	Sun Microsystems, Inc.
pom	artifactid	activation
pom	description	JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
pom	groupid	javax.activation
pom	name	JavaBeans Activation Framework (JAF)
pom	url	http://java.sun.com/products/javabeans/jaf/index.jsp
pom	version	1.1

Identifiers

maven: javax.activation:activation:1.1 Confidence:HIGHEST

mail-1.4.7.jar

Description: JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: C:\Users\Dad\.m2\repository\javax\mail\mail\1.4.7\mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	mail
central	groupid	javax.mail
central	version	1.4.7
file	name	mail
file	version	1.4.7
manifest	Bundle-Description	JavaMail API (compat)
Manifest	bundle-docurl	http://www.oracle.com
Manifest	Bundle-Name	JavaMail API (compat)
Manifest	bundle-symbolicname	javax.mail
Manifest	extension-name	javax.mail
Manifest	Implementation-Title	javax.mail
Manifest	Implementation-Vendor	Oracle
Manifest	Implementation-Vendor-Id	com.sun
Manifest	Implementation-Version	1.4.7
Manifest	originally-created-by	1.7.0_15 (Oracle Corporation)
Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml
Manifest	specification-title	JavaMail(TM) API Design Specification
Manifest	specification-vendor	Oracle
Manifest (hint)	Implementation-Vendor	sun
Manifest (hint)	specification-vendor	sun
pom	artifactid	mail
pom	groupid	javax.mail
pom	name	JavaMail API (compat)
pom	parent-artifactid	all
pom	parent-groupid	com.sun.mail
pom	version	1.4.7

Identifiers

cpe: cpe:/a:sun:javamail:1.4.7 Confidence:LOW
maven: javax.mail:mail:1.4.7 Confidence:HIGHEST

javax.servlet-api-3.1.0.jar

Description: Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html

File Path: C:\Users\Dad\.m2\repository\javax\servlet\javax.servlet-api\3.1.0\javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	javax.servlet-api
central	groupid	javax.servlet
central	version	3.1.0
file	name	javax.servlet-api
file	version	3.1.0
manifest	Bundle-Description	Java(TM) Servlet 3.1 API Design Specification
Manifest	bundle-docurl	https://glassfish.dev.java.net
Manifest	Bundle-Name	Java Servlet API
Manifest	bundle-symbolicname	javax.servlet-api
Manifest	extension-name	javax.servlet
Manifest	Implementation-Vendor	GlassFish Community
Manifest	Implementation-Vendor-Id	org.glassfish
Manifest	Implementation-Version	3.1.0
Manifest	specification-vendor	Oracle Corporation
pom	artifactid	javax.servlet-api
pom	groupid	javax.servlet
pom	name	Java Servlet API
pom	organization name	https://glassfish.dev.java.net
pom	parent-artifactid	jvnet-parent
pom	parent-groupid	net.java
pom	url	http://servlet-spec.java.net
pom	version	3.1.0

Identifiers

maven: javax.servlet:javax.servlet-api:3.1.0 Confidence:HIGHEST

junit-4.12.jar

Description: JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html

File Path: C:\Users\Dad\.m2\repository\junit\junit\4.12\junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	junit
central	groupid	junit
central	version	4.12
file	name	junit
file	version	4.12
Manifest	Implementation-Title	JUnit
Manifest	Implementation-Vendor	JUnit
Manifest	Implementation-Vendor-Id	junit
Manifest	Implementation-Version	4.12
pom	artifactid	junit
pom	description	JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
pom	groupid	junit
pom	name	JUnit
pom	organization name	http://www.junit.org
pom	url	http://junit.org
pom	version	4.12

Identifiers

maven: junit:junit:4.12 Confidence:HIGHEST

log4j-1.2.17.jar

Description: Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	log4j
central	groupid	log4j
central	version	1.2.17
file	name	log4j
file	version	1.2.17
manifest	Bundle-Description	Apache Log4j 1.2
Manifest	bundle-docurl	http://logging.apache.org/log4j/1.2
Manifest	Bundle-Name	Apache Log4j
Manifest	bundle-symbolicname	log4j
manifest: org.apache.log4j	Implementation-Title	log4j
manifest: org.apache.log4j	Implementation-Vendor	"Apache Software Foundation"
pom	artifactid	log4j
pom	description	Apache Log4j 1.2
pom	groupid	log4j
pom	name	Apache Log4j
pom	organization name	http://www.apache.org
pom	url	http://logging.apache.org/log4j/1.2/
pom	version	1.2.17

Identifiers

maven: log4j:log4j:1.2.17 Confidence:HIGHEST

commons-lang3-3.5.jar

Description: Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Dad\.m2\repository\org\apache\commons\commons-lang3\3.5\commons-lang3-3.5.jar
MD5: 780b5a8b72eebe6d0dbff1c11b5658fa
SHA1: 6c6c702c89bfff3cd9e80b04d668c5e190d588c6
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	commons-lang3
central	groupid	org.apache.commons
central	version	3.5
file	name	commons-lang3
file	version	3.5
manifest	Bundle-Description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/
Manifest	Bundle-Name	Apache Commons Lang
Manifest	bundle-symbolicname	org.apache.commons.lang3
Manifest	implementation-build	release@r36f98d87b24c2f542b02abbf6ec1ee742f1b158b; 2016-10-13 19:52:17+0000
Manifest	Implementation-Title	Apache Commons Lang
Manifest	implementation-url	http://commons.apache.org/proper/commons-lang/
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache
Manifest	Implementation-Version	3.5
Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
Manifest	specification-title	Apache Commons Lang
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	commons-lang3
pom	description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
pom	groupid	apache.commons
pom	groupid	org.apache.commons
pom	name	Apache Commons Lang
pom	parent-artifactid	commons-parent
pom	parent-groupid	org.apache.commons
pom	url	http://commons.apache.org/proper/commons-lang/
pom	version	3.5

Identifiers

maven: org.apache.commons:commons-lang3:3.5 Confidence:HIGHEST

qpid-client-6.0.0.jar

Description: JMS client supporting AMQP 0-8, 0-9, 0-9-1 and 0-10.

File Path: C:\Users\Dad\.m2\repository\org\apache\qpid\qpid-client\6.0.0\qpid-client-6.0.0.jar
MD5: 244a004182de831f2ff3774dbac2741f
SHA1: 0a4c3e81e2c4777bf3d50c293391831a5dd1acf9
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	qpid-client
central	groupid	org.apache.qpid
central	version	6.0.0
file	name	qpid-client
file	version	6.0.0
Manifest	Implementation-Title	Qpid AMQP 0-x JMS Client
Manifest	Implementation-Vendor	The Apache Software Foundation
Manifest	Implementation-Vendor-Id	org.apache.qpid
Manifest	Implementation-Version	6.0.0
Manifest	specification-title	Qpid AMQP 0-x JMS Client
Manifest	specification-vendor	The Apache Software Foundation
pom	artifactid	qpid-client
pom	description	JMS client supporting AMQP 0-8, 0-9, 0-9-1 and 0-10.
pom	groupid	apache.qpid
pom	groupid	org.apache.qpid
pom	name	Qpid AMQP 0-x JMS Client
pom	parent-artifactid	qpid-java-build
pom	parent-groupid	org.apache.qpid
pom	version	6.0.0

Related Dependencies

Identifiers

cpe: cpe:/a:apache:qpid:6.0.0 Confidence:LOW
maven: org.apache.qpid:qpid-client:6.0.0 Confidence:HIGHEST

hamcrest-core-1.3.jar

Description: This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes the a foundation set of matcher implementations for common operations.

File Path: C:\Users\Dad\.m2\repository\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	hamcrest-core
central	groupid	org.hamcrest
central	version	1.3
file	name	hamcrest-core
file	version	1.3
Manifest	built-date	2012-07-09 19:49:34
Manifest	Implementation-Title	hamcrest-core
Manifest	Implementation-Vendor	hamcrest.org
Manifest	Implementation-Version	1.3
pom	artifactid	hamcrest-core
pom	description	This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes the a foundation set of matcher implementations for common operations.
pom	groupid	hamcrest
pom	groupid	org.hamcrest
pom	name	Hamcrest Core
pom	parent-artifactid	hamcrest-parent
pom	parent-groupid	org.hamcrest
pom	version	1.3

Identifiers

maven: org.hamcrest:hamcrest-core:1.3 Confidence:HIGHEST

postgresql-9.4.1212.jre7.jar

Description: Java JDBC 4.1 (JRE 7+) driver for PostgreSQL database

License:

http://www.postgresql.org/about/licence/

File Path: C:\Users\Dad\.m2\repository\org\postgresql\postgresql\9.4.1212.jre7\postgresql-9.4.1212.jre7.jar
MD5: 8681ad73ea0de09c3d8a6dfb0470412f
SHA1: 7101612950488be0ff6882bcc27aa0f0a4c202dd
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	postgresql
central	groupid	org.postgresql
central	version	9.4.1212.jre7
file	name	postgresql
file	version	9.4.1212.jre7
Manifest	bundle-copyright	Copyright (c) 2003-2015, PostgreSQL Global Development Group
manifest	Bundle-Description	Java JDBC 4.1 (JRE 7+) driver for PostgreSQL database
Manifest	bundle-docurl	http://jdbc.postgresql.org/
Manifest	Bundle-Name	PostgreSQL JDBC Driver JDBC41
Manifest	bundle-symbolicname	org.postgresql.jdbc41
Manifest	Implementation-Title	PostgreSQL JDBC Driver - JDBC 4.1
Manifest	Implementation-Vendor	PostgreSQL Global Development Group
Manifest	Implementation-Vendor-Id	org.postgresql
Manifest	Implementation-Version	9.4.1212.jre7
Manifest	require-capability	osgi.ee;filter:="(&(\|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.7))"
Manifest	specification-title	JDBC
Manifest	specification-vendor	Oracle Corporation
pom	artifactid	postgresql
pom	description	Java JDBC 4.1 (JRE 7+) driver for PostgreSQL database
pom	groupid	org.postgresql
pom	groupid	postgresql
pom	name	PostgreSQL JDBC Driver - JDBC 4.1
pom	parent-artifactid	pgjdbc-core-prevjre
pom	parent-groupid	org.postgresql
pom	version	9.4.1212.jre7

Identifiers

cpe: cpe:/a:postgresql:postgresql:9.4.1212.jre7 Confidence:LOW
maven: org.postgresql:postgresql:9.4.1212.jre7 Confidence:HIGHEST

slf4j-api-1.7.7.jar

Description: The slf4j API

File Path: C:\Users\Dad\.m2\repository\org\slf4j\slf4j-api\1.7.7\slf4j-api-1.7.7.jar
MD5: ca4280bf93d64367723ae5c8d42dd0b9
SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
Referenced In Project/Scope: fgsms Common WS Test Utilities:compile

Evidence

Source	Name	Value
central	artifactid	slf4j-api
central	groupid	org.slf4j
central	version	1.7.7
file	name	slf4j-api
file	version	1.7.7
manifest	Bundle-Description	The slf4j API
Manifest	Bundle-Name	slf4j-api
Manifest	bundle-requiredexecutionenvironment	J2SE-1.3
Manifest	bundle-symbolicname	slf4j.api
Manifest	Implementation-Title	slf4j-api
Manifest	Implementation-Version	1.7.7
pom	artifactid	slf4j-api
pom	description	The slf4j API
pom	groupid	org.slf4j
pom	groupid	slf4j
pom	name	SLF4J API Module
pom	parent-artifactid	slf4j-parent
pom	parent-groupid	org.slf4j
pom	url	http://www.slf4j.org
pom	version	1.7.7

Identifiers

maven: org.slf4j:slf4j-api:1.7.7 Confidence:HIGHEST

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: fgsms Common WS Test Utilities

Dependencies

geronimo-spec-j2ee-connector-1.5-rc4.jar

Evidence

Identifiers

Published Vulnerabilities

activation-1.1.jar

Evidence

Identifiers

mail-1.4.7.jar

Evidence

Identifiers

javax.servlet-api-3.1.0.jar

Evidence

Identifiers

junit-4.12.jar

Evidence

Identifiers

log4j-1.2.17.jar

Evidence

Identifiers

commons-lang3-3.5.jar

Evidence

Identifiers

qpid-client-6.0.0.jar

Evidence

Related Dependencies

Identifiers

hamcrest-core-1.3.jar

Evidence

Identifiers

postgresql-9.4.1212.jre7.jar

Evidence

Identifiers

slf4j-api-1.7.7.jar

Evidence

Identifiers