Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 6.1.6
Report Generated On: Mon, 6 Dec 2021 15:04:38 GMT
Dependencies Scanned: 24 (21 unique)
Vulnerable Dependencies: 2
Vulnerabilities Found: 2
Vulnerabilities Suppressed: 0
...
NVD CVE Checked: 2021-12-06T15:04:04
NVD CVE Modified: 2021-12-06T13:00:01
VersionCheckOn: 2021-12-06T15:04:04

Summary

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
commons-codec-1.10.jar		pkg:maven/commons-codec/commons-codec@1.10		0		40
commons-compress-1.21.jar	cpe:2.3:a:apache:commons_compress:1.21:::::::*	pkg:maven/org.apache.commons/commons-compress@1.21		0	Highest	45
commons-io-2.5.jar	cpe:2.3:a:apache:commons_io:2.5:::::::*	pkg:maven/commons-io/commons-io@2.5	MEDIUM	1	Highest	40
commons-lang3-3.6.jar		pkg:maven/org.apache.commons/commons-lang3@3.6		0		41
commons-logging-1.2.jar		pkg:maven/commons-logging/commons-logging@1.2		0		36
httpclient-4.5.13.jar	cpe:2.3:a:apache:httpclient:4.5.13:::::::*	pkg:maven/org.apache.httpcomponents/httpclient@4.5.13		0	Highest	34
httpcore-4.4.14.jar		pkg:maven/org.apache.httpcomponents/httpcore@4.4.14		0		34
httpmime-4.5.13.jar		pkg:maven/org.apache.httpcomponents/httpmime@4.5.13		0		32
jackrabbit-api-2.19.3.jar	cpe:2.3:a:apache:jackrabbit:2.19.3:::::::*	pkg:maven/org.apache.jackrabbit/jackrabbit-api@2.19.3		0	Highest	29
jaxen-1.1.6.jar		pkg:maven/jaxen/jaxen@1.1.6		0		26
jcr-2.0.jar		pkg:maven/javax.jcr/jcr@2.0		0		32
jdom2-2.0.6.jar	cpe:2.3:a:jdom:jdom:2.0.6:::::::*	pkg:maven/org.jdom/jdom2@2.0.6	HIGH	1	Highest	53
json-20140107.jar		pkg:maven/org.json/json@20140107		0		22
maven-artifact-3.8.1.jar		pkg:maven/org.apache.maven/maven-artifact@3.8.1		0		28
org.apache.jackrabbit.vault-3.5.6.jar	cpe:2.3:a:apache:jackrabbit:3.5.6:::::::*	pkg:maven/org.apache.jackrabbit.vault/org.apache.jackrabbit.vault@3.5.6		0	Highest	47
plexus-utils-3.2.1.jar	cpe:2.3:a:plexus-utils_project:plexus-utils:3.2.1:::::::*	pkg:maven/org.codehaus.plexus/plexus-utils@3.2.1		0	Highest	27
stax2-api-4.2.jar		pkg:maven/org.codehaus.woodstox/stax2-api@4.2		0		48
txw2-2.3.2.jar		pkg:maven/org.glassfish.jaxb/txw2@2.3.2		0		34
woodstox-core-6.1.1.jar		pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1		0		41
woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)		pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621		0		12
woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)		pkg:maven/net.java.dev.msv/xsdlib@2013.6.1		0		9

Dependencies

commons-codec-1.10.jar

Description:

     The Apache Commons Codec package contains simple encoder and decoders for
     various formats such as Base64 and Hexadecimal.  In addition to these
     widely used encoders and decoders, the codec package also maintains a
     collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
SHA256:4241dfa94e711d435f29a4604a3e2de5c4aa3c165e23bd066be6fc1fc4309569
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Highest
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	file	name	commons-codec	High
Vendor	jar	package name	commons	Highest
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	implementation-build	trunk@r1637108; 2014-11-06 14:14:12+0000	Low
Vendor	pom	groupid	commons-codec	Highest
Vendor	pom	artifactid	commons-codec	Low
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-codec/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	Manifest	bundle-symbolicname	org.apache.commons.codec	Medium
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	jar	package name	codec	Highest
Vendor	pom	url	http://commons.apache.org/proper/commons-codec/	Highest
Vendor	jar	package name	encoder	Highest
Vendor	pom	name	Apache Commons Codec	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Product	jar	package name	apache	Highest
Product	file	name	commons-codec	High
Product	jar	package name	commons	Highest
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	implementation-build	trunk@r1637108; 2014-11-06 14:14:12+0000	Low
Product	pom	groupid	commons-codec	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-codec/	Low
Product	pom	parent-groupid	org.apache.commons	Medium
Product	Manifest	Implementation-Title	Apache Commons Codec	High
Product	Manifest	bundle-symbolicname	org.apache.commons.codec	Medium
Product	Manifest	specification-title	Apache Commons Codec	Medium
Product	pom	artifactid	commons-codec	Highest
Product	jar	package name	codec	Highest
Product	pom	parent-artifactid	commons-parent	Medium
Product	jar	package name	encoder	Highest
Product	pom	name	Apache Commons Codec	High
Product	pom	url	http://commons.apache.org/proper/commons-codec/	Medium
Product	Manifest	Bundle-Name	Apache Commons Codec	Medium
Version	pom	version	1.10	Highest
Version	Manifest	Implementation-Version	1.10	High
Version	pom	parent-version	1.10	Low
Version	file	version	1.10	High

Identifiers

pkg:maven/commons-codec/commons-codec@1.10 (Confidence:High)

commons-compress-1.21.jar

Description:

Apache Commons Compress software defines an API for working with
compression and archive formats.  These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar
MD5: 2a713d10331bc4e13459a3dc0463f16f
SHA1: 4ec95b60d4e86b5c95a0e919cb172a0af98011ef
SHA256:6aecfd5459728a595601cfa07258d131972ffc39b492eb48bdd596577a2f244a
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-compress/	Low
Vendor	jar	package name	apache	Highest
Vendor	pom	name	Apache Commons Compress	High
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	jar	package name	commons	Highest
Vendor	pom	url	https://commons.apache.org/proper/commons-compress/	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	jar	package name	compress	Highest
Vendor	pom	artifactid	commons-compress	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	file	name	commons-compress	High
Vendor	Manifest	implementation-build	UNKNOWN@r60e3d9f6bef1e431f8738e881c051d706f81e6cf; 2021-07-09 16:56:00+0000	Low
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	automatic-module-name	org.apache.commons.compress	Medium
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-compress	Medium
Vendor	Manifest	extension-name	org.apache.commons.compress	Medium
Vendor	pom	groupid	apache.commons	Highest
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-compress/	Low
Product	jar	package name	apache	Highest
Product	pom	name	Apache Commons Compress	High
Product	pom	artifactid	commons-compress	Highest
Product	jar	package name	commons	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	pom	parent-groupid	org.apache.commons	Medium
Product	jar	package name	compress	Highest
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	file	name	commons-compress	High
Product	Manifest	Bundle-Name	Apache Commons Compress	Medium
Product	Manifest	Implementation-Title	Apache Commons Compress	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	https://commons.apache.org/proper/commons-compress/	Medium
Product	Manifest	specification-title	Apache Commons Compress	Medium
Product	Manifest	implementation-build	UNKNOWN@r60e3d9f6bef1e431f8738e881c051d706f81e6cf; 2021-07-09 16:56:00+0000	Low
Product	Manifest	automatic-module-name	org.apache.commons.compress	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-compress	Medium
Product	Manifest	extension-name	org.apache.commons.compress	Medium
Product	pom	groupid	apache.commons	Highest
Version	pom	version	1.21	Highest
Version	Manifest	Implementation-Version	1.21	High
Version	pom	parent-version	1.21	Low
Version	file	version	1.21	High

Identifiers

pkg:maven/org.apache.commons/commons-compress@1.21 (Confidence:High)
cpe:2.3:a:apache:commons_compress:1.21:*:*:*:*:*:*:* (Confidence:Highest)

commons-io-2.5.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, 
file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	commons-io	Highest
Vendor	jar	package name	apache	Highest
Vendor	file	name	commons-io	High
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	implementation-build	tags/commons-io-2.5@r1739098; 2016-04-14 09:19:54-0400	Low
Vendor	pom	name	Apache Commons IO	High
Vendor	jar	package name	commons	Highest
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	artifactid	commons-io	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	jar	package name	io	Highest
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-io/	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-io/	Highest
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.io	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-io/	Low
Product	jar	package name	apache	Highest
Product	pom	groupid	commons-io	Highest
Product	file	name	commons-io	High
Product	pom	url	http://commons.apache.org/proper/commons-io/	Medium
Product	Manifest	implementation-build	tags/commons-io-2.5@r1739098; 2016-04-14 09:19:54-0400	Low
Product	pom	name	Apache Commons IO	High
Product	jar	package name	commons	Highest
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	parent-groupid	org.apache.commons	Medium
Product	jar	package name	io	Highest
Product	Manifest	specification-title	Apache Commons IO	Medium
Product	pom	artifactid	commons-io	Highest
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-io/	Low
Product	Manifest	Implementation-Title	Apache Commons IO	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.io	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-io/	Low
Product	Manifest	Bundle-Name	Apache Commons IO	Medium
Version	file	version	2.5	High
Version	pom	parent-version	2.5	Low
Version	pom	version	2.5	Highest
Version	Manifest	Implementation-Version	2.5	High

Identifiers

pkg:maven/commons-io/commons-io@2.5 (Confidence:High)
cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-29425

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:

Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSSv3:

Base Score: MEDIUM (4.8)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

commons-lang3-3.6.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-lang/	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	commons-lang3	Low
Vendor	jar	package name	lang3	Highest
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-lang/	Low
Vendor	Manifest	Implementation-Vendor-Id	org.apache.commons	Medium
Vendor	file	name	commons-lang3	High
Vendor	pom	name	Apache Commons Lang	High
Vendor	pom	groupid	apache.commons	Highest
Product	jar	package name	apache	Highest
Product	Manifest	Bundle-Name	Apache Commons Lang	Medium
Product	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/	Low
Product	jar	package name	commons	Highest
Product	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Product	pom	artifactid	commons-lang3	Highest
Product	pom	parent-groupid	org.apache.commons	Medium
Product	Manifest	Implementation-Title	Apache Commons Lang	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Apache Commons Lang	Medium
Product	jar	package name	lang3	Highest
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-lang/	Low
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/proper/commons-lang/	Medium
Product	file	name	commons-lang3	High
Product	pom	name	Apache Commons Lang	High
Product	pom	groupid	apache.commons	Highest
Version	pom	parent-version	3.6	Low
Version	file	version	3.6	High
Version	Manifest	Implementation-Version	3.6	High
Version	pom	version	3.6	Highest

Identifiers

pkg:maven/org.apache.commons/commons-lang3@3.6 (Confidence:High)

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	Apache Commons Logging	High
Vendor	jar	package name	apache	Highest
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	jar	package name	commons	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	jar	package name	logging	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Vendor	pom	artifactid	commons-logging	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-logging/	Highest
Vendor	pom	groupid	commons-logging	Highest
Vendor	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	file	name	commons-logging	High
Product	pom	name	Apache Commons Logging	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	Manifest	specification-title	Apache Commons Logging	Medium
Product	pom	artifactid	commons-logging	Highest
Product	pom	parent-groupid	org.apache.commons	Medium
Product	jar	package name	logging	Highest
Product	Manifest	Bundle-Name	Apache Commons Logging	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Product	pom	url	http://commons.apache.org/proper/commons-logging/	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Product	Manifest	Implementation-Title	Apache Commons Logging	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	groupid	commons-logging	Highest
Product	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Product	file	name	commons-logging	High
Version	file	version	1.2	High
Version	pom	parent-version	1.2	Low
Version	pom	version	1.2	Highest
Version	Manifest	Implementation-Version	1.2	High

Identifiers

pkg:maven/commons-logging/commons-logging@1.2 (Confidence:High)

httpclient-4.5.13.jar

Description:

   Apache HttpComponents Client

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Highest
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	file	name	httpclient	High
Vendor	pom	groupid	apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpClient	High
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	jar	package name	client	Highest
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Vendor	jar	package name	httpclient	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	parent-groupid	org.apache.httpcomponents	Medium
Vendor	pom	artifactid	httpclient	Low
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Product	jar	package name	apache	Highest
Product	file	name	httpclient	High
Product	pom	groupid	apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient	High
Product	jar	package name	client	Highest
Product	pom	artifactid	httpclient	Highest
Product	jar	package name	httpclient	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Product	Manifest	specification-title	Apache HttpClient	Medium
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	Manifest	Implementation-Title	Apache HttpClient	High
Product	pom	parent-groupid	org.apache.httpcomponents	Medium
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	jar	package name	http	Highest
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest
Version	file	version	4.5.13	High

Identifiers

pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 (Confidence:High)
cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* (Confidence:Highest)

httpcore-4.4.14.jar

Description:

   Apache HttpComponents Core (blocking I/O)

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Highest
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	parent-artifactid	httpcomponents-core	Low
Vendor	pom	groupid	apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpCore	High
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Vendor	pom	artifactid	httpcore	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-core-ga	Highest
Vendor	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Vendor	file	name	httpcore	High
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	pom	parent-groupid	org.apache.httpcomponents	Medium
Vendor	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	pom	url	http://hc.apache.org/httpcomponents-core-ga	Medium
Product	jar	package name	apache	Highest
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	Manifest	specification-title	HttpComponents Apache HttpCore	Medium
Product	pom	groupid	apache.httpcomponents	Highest
Product	pom	name	Apache HttpCore	High
Product	pom	artifactid	httpcore	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Product	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Product	file	name	httpcore	High
Product	Manifest	Implementation-Title	HttpComponents Apache HttpCore	High
Product	pom	parent-artifactid	httpcomponents-core	Medium
Product	pom	parent-groupid	org.apache.httpcomponents	Medium
Product	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	jar	package name	http	Highest
Version	file	version	4.4.14	High
Version	pom	version	4.4.14	Highest
Version	Manifest	Implementation-Version	4.4.14	High

Identifiers

pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 (Confidence:High)

httpmime-4.5.13.jar

Description:

   Apache HttpComponents HttpClient - MIME coded entities

File Path: /home/runner/.m2/repository/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar
MD5: 3f0c1ef2c9dc47b62b780192f54b0c18
SHA1: efc110bad4a0d45cda7858e6beee1d8a8313da5a
SHA256:06e754d99245b98dcc2860dcb43d20e737d650da2bf2077a105f68accbd5c5cc
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpmime	Medium
Vendor	jar	package name	apache	Highest
Vendor	file	name	httpmime	High
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	jar	package name	mime	Highest
Vendor	pom	groupid	apache.httpcomponents	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	name	Apache HttpClient Mime	High
Vendor	pom	artifactid	httpmime	Low
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	parent-groupid	org.apache.httpcomponents	Medium
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpmime	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Product	jar	package name	apache	Highest
Product	file	name	httpmime	High
Product	jar	package name	mime	Highest
Product	pom	groupid	apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient Mime	High
Product	pom	artifactid	httpmime	Highest
Product	Manifest	Implementation-Title	Apache HttpClient Mime	High
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	pom	parent-groupid	org.apache.httpcomponents	Medium
Product	Manifest	specification-title	Apache HttpClient Mime	Medium
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	jar	package name	http	Highest
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest
Version	file	version	4.5.13	High

Identifiers

pkg:maven/org.apache.httpcomponents/httpmime@4.5.13 (Confidence:High)

jackrabbit-api-2.19.3.jar

Description:

Jackrabbit-specific extensions to the JCR API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/org/apache/jackrabbit/jackrabbit-api/2.19.3/jackrabbit-api-2.19.3.jar
MD5: 70fa2dc7695900e62e96aea2792f3a3a
SHA1: 8503de04a71ea05b680692d47bfe8a185ec5f4d0
SHA256:045be6c97e17c771bbe885d6d0308722bb540b5bf693322a96aadb976de7aa5a
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	jackrabbit	Highest
Vendor	jar	package name	apache	Highest
Vendor	pom	groupid	org.apache.jackrabbit	Highest
Vendor	pom	artifactid	jackrabbit-api	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	bundle-docurl	http://jackrabbit.apache.org	Low
Vendor	pom	parent-groupid	org.apache.jackrabbit	Medium
Vendor	pom	name	Apache Jackrabbit API	High
Vendor	pom	groupid	apache.jackrabbit	Highest
Vendor	Manifest	bundle-symbolicname	org.apache.jackrabbit.jackrabbit-api	Medium
Vendor	jar	package name	api	Highest
Vendor	file	name	jackrabbit-api	High
Vendor	pom	parent-artifactid	jackrabbit-parent	Low
Product	jar	package name	jackrabbit	Highest
Product	jar	package name	apache	Highest
Product	Manifest	Bundle-Name	Apache Jackrabbit API	Medium
Product	pom	artifactid	jackrabbit-api	Highest
Product	pom	parent-artifactid	jackrabbit-parent	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	bundle-docurl	http://jackrabbit.apache.org	Low
Product	pom	parent-groupid	org.apache.jackrabbit	Medium
Product	pom	name	Apache Jackrabbit API	High
Product	pom	groupid	apache.jackrabbit	Highest
Product	Manifest	bundle-symbolicname	org.apache.jackrabbit.jackrabbit-api	Medium
Product	jar	package name	api	Highest
Product	file	name	jackrabbit-api	High
Version	pom	version	2.19.3	Highest
Version	Manifest	Bundle-Version	2.19.3	High
Version	file	version	2.19.3	High

Related Dependencies

Identifiers

pkg:maven/org.apache.jackrabbit/jackrabbit-api@2.19.3 (Confidence:High)
cpe:2.3:a:apache:jackrabbit:2.19.3:*:*:*:*:*:*:* (Confidence:Highest)

jaxen-1.1.6.jar

Description:

Jaxen is a universal Java XPath engine.

License:

http://jaxen.codehaus.org/license.html

File Path: /home/runner/.m2/repository/jaxen/jaxen/1.1.6/jaxen-1.1.6.jar
MD5: a140517286b56eea981e188dcc3a13f6
SHA1: 3f8c36d9a0578e8e98f030c662b69888b1430ac0
SHA256:5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jaxen	High
Vendor	Manifest	bundle-symbolicname	jaxen	Medium
Vendor	Manifest	bundle-docurl	http://codehaus.org	Low
Vendor	pom	name	jaxen	High
Vendor	pom	url	http://jaxen.codehaus.org/	Highest
Vendor	jar	package name	jaxen	Highest
Vendor	jar	package name	xpath	Highest
Vendor	pom	organization url	http://codehaus.org	Medium
Vendor	pom	artifactid	jaxen	Low
Vendor	pom	organization name	Codehaus	High
Vendor	pom	groupid	jaxen	Highest
Product	Manifest	bundle-symbolicname	jaxen	Medium
Product	pom	url	http://jaxen.codehaus.org/	Medium
Product	pom	name	jaxen	High
Product	jar	package name	jaxen	Highest
Product	jar	package name	xpath	Highest
Product	pom	organization url	http://codehaus.org	Low
Product	pom	groupid	jaxen	Highest
Product	Manifest	Bundle-Name	jaxen	Medium
Product	file	name	jaxen	High
Product	Manifest	bundle-docurl	http://codehaus.org	Low
Product	pom	organization name	Codehaus	Low
Product	pom	artifactid	jaxen	Highest
Version	pom	version	1.1.6	Highest
Version	Manifest	Bundle-Version	1.1.6	High
Version	file	version	1.1.6	High

Identifiers

pkg:maven/jaxen/jaxen@1.1.6 (Confidence:High)

jcr-2.0.jar

Description:

        The Content Repository API for JavaTM Technology Version 2.0 is specified by JSR-283.
        This module contains the complete API as specified.

License:

Day Specification License: http://www.day.com/dam/day/downloads/jsr283/day-spec-license.htm
Day Specification License addendum: http://www.day.com/content/dam/day/downloads/jsr283/LICENSE.txt

File Path: /home/runner/.m2/repository/javax/jcr/jcr/2.0/jcr-2.0.jar
MD5: ede5e78b16c8ed298ce0b6d296584ebd
SHA1: 08297216bcfe4aea369ed6ee0d1718133f752e97
SHA256:cbf083bc58cb88a0c19112187a4c52d3115f525b5bb7f2913635f5679e6e9743
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jcr	High
Vendor	jar	package name	javax	Highest
Vendor	pom	groupid	javax.jcr	Highest
Vendor	pom	artifactid	jcr	Low
Vendor	jar	package name	repository	Highest
Vendor	jar	package name	version	Highest
Vendor	Manifest	bundle-category	jcr	Low
Vendor	Manifest	bundle-docurl	http://www.jcp.org/en/jsr/detail?id=283	Low
Vendor	pom	organization name	Day Software	High
Vendor	pom	organization url	http://www.day.com	Medium
Vendor	pom	name	Content Repository for JavaTM Technology API	High
Vendor	pom	url	http://www.jcp.org/en/jsr/detail?id=283	Highest
Vendor	Manifest	bundle-symbolicname	javax.jcr	Medium
Vendor	jar	package name	jcr	Highest
Product	file	name	jcr	High
Product	jar	package name	javax	Highest
Product	pom	groupid	javax.jcr	Highest
Product	jar	package name	repository	Highest
Product	jar	package name	version	Highest
Product	Manifest	bundle-category	jcr	Low
Product	Manifest	bundle-docurl	http://www.jcp.org/en/jsr/detail?id=283	Low
Product	pom	url	http://www.jcp.org/en/jsr/detail?id=283	Medium
Product	pom	artifactid	jcr	Highest
Product	pom	organization url	http://www.day.com	Low
Product	pom	organization name	Day Software	Low
Product	pom	name	Content Repository for JavaTM Technology API	High
Product	Manifest	bundle-symbolicname	javax.jcr	Medium
Product	jar	package name	jcr	Highest
Product	Manifest	Bundle-Name	Content Repository for JavaTM Technology API	Medium
Version	pom	version	2.0	Highest
Version	Manifest	Bundle-Version	2.0	High
Version	file	version	2.0	High

Identifiers

pkg:maven/javax.jcr/jcr@2.0 (Confidence:High)

jdom2-2.0.6.jar

Description:

		A complete, Java-based solution for accessing, manipulating, 
		and outputting XML data

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt

File Path: /home/runner/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256:1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	jdom2	Low
Vendor	manifest: org/jdom2/filter/	Implementation-Vendor	jdom.org	Medium
Vendor	pom	url	http://www.jdom.org	Highest
Vendor	file	name	jdom2	High
Vendor	manifest: org/jdom2/	Implementation-Vendor	jdom.org	Medium
Vendor	manifest: org/jdom2/xpath/	Implementation-Vendor	jdom.org	Medium
Vendor	manifest: org/jdom2/adapters/	Implementation-Vendor	jdom.org	Medium
Vendor	manifest: org/jdom2/input/	Implementation-Vendor	jdom.org	Medium
Vendor	pom	groupid	jdom	Highest
Vendor	pom	organization name	JDOM	High
Vendor	manifest: org/jdom2/transform/	Implementation-Vendor	jdom.org	Medium
Vendor	pom	organization url	http://www.jdom.org	Medium
Vendor	pom	name	JDOM	High
Vendor	manifest: org/jdom2/output/	Implementation-Vendor	jdom.org	Medium
Vendor	pom	groupid	org.jdom	Highest
Vendor	jar	package name	jdom2	Highest
Product	file	name	jdom2	High
Product	manifest: org/jdom2/output/	Specification-Title	JDOM Output Classes	Medium
Product	manifest: org/jdom2/transform/	Specification-Title	JDOM Transformation Classes	Medium
Product	jar	package name	transform	Highest
Product	jar	package name	output	Highest
Product	manifest: org/jdom2/filter/	Specification-Title	JDOM Filter Classes	Medium
Product	pom	groupid	jdom	Highest
Product	manifest: org/jdom2/	Implementation-Title	org.jdom2	Medium
Product	pom	url	http://www.jdom.org	Medium
Product	manifest: org/jdom2/adapters/	Implementation-Title	org.jdom2.adapters	Medium
Product	manifest: org/jdom2/	Specification-Title	JDOM Classes	Medium
Product	pom	name	JDOM	High
Product	jar	package name	adapters	Highest
Product	manifest: org/jdom2/adapters/	Specification-Title	JDOM Adapter Classes	Medium
Product	jar	package name	jdom2	Highest
Product	pom	organization name	JDOM	Low
Product	manifest: org/jdom2/xpath/	Specification-Title	JDOM XPath Classes	Medium
Product	manifest: org/jdom2/output/	Implementation-Title	org.jdom2.output	Medium
Product	jar	package name	input	Highest
Product	jar	package name	xpath	Highest
Product	manifest: org/jdom2/transform/	Implementation-Title	org.jdom2.transform	Medium
Product	pom	artifactid	jdom2	Highest
Product	manifest: org/jdom2/input/	Specification-Title	JDOM Input Classes	Medium
Product	manifest: org/jdom2/input/	Implementation-Title	org.jdom2.input	Medium
Product	pom	organization url	http://www.jdom.org	Low
Product	manifest: org/jdom2/xpath/	Implementation-Title	org.jdom2.xpath	Medium
Product	jar	package name	filter	Highest
Product	manifest: org/jdom2/filter/	Implementation-Title	org.jdom2.filter	Medium
Version	pom	version	2.0.6	Highest
Version	manifest: org/jdom2/input/	Implementation-Version	2.0.6	Medium
Version	manifest: org/jdom2/filter/	Implementation-Version	2.0.6	Medium
Version	manifest: org/jdom2/adapters/	Implementation-Version	2.0.6	Medium
Version	manifest: org/jdom2/	Implementation-Version	2.0.6	Medium
Version	manifest: org/jdom2/xpath/	Implementation-Version	2.0.6	Medium
Version	manifest: org/jdom2/output/	Implementation-Version	2.0.6	Medium
Version	manifest: org/jdom2/transform/	Implementation-Version	2.0.6	Medium
Version	file	version	2.0.6	High

Identifiers

pkg:maven/org.jdom/jdom2@2.0.6 (Confidence:High)
cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

json-20140107.jar

Description:

		JSON is a light-weight, language independent, data interchange format.
		See http://www.JSON.org/

		The files in this package implement JSON encoders/decoders in Java.
		It also includes the capability to convert between JSON and XML, HTTP
		headers, Cookies, and CDL.

		This is a reference implementation. There is a large number of JSON packages
		in Java. Perhaps someday the Java community will standardize on one. Until
		then, choose carefully.

		The license includes this restriction: "The software shall be used for good,
		not evil." If your conscience cannot live with that, then choose a different
		package.

		The package compiles on Java 1.2 thru Java 1.4.

License:

The JSON License: http://json.org/license.html

File Path: /home/runner/.m2/repository/org/json/json/20140107/json-20140107.jar
MD5: 8ca2437d3dbbaa2e76195adedfd901f4
SHA1: d1ffca6e2482b002702c6a576166fd685e3370e3
SHA256:8e5aa0a368bee60347b5a4ad861d9f68c7793f60deeea89efd449eb70d5ae622
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	cdl	Highest
Vendor	pom	name	JSON in Java	High
Vendor	pom	groupid	org.json	Highest
Vendor	jar	package name	json	Highest
Vendor	pom	url	douglascrockford/JSON-java	Highest
Vendor	pom	artifactid	json	Low
Vendor	jar	package name	json	Low
Vendor	file	name	json-20140107	High
Vendor	jar	package name	xml	Highest
Vendor	pom	groupid	json	Highest
Vendor	jar	package name	http	Highest
Product	jar	package name	cdl	Highest
Product	pom	name	JSON in Java	High
Product	pom	url	douglascrockford/JSON-java	High
Product	jar	package name	json	Highest
Product	pom	artifactid	json	Highest
Product	file	name	json-20140107	High
Product	jar	package name	xml	Highest
Product	pom	groupid	json	Highest
Product	jar	package name	http	Highest
Version	file	version	20140107	Medium
Version	pom	version	20140107	Highest

Identifiers

pkg:maven/org.json/json@20140107 (Confidence:High)

maven-artifact-3.8.1.jar

File Path: /home/runner/.m2/repository/org/apache/maven/maven-artifact/3.8.1/maven-artifact-3.8.1.jar
MD5: 6f07d7c18fb630df205d8175fe37b74e
SHA1: 114a2dd16c4c568bf0ca57719b83f2685dcc5734
SHA256:9dbd3db15ac4816471e72981cb06ef90f3ffa8be6628dddf7135f7bd69bee0c0
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Highest
Vendor	pom	parent-artifactid	maven	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	pom	name	Maven Artifact	High
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	jar	package name	maven	Highest
Vendor	pom	groupid	apache.maven	Highest
Vendor	jar	package name	artifact	Highest
Vendor	pom	groupid	org.apache.maven	Highest
Vendor	pom	artifactid	maven-artifact	Low
Vendor	file	name	maven-artifact	High
Vendor	pom	parent-groupid	org.apache.maven	Medium
Product	jar	package name	apache	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	pom	name	Maven Artifact	High
Product	jar	package name	maven	Highest
Product	Manifest	specification-title	Maven Artifact	Medium
Product	pom	groupid	apache.maven	Highest
Product	pom	artifactid	maven-artifact	Highest
Product	jar	package name	artifact	Highest
Product	Manifest	Implementation-Title	Maven Artifact	High
Product	file	name	maven-artifact	High
Product	pom	parent-groupid	org.apache.maven	Medium
Product	pom	parent-artifactid	maven	Medium
Version	file	version	3.8.1	High
Version	Manifest	Implementation-Version	3.8.1	High
Version	pom	version	3.8.1	Highest

Identifiers

pkg:maven/org.apache.maven/maven-artifact@3.8.1 (Confidence:High)

org.apache.jackrabbit.vault-3.5.6.jar

Description:

The core classes of Apache Jackrabbit FileVault

License:

"Apache License, Version 2.0";link="https://www.apache.org/licenses/LICENSE-2.0.txt"

File Path: /home/runner/.m2/repository/org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.5.6/org.apache.jackrabbit.vault-3.5.6.jar
MD5: 7311cb5a35268eb640213d16658cefa1
SHA1: 936eb3333d7389aa59b635669ad8867643c9eda2
SHA256:961bb956259edfc3cb08766d88e1508573613b6f085e5b98cb7710caf49df761
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	jackrabbit	Highest
Vendor	jar	package name	apache	Highest
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	bundle-symbolicname	org.apache.jackrabbit.vault	Medium
Vendor	pom	parent-groupid	org.apache.jackrabbit.vault	Medium
Vendor	pom	groupid	org.apache.jackrabbit.vault	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.service;filter:="(objectClass=org.apache.jackrabbit.vault.packaging.events.PackageEventListener)";effective:=active;resolution:=optional;cardinality:=multiple,osgi.service;filter:="(objectClass=org.apache.jackrabbit.vault.packaging.events.impl.PackageEventDispatcher)";effective:=active,osgi.service;filter:="(objectClass=org.apache.jackrabbit.vault.packaging.registry.PackageRegistry)";effective:=active;resolution:=optional;cardinality:=multiple,osgi.service;filter:="(objectClass=org.apache.sling.jcr.api.SlingRepository)";effective:=active;resolution:=optional,osgi.extender;filter:="(&(osgi.extender=osgi.component)(version>=1.4.0)(!(version>=2.0.0)))",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	groupid	apache.jackrabbit.vault	Highest
Vendor	pom	parent-artifactid	parent	Low
Vendor	Manifest	bundle-docurl	https://jackrabbit.apache.org/filevault/	Low
Vendor	Manifest	service-component	OSGI-INF/org.apache.jackrabbit.vault.packaging.events.impl.PackageEventDispatcherImpl.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.impl.ActivityLog.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.impl.PackageManagerMBeanImpl.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.impl.PackagingImpl.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.registry.impl.FSPackageRegistry.xml	Low
Vendor	Manifest	build-jdk-spec	11	Low
Vendor	pom	name	Apache Jackrabbit FileVault Core Bundle	High
Vendor	Manifest	provide-capability	osgi.service;objectClass:List="javax.management.DynamicMBean";uses:="javax.management",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.Packaging";uses:="org.apache.jackrabbit.vault.packaging",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.events.PackageEventListener";uses:="org.apache.jackrabbit.vault.packaging.events",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.events.impl.PackageEventDispatcher";uses:="org.apache.jackrabbit.vault.packaging.events.impl",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.registry.PackageRegistry";uses:="org.apache.jackrabbit.vault.packaging.registry"	Low
Vendor	Manifest	bundle-category	jackrabbit	Low
Vendor	file	name	org.apache.jackrabbit.vault	High
Vendor	jar	package name	vault	Highest
Vendor	pom	artifactid	apache.jackrabbit.vault	Low
Product	jar	package name	apache	Highest
Product	pom	parent-artifactid	parent	Medium
Product	pom	artifactid	apache.jackrabbit.vault	Highest
Product	pom	groupid	apache.jackrabbit.vault	Highest
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	https://jackrabbit.apache.org/filevault/	Low
Product	Manifest	service-component	OSGI-INF/org.apache.jackrabbit.vault.packaging.events.impl.PackageEventDispatcherImpl.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.impl.ActivityLog.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.impl.PackageManagerMBeanImpl.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.impl.PackagingImpl.xml,OSGI-INF/org.apache.jackrabbit.vault.packaging.registry.impl.FSPackageRegistry.xml	Low
Product	pom	artifactid	org.apache.jackrabbit.vault	Highest
Product	pom	name	Apache Jackrabbit FileVault Core Bundle	High
Product	Manifest	provide-capability	osgi.service;objectClass:List="javax.management.DynamicMBean";uses:="javax.management",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.Packaging";uses:="org.apache.jackrabbit.vault.packaging",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.events.PackageEventListener";uses:="org.apache.jackrabbit.vault.packaging.events",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.events.impl.PackageEventDispatcher";uses:="org.apache.jackrabbit.vault.packaging.events.impl",osgi.service;objectClass:List="org.apache.jackrabbit.vault.packaging.registry.PackageRegistry";uses:="org.apache.jackrabbit.vault.packaging.registry"	Low
Product	file	name	org.apache.jackrabbit.vault	High
Product	jar	package name	vault	Highest
Product	Manifest	Bundle-Name	Apache Jackrabbit FileVault Core Bundle	Medium
Product	jar	package name	jackrabbit	Highest
Product	Manifest	specification-title	Apache Jackrabbit FileVault Core Bundle	Medium
Product	Manifest	bundle-symbolicname	org.apache.jackrabbit.vault	Medium
Product	pom	parent-groupid	org.apache.jackrabbit.vault	Medium
Product	jar	package name	osgi	Highest
Product	Manifest	require-capability	osgi.service;filter:="(objectClass=org.apache.jackrabbit.vault.packaging.events.PackageEventListener)";effective:=active;resolution:=optional;cardinality:=multiple,osgi.service;filter:="(objectClass=org.apache.jackrabbit.vault.packaging.events.impl.PackageEventDispatcher)";effective:=active,osgi.service;filter:="(objectClass=org.apache.jackrabbit.vault.packaging.registry.PackageRegistry)";effective:=active;resolution:=optional;cardinality:=multiple,osgi.service;filter:="(objectClass=org.apache.sling.jcr.api.SlingRepository)";effective:=active;resolution:=optional,osgi.extender;filter:="(&(osgi.extender=osgi.component)(version>=1.4.0)(!(version>=2.0.0)))",osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	jar	package name	packaging	Highest
Product	Manifest	Implementation-Title	Apache Jackrabbit FileVault Core Bundle	High
Product	Manifest	build-jdk-spec	11	Low
Product	Manifest	bundle-category	jackrabbit	Low
Product	jar	package name	api	Highest
Version	Manifest	Implementation-Version	3.5.6	High
Version	file	version	3.5.6	High
Version	pom	version	3.5.6	Highest
Version	Manifest	Bundle-Version	3.5.6	High

Identifiers

pkg:maven/org.apache.jackrabbit.vault/org.apache.jackrabbit.vault@3.5.6 (Confidence:High)
cpe:2.3:a:apache:jackrabbit:3.5.6:*:*:*:*:*:*:* (Confidence:Highest)

plexus-utils-3.2.1.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and
    more.

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-utils/3.2.1/plexus-utils-3.2.1.jar
MD5: a1b7cb2baeae4bb4c3a016417d5d3cb0
SHA1: 13b015768e0d04849d2794e4c47eb02d01a0de32
SHA256:8d07b497bb8deb167ee5329cae87ef2043833bf52e4f15a5a9379cec447a5b2b
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	codehaus	Low
Vendor	jar	package name	plexus	Low
Vendor	pom	parent-groupid	org.codehaus.plexus	Medium
Vendor	pom	artifactid	plexus-utils	Low
Vendor	jar	package name	xml	Highest
Vendor	pom	groupid	org.codehaus.plexus	Highest
Vendor	jar	package name	util	Low
Vendor	pom	groupid	codehaus.plexus	Highest
Vendor	jar	package name	plexus	Highest
Vendor	jar	package name	codehaus	Highest
Vendor	pom	name	Plexus Common Utilities	High
Vendor	pom	parent-artifactid	plexus	Low
Vendor	file	name	plexus-utils	High
Product	jar	package name	plexus	Low
Product	jar	package name	util	Low
Product	pom	groupid	codehaus.plexus	Highest
Product	jar	package name	plexus	Highest
Product	jar	package name	codehaus	Highest
Product	pom	name	Plexus Common Utilities	High
Product	pom	artifactid	plexus-utils	Highest
Product	pom	parent-artifactid	plexus	Medium
Product	pom	parent-groupid	org.codehaus.plexus	Medium
Product	jar	package name	xml	Highest
Product	file	name	plexus-utils	High
Version	file	version	3.2.1	High
Version	pom	parent-version	3.2.1	Low
Version	pom	version	3.2.1	Highest

Identifiers

pkg:maven/org.codehaus.plexus/plexus-utils@3.2.1 (Confidence:High)
cpe:2.3:a:plexus-utils_project:plexus-utils:3.2.1:*:*:*:*:*:*:* (Confidence:Highest)

stax2-api-4.2.jar

Description:

tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php

File Path: /home/runner/.m2/repository/org/codehaus/woodstox/stax2-api/4.2/stax2-api-4.2.jar
MD5: 5d22fe6dbb276d1fd6dab40c386a4f0a
SHA1: 13c2b30926bca0429c704c4b4ca0b5d0432b69cd
SHA256:badf6081a0bb526fd2c01951dfefad91b6846b6dd0eb0048587e30d1dd334e68
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	fasterxml.com	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	jar	package name	typed	Highest
Vendor	Manifest	bundle-symbolicname	stax2-api	Medium
Vendor	Manifest	bundle-docurl	http://github.com/FasterXML/stax2-api	Low
Vendor	Manifest	Implementation-Vendor	fasterxml.com	High
Vendor	pom	organization url	http://fasterxml.com	Medium
Vendor	pom	name	Stax2 API	High
Vendor	pom	url	http://github.com/FasterXML/stax2-api	Highest
Vendor	jar	package name	stax2	Highest
Vendor	Manifest	implementation-build-date	2019-03-13 04:03:16+0000	Low
Vendor	pom	parent-groupid	com.fasterxml	Medium
Vendor	pom	groupid	org.codehaus.woodstox	Highest
Vendor	pom	organization name	fasterxml.com	High
Vendor	jar	package name	codehaus	Highest
Vendor	pom	artifactid	stax2-api	Low
Vendor	Manifest	Implementation-Vendor-Id	org.codehaus.woodstox	Medium
Vendor	jar	package name	validation	Highest
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	file	name	stax2-api	High
Vendor	Manifest	automatic-module-name	org.codehaus.stax2	Medium
Vendor	pom	groupid	codehaus.woodstox	Highest
Product	pom	organization url	http://fasterxml.com	Low
Product	pom	artifactid	stax2-api	Highest
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	jar	package name	typed	Highest
Product	Manifest	bundle-symbolicname	stax2-api	Medium
Product	Manifest	bundle-docurl	http://github.com/FasterXML/stax2-api	Low
Product	pom	name	Stax2 API	High
Product	jar	package name	stax2	Highest
Product	Manifest	specification-title	Stax2 API	Medium
Product	jar	package name	osgi	Highest
Product	Manifest	implementation-build-date	2019-03-13 04:03:16+0000	Low
Product	pom	parent-groupid	com.fasterxml	Medium
Product	pom	url	http://github.com/FasterXML/stax2-api	Medium
Product	pom	parent-artifactid	oss-parent	Medium
Product	Manifest	Bundle-Name	Stax2 API	Medium
Product	jar	package name	codehaus	Highest
Product	pom	organization name	fasterxml.com	Low
Product	jar	package name	validation	Highest
Product	file	name	stax2-api	High
Product	Manifest	Implementation-Title	Stax2 API	High
Product	Manifest	automatic-module-name	org.codehaus.stax2	Medium
Product	pom	groupid	codehaus.woodstox	Highest
Version	pom	version	4.2	Highest
Version	file	version	4.2	High
Version	Manifest	Implementation-Version	4.2	High
Version	pom	parent-version	4.2	Low

Identifiers

pkg:maven/org.codehaus.woodstox/stax2-api@4.2 (Confidence:High)

txw2-2.3.2.jar

Description:

        TXW is a library that allows you to write XML documents.

File Path: /home/runner/.m2/repository/org/glassfish/jaxb/txw2/2.3.2/txw2-2.3.2.jar
MD5: 3f278f148c5d27dc608c25cb7d093b94
SHA1: ce5be7da2e442c25ec14c766cb60cb802741727b
SHA256:4a6a9f483388d461b81aa9a28c685b8b74c0597993bf1884b04eddbca95f48fe
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	txw2	Highest
Vendor	pom	groupid	org.glassfish.jaxb	Highest
Vendor	Manifest	git-revision	ae93d95	Low
Vendor	pom	parent-artifactid	jaxb-txw-parent	Low
Vendor	pom	name	TXW2 Runtime	High
Vendor	file	name	txw2	High
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	xml	Highest
Vendor	pom	groupid	glassfish.jaxb	Highest
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	pom	artifactid	txw2	Low
Vendor	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	jar (hint)	package name	oracle	Highest
Vendor	jar	package name	txw	Highest
Product	pom	artifactid	txw2	Highest
Product	jar	package name	txw2	Highest
Product	Manifest	specification-title	Java Architecture for XML Binding	Medium
Product	Manifest	git-revision	ae93d95	Low
Product	pom	name	TXW2 Runtime	High
Product	file	name	txw2	High
Product	jar	package name	xml	Highest
Product	jar	package name	sun	Highest
Product	pom	groupid	glassfish.jaxb	Highest
Product	pom	parent-artifactid	jaxb-txw-parent	Medium
Product	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Product	Manifest	Implementation-Title	TXW Runtime	High
Product	jar	package name	txw	Highest
Version	pom	version	2.3.2	Highest
Version	Manifest	Implementation-Version	2.3.2	High
Version	Manifest	build-id	2.3.2	Medium
Version	file	version	2.3.2	High
Version	Manifest	major-version	2.3.2	Medium

Identifiers

pkg:maven/org.glassfish.jaxb/txw2@2.3.2 (Confidence:High)

woodstox-core-6.1.1.jar

Description:

        Woodstox is a high-performance XML processor that
        implements Stax (JSR-173), SAX2 and Stax2 APIs

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar
MD5: 992e39013de489a1373f14b7e153f9da
SHA1: 989bb31963ed1758b95c7c4381a91592a9a8df61
SHA256:f250662a245570fdd49c6916c1c3cd3d6511a8e5cd0d7460e989844b1d66ed67
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	pom	name	Woodstox	High
Vendor	pom	url	FasterXML/woodstox	Highest
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	organization url	http://fasterxml.com	Medium
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/woodstox	Low
Vendor	pom	groupid	com.fasterxml.woodstox	Highest
Vendor	pom	parent-groupid	com.fasterxml	Medium
Vendor	file	name	woodstox-core	High
Vendor	Manifest	bundle-symbolicname	com.fasterxml.woodstox.woodstox-core	Medium
Vendor	pom	artifactid	woodstox-core	Low
Vendor	pom	organization name	FasterXML	High
Vendor	jar	package name	stax	Highest
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	Manifest	implementation-build-date	2020-02-28 02:50:45+0000	Low
Vendor	pom	groupid	fasterxml.woodstox	Highest
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.woodstox	Medium
Product	pom	organization url	http://fasterxml.com	Low
Product	pom	name	Woodstox	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/woodstox	Low
Product	jar	package name	osgi	Highest
Product	pom	parent-groupid	com.fasterxml	Medium
Product	pom	url	FasterXML/woodstox	High
Product	pom	parent-artifactid	oss-parent	Medium
Product	pom	artifactid	woodstox-core	Highest
Product	file	name	woodstox-core	High
Product	Manifest	Bundle-Name	Woodstox	Medium
Product	pom	organization name	FasterXML	Low
Product	Manifest	bundle-symbolicname	com.fasterxml.woodstox.woodstox-core	Medium
Product	jar	package name	stax	Highest
Product	Manifest	specification-title	Woodstox	Medium
Product	Manifest	implementation-build-date	2020-02-28 02:50:45+0000	Low
Product	Manifest	Implementation-Title	Woodstox	High
Product	pom	groupid	fasterxml.woodstox	Highest
Version	Manifest	Implementation-Version	6.1.1	High
Version	Manifest	Bundle-Version	6.1.1	High
Version	pom	version	6.1.1	Highest
Version	pom	parent-version	6.1.1	Low
Version	file	version	6.1.1	High

Identifiers

pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1 (Confidence:High)

woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)

Description:

Unknown version of isorelax library used in JAXB project

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml
MD5: 6fbb4bc95fbf2072bc6e3b790553fe81
SHA1: 314ec72948d5c1fc71d553cbbd7a130caa6f9f13
SHA256:cda6451d0231a973352b592ff950e39224ba6ba1a2f35eeab66511b5c225dff1
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	sun.xml.bind.jaxb	Highest
Vendor	pom	artifactid	isorelax	Low
Vendor	pom	name	JAXB isorelax library	High
Vendor	pom	parent-groupid	net.java	Medium
Vendor	pom	parent-artifactid	jvnet-parent	Low
Product	pom	groupid	sun.xml.bind.jaxb	Highest
Product	pom	name	JAXB isorelax library	High
Product	pom	parent-groupid	net.java	Medium
Product	pom	artifactid	isorelax	Highest
Product	pom	parent-artifactid	jvnet-parent	Medium
Version	pom	parent-version	20090621	Low
Version	pom	version	20090621	Highest

Related Dependencies

Identifiers

pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621 (Confidence:High)

woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)

Description:

XML Schema datatypes library

File Path: /home/runner/.m2/repository/com/fasterxml/woodstox/woodstox-core/6.1.1/woodstox-core-6.1.1.jar/META-INF/maven/net.java.dev.msv/xsdlib/pom.xml
MD5: aaf872ed9d1aabee25e03c2a132ffd8e
SHA1: 47f218a999411ed028f089d59ebef8f14e0fe914
SHA256:d6e83c124436049d83238fc532a26c5d8ccd7e4ab10eba6d96043c850ac82f3c
Referenced In Project/Scope:CRX Package Manager Helper:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	parent-artifactid	msv	Low
Vendor	pom	name	MSV XML Schema Library	High
Vendor	pom	artifactid	xsdlib	Low
Vendor	pom	groupid	net.java.dev.msv	Highest
Product	pom	name	MSV XML Schema Library	High
Product	pom	parent-artifactid	msv	Medium
Product	pom	artifactid	xsdlib	Highest
Product	pom	groupid	net.java.dev.msv	Highest
Version	pom	version	2013.6.1	Highest

Related Dependencies

Identifiers

pkg:maven/net.java.dev.msv/xsdlib@2013.6.1 (Confidence:High)

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project: CRX Package Manager Helper

io.wcm.tooling.commons:io.wcm.tooling.commons.crx-packmgr-helper:1.7.5-SNAPSHOT

Summary

Dependencies

commons-codec-1.10.jar

Evidence

Identifiers

commons-compress-1.21.jar

Evidence

Identifiers

commons-io-2.5.jar

Evidence

Identifiers

Published Vulnerabilities

commons-lang3-3.6.jar

Evidence

Identifiers

commons-logging-1.2.jar

Evidence

Identifiers

httpclient-4.5.13.jar

Evidence

Identifiers

httpcore-4.4.14.jar

Evidence

Identifiers

httpmime-4.5.13.jar

Evidence

Identifiers

jackrabbit-api-2.19.3.jar

Evidence

Related Dependencies

Identifiers

jaxen-1.1.6.jar

Evidence

Identifiers

jcr-2.0.jar

Evidence

Identifiers

jdom2-2.0.6.jar

Evidence

Identifiers

Published Vulnerabilities

json-20140107.jar

Evidence

Identifiers

maven-artifact-3.8.1.jar

Evidence

Identifiers

org.apache.jackrabbit.vault-3.5.6.jar

Evidence

Identifiers

plexus-utils-3.2.1.jar

Evidence

Identifiers

stax2-api-4.2.jar

Evidence

Identifiers

txw2-2.3.2.jar

Evidence

Identifiers

woodstox-core-6.1.1.jar

Evidence

Identifiers

woodstox-core-6.1.1.jar (shaded: com.sun.xml.bind.jaxb:isorelax:20090621)

Evidence

Related Dependencies

Identifiers

woodstox-core-6.1.1.jar (shaded: net.java.dev.msv:xsdlib:2013.6.1)

Evidence

Related Dependencies

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor