Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information:
dependency-check version: 6.1.6
Report Generated On: Mon, 6 Dec 2021 15:05:10 GMT
Dependencies Scanned: 32 (32 unique)
Vulnerable Dependencies: 3
Vulnerabilities Found: 4
Vulnerabilities Suppressed: 0
...
NVD CVE Checked: 2021-12-06T15:04:04
NVD CVE Modified: 2021-12-06T13:00:01
VersionCheckOn: 2021-12-06T15:04:04
Dependencies
aopalliance-1.0.jar
Description: AOP Alliance
License: Public Domain
File Path: /home/runner/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name aopalliance Highest Vendor jar package name aopalliance Low Vendor file name aopalliance High Vendor pom url http://aopalliance.sourceforge.net Highest Vendor pom groupid aopalliance Highest Vendor pom artifactid aopalliance Low Vendor jar package name aop Highest Vendor jar package name intercept Low Vendor pom name AOP alliance High Product jar package name aopalliance Highest Product pom artifactid aopalliance Highest Product file name aopalliance High Product pom url http://aopalliance.sourceforge.net Medium Product pom groupid aopalliance Highest Product jar package name aop Highest Product jar package name intercept Low Product pom name AOP alliance High Version file version 1.0 High Version pom version 1.0 Highest
cdi-api-1.0.jar
Description: APIs for JSR-299: Contexts and Dependency Injection for Java EE
File Path: /home/runner/.m2/repository/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar
MD5: 462c0959f0322016495f4598243bc0f2
SHA1: 44c453f60909dfc223552ace63e05c694215156b
SHA256: 1f10b2204cc77c919301f20ff90461c3df1b6e6cb148be1c2d22107f4851d423
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name javax Highest Vendor pom groupid javax.enterprise Highest Vendor pom parent-artifactid weld-api-parent Low Vendor Manifest implementation-url http://www.seamframework.org/Weld/cdi-api Low Vendor pom name CDI APIs High Vendor Manifest Implementation-Vendor Seam Framework High Vendor pom parent-groupid org.jboss.weld Medium Vendor Manifest specification-vendor Seam Framework Low Vendor pom artifactid cdi-api Low Vendor file name cdi-api High Vendor jar package name enterprise Highest Product Manifest specification-title CDI APIs Medium Product pom artifactid cdi-api Highest Product jar package name javax Highest Product pom parent-artifactid weld-api-parent Medium Product pom groupid javax.enterprise Highest Product Manifest implementation-url http://www.seamframework.org/Weld/cdi-api Low Product pom name CDI APIs High Product pom parent-groupid org.jboss.weld Medium Product file name cdi-api High Product Manifest Implementation-Title CDI APIs High Product jar package name enterprise Highest Version file version 1.0 High Version pom version 1.0 Highest
commons-io-2.5.jar
Description: The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256: a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor pom groupid commons-io Highest Vendor jar package name apache Highest Vendor file name commons-io High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor Manifest implementation-build tags/commons-io-2.5@r1739098; 2016-04-14 09:19:54-0400 Low Vendor pom name Apache Commons IO High Vendor jar package name commons Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom artifactid commons-io Low Vendor pom parent-groupid org.apache.commons Medium Vendor jar package name io Highest Vendor Manifest implementation-url http://commons.apache.org/proper/commons-io/ Low Vendor pom url http://commons.apache.org/proper/commons-io/ Highest Vendor pom parent-artifactid commons-parent Low Vendor Manifest bundle-symbolicname org.apache.commons.io Medium Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-io/ Low Product jar package name apache Highest Product pom groupid commons-io Highest Product file name commons-io High Product pom url http://commons.apache.org/proper/commons-io/ Medium Product Manifest implementation-build tags/commons-io-2.5@r1739098; 2016-04-14 09:19:54-0400 Low Product pom name Apache Commons IO High Product jar package name commons Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom parent-groupid org.apache.commons Medium Product jar package name io Highest Product Manifest specification-title Apache Commons IO Medium Product pom artifactid commons-io Highest Product Manifest implementation-url http://commons.apache.org/proper/commons-io/ Low Product Manifest Implementation-Title Apache Commons IO High Product pom parent-artifactid commons-parent Medium Product Manifest bundle-symbolicname org.apache.commons.io Medium 
Product Manifest bundle-docurl http://commons.apache.org/proper/commons-io/ Low Product Manifest Bundle-Name Apache Commons IO Medium Version file version 2.5 High Version pom parent-version 2.5 Low Version pom version 2.5 Highest Version Manifest Implementation-Version 2.5 High
Published Vulnerabilities
CVE-2021-29425
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: MEDIUM (4.8)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
commons-lang3-3.6.jar
Description: Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256: 89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor Manifest automatic-module-name org.apache.commons.lang3 Medium Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-lang/ Low Vendor pom url http://commons.apache.org/proper/commons-lang/ Highest Vendor jar package name commons Highest Vendor Manifest bundle-symbolicname org.apache.commons.lang3 Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom parent-groupid org.apache.commons Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom artifactid commons-lang3 Low Vendor jar package name lang3 Highest Vendor pom parent-artifactid commons-parent Low Vendor pom groupid org.apache.commons Highest Vendor Manifest implementation-url http://commons.apache.org/proper/commons-lang/ Low Vendor Manifest Implementation-Vendor-Id org.apache.commons Medium Vendor file name commons-lang3 High Vendor pom name Apache Commons Lang High Vendor pom groupid apache.commons Highest Product jar package name apache Highest Product Manifest Bundle-Name Apache Commons Lang Medium Product Manifest automatic-module-name org.apache.commons.lang3 Medium Product Manifest bundle-docurl http://commons.apache.org/proper/commons-lang/ Low Product jar package name commons Highest Product Manifest bundle-symbolicname org.apache.commons.lang3 Medium Product pom artifactid commons-lang3 Highest Product pom parent-groupid org.apache.commons Medium Product Manifest Implementation-Title Apache Commons Lang High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest specification-title Apache Commons Lang Medium Product jar package name lang3 Highest Product Manifest implementation-url http://commons.apache.org/proper/commons-lang/ Low Product pom parent-artifactid commons-parent Medium 
Product pom url http://commons.apache.org/proper/commons-lang/ Medium Product file name commons-lang3 High Product pom name Apache Commons Lang High Product pom groupid apache.commons Highest Version pom parent-version 3.6 Low Version file version 3.6 High Version Manifest Implementation-Version 3.6 High Version pom version 3.6 Highest
guava-15.0.jar
Description: Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has two code dependencies - javax.annotation per the JSR-305 spec and javax.inject per the JSR-330 spec.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/guava/guava/15.0/guava-15.0.jar
MD5: 2c10bb2ca3ac8b55b0e77e54a7eb3744
SHA1: ed727a8d9f247e2050281cb083f1c77b09dcb5cd
SHA256: 7a34575770eebc60a5476616e3676a6cb6f2975c78c415e2a6014ac724ba5783
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor pom groupid com.google.guava Highest Vendor pom groupid google.guava Highest Vendor pom artifactid guava Low Vendor file name guava High Vendor jar package name google Highest Vendor Manifest bundle-symbolicname com.google.guava Medium Vendor pom parent-groupid com.google.guava Medium Vendor pom name Guava: Google Core Libraries for Java High Vendor pom parent-artifactid guava-parent Low Product Manifest Bundle-Name Guava: Google Core Libraries for Java Medium Product pom groupid google.guava Highest Product file name guava High Product jar package name google Highest Product Manifest bundle-symbolicname com.google.guava Medium Product pom parent-groupid com.google.guava Medium Product pom parent-artifactid guava-parent Medium Product pom name Guava: Google Core Libraries for Java High Product pom artifactid guava Highest Version pom version 15.0 Highest Version file version 15.0 High
Published Vulnerabilities
CVE-2018-10237
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MISC - https://www.oracle.com/security-alerts/cpujul2020.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
MLIST - [activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1
MLIST - [activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0
MLIST - [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
MLIST - [arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version
MLIST - [cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3
MLIST - [cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project
MLIST - [hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10
MLIST - [hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project
MLIST - [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
MLIST - [lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
MLIST - [lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
MLIST - [lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
MLIST - [maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core
MLIST - [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
MLIST - [pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities
MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes
MLIST - [storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability
MLIST - [syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?
N/A - N/A
OSSINDEX - [CVE-2018-10237] Deserialization of Untrusted Data
REDHAT - RHSA-2018:2423
REDHAT - RHSA-2018:2424
REDHAT - RHSA-2018:2425
REDHAT - RHSA-2018:2428
REDHAT - RHSA-2018:2598
REDHAT - RHSA-2018:2643
REDHAT - RHSA-2018:2740
REDHAT - RHSA-2018:2741
REDHAT - RHSA-2018:2742
REDHAT - RHSA-2018:2743
REDHAT - RHSA-2018:2927
REDHAT - RHSA-2019:2858
REDHAT - RHSA-2019:3149
SECTRACK - 1041707
CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2:
Base Score: LOW (2.1)
Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: LOW (3.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
guice-4.0-no_aop.jar
Description: Guice is a lightweight dependency injection framework for Java 6 and above
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/inject/guice/4.0/guice-4.0-no_aop.jar
MD5: 64ff538a6b272442aa00a5d0707ca1d9
SHA1: 199b7acaa05b570bbccf31be998f013963e5e752
SHA256: 19393891be59b6feaf7e308bd8a3843b4e552c10cdb687ebffd7695634a250a8
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor pom groupid com.google.inject Highest Vendor Manifest bundle-docurl https://github.com/google/guice Low Vendor Manifest bundle-copyright Copyright (C) 2006 Google Inc. Low Vendor file name guice High Vendor Manifest bundle-symbolicname com.google.inject Medium Vendor jar package name google Highest Vendor jar package name inject Low Vendor jar package name google Low Vendor jar package name inject Highest Vendor jar package name internal Low Vendor Manifest eclipse-extensibleapi true Low Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product pom artifactid guice Highest Product Manifest bundle-docurl https://github.com/google/guice Low Product Manifest bundle-copyright Copyright (C) 2006 Google Inc. Low Product file name guice High Product Manifest Bundle-Name guice (no_aop) Medium Product Manifest bundle-symbolicname com.google.inject Medium Product jar package name google Highest Product jar package name inject Low Product jar package name dependency Highest Product jar package name inject Highest Product jar package name internal Low Product jar package name guice Highest Product Manifest eclipse-extensibleapi true Low Version file version 4.0 High Version pom version 4.0 Highest
javax.inject-1.jar
Description: The javax.inject API
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256: 91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor pom groupid javax.inject Highest Vendor jar package name javax Highest Vendor pom name javax.inject High Vendor pom artifactid javax.inject Low Vendor jar package name javax Low Vendor file name javax.inject-1 High Vendor pom url http://code.google.com/p/atinject/ Highest Vendor jar package name inject Low Vendor jar package name inject Highest Product pom groupid javax.inject Highest Product jar package name javax Highest Product pom name javax.inject High Product pom artifactid javax.inject Highest Product file name javax.inject-1 High Product jar package name inject Low Product jar package name inject Highest Product pom url http://code.google.com/p/atinject/ Medium Version pom version 1 Highest Version file version 1 Medium
jsr250-api-1.0.jar
Description: JSR-250 Reference Implementation by Glassfish
License: COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/runner/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
MD5: 4cd56b2e4977e541186de69f5126b4a6
SHA1: 5025422767732a1ab45d93abfea846513d742dcf
SHA256: a1a922d0d9b6d183ed3800dfac01d1e1eb159f0e8c6f94736931c1def54a941f
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name javax Highest Vendor pom artifactid jsr250-api Low Vendor jar package name annotation Low Vendor jar package name javax Low Vendor pom groupid javax.annotation Highest Vendor pom url http://jcp.org/aboutJava/communityprocess/final/jsr250/index.html Highest Vendor pom name JSR-250 Common Annotations for the JavaTM Platform High Vendor file name jsr250-api High Vendor jar package name annotation Highest Product jar package name javax Highest Product pom url http://jcp.org/aboutJava/communityprocess/final/jsr250/index.html Medium Product pom artifactid jsr250-api Highest Product jar package name annotation Low Product pom groupid javax.annotation Highest Product pom name JSR-250 Common Annotations for the JavaTM Platform High Product file name jsr250-api High Product jar package name annotation Highest Version file version 1.0 High Version pom version 1.0 Highest
maven-artifact-3.5.0.jar
File Path: /home/runner/.m2/repository/org/apache/maven/maven-artifact/3.5.0/maven-artifact-3.5.0.jar
MD5: c6989c10f8f2304b47db9fae361ff32b
SHA1: 452acdffbb7fcb272db66685dd54983ce2e07f93
SHA256: 4eeea2bb80b5e922a138acd01ebbba65f0aa29030806123eae19fc75802805ea
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom name Maven Artifact High Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor jar package name artifact Highest Vendor pom groupid org.apache.maven Highest Vendor pom artifactid maven-artifact Low Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor file name maven-artifact High Vendor pom parent-groupid org.apache.maven Medium Product Manifest Implementation-Title Maven Artifact High Product jar package name apache Highest Product pom name Maven Artifact High Product file name maven-artifact High Product jar package name maven Highest Product Manifest specification-title Maven Artifact Medium Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product pom artifactid maven-artifact Highest Product pom parent-artifactid maven Medium Product jar package name artifact Highest Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-builder-support-3.5.0.jar
Description: Support for descriptor builders (model, setting, toolchains)
File Path: /home/runner/.m2/repository/org/apache/maven/maven-builder-support/3.5.0/maven-builder-support-3.5.0.jar
MD5: 50b21e8103297495961107877c61a361
SHA1: 9e2c5cfea0b1dd4868633ac0c0a496771219ec82
SHA256: 519704818d40d5bffe37341b1c0b55712b55c1c6cb4e4df9d67a6821031d6e3d
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor pom name Maven Builder Support High Vendor pom groupid org.apache.maven Highest Vendor pom artifactid maven-builder-support Low Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor file name maven-builder-support High Vendor pom parent-groupid org.apache.maven Medium Product pom artifactid maven-builder-support Highest Product Manifest specification-title Maven Builder Support Medium Product jar package name apache Highest Product Manifest Implementation-Title Maven Builder Support High Product file name maven-builder-support High Product jar package name maven Highest Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product pom parent-artifactid maven Medium Product pom name Maven Builder Support High Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-core-3.5.0.jar
Description: Maven Core classes.
File Path: /home/runner/.m2/repository/org/apache/maven/maven-core/3.5.0/maven-core-3.5.0.jar
MD5: 2c48bcffa98b81a33739d5dd6c6e48f7
SHA1: 63e7620b8aaf57fc9b3f38341a18197696faa4a1
SHA256: 0fa43109b128574a31cf9f30aefe3b20b40ba677b54bd111fc3724cddd1b7366
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor file name maven-core High Vendor pom artifactid maven-core Low Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor pom groupid org.apache.maven Highest Vendor pom name Maven Core High Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor pom parent-groupid org.apache.maven Medium Product jar package name apache Highest Product pom artifactid maven-core Highest Product file name maven-core High Product pom name Maven Core High Product Manifest Implementation-Title Maven Core High Product jar package name maven Highest Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product Manifest specification-title Maven Core Medium Product pom parent-artifactid maven Medium Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
Published Vulnerabilities
CVE-2021-26291
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CWE-346 Origin Validation Error
CVSSv2:
Base Score: MEDIUM (6.4)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
maven-invoker-3.0.1.jar
Description: A component to programmatically invoke Maven.
File Path: /home/runner/.m2/repository/org/apache/maven/shared/maven-invoker/3.0.1/maven-invoker-3.0.1.jar
MD5: 2ddaa20a76df9e72504c4e0f481dc0d9
SHA1: d98b7d7aeb575a0d677a3c164232e86c6cd42f11
SHA256: d20e5d26c19c04199c73fd4f0b6caebf4bbdc6b872a4504c5e71a192751d9464
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor pom name Apache Maven Invoker High Vendor jar package name apache Highest Vendor pom parent-artifactid maven-shared-components Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.maven.shared Medium Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor file name maven-invoker High Vendor Manifest Implementation-Vendor-Id org.apache.maven.shared Medium Vendor pom artifactid maven-invoker Low Vendor pom groupid org.apache.maven.shared Highest Vendor jar package name invoker Highest Vendor pom groupid apache.maven.shared Highest Vendor jar package name shared Highest Vendor Manifest implementation-url https://maven.apache.org/shared/maven-invoker/ Low Product pom artifactid maven-invoker Highest Product pom name Apache Maven Invoker High Product jar package name apache Highest Product pom parent-groupid org.apache.maven.shared Medium Product jar package name maven Highest Product Manifest specification-title Apache Maven Invoker Medium Product file name maven-invoker High Product Manifest Implementation-Title Apache Maven Invoker High Product jar package name invoker Highest Product pom groupid apache.maven.shared Highest Product jar package name shared Highest Product Manifest implementation-url https://maven.apache.org/shared/maven-invoker/ Low Product pom parent-artifactid maven-shared-components Medium Version pom version 3.0.1 Highest Version file version 3.0.1 High Version Manifest Implementation-Version 3.0.1 High Version pom parent-version 3.0.1 Low
maven-model-3.5.0.jar
Description: Model for Maven POM (Project Object Model)
File Path: /home/runner/.m2/repository/org/apache/maven/maven-model/3.5.0/maven-model-3.5.0.jar
MD5: fffd68a5478a16544db08551c511362c
SHA1: 9a190a111f2751941a22a3efeea954d09931ad4e
SHA256: fbc2072294c126563aebf2d759881de3e87929c4806a5a5ea35b2490543a3125
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom name Maven Model High Vendor jar package name model Highest Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor pom artifactid maven-model Low Vendor pom groupid org.apache.maven Highest Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor file name maven-model High Vendor pom parent-groupid org.apache.maven Medium Product jar package name apache Highest Product pom name Maven Model High Product jar package name model Highest Product file name maven-model High Product Manifest Implementation-Title Maven Model High Product jar package name maven Highest Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product Manifest specification-title Maven Model Medium Product pom parent-artifactid maven Medium Product pom artifactid maven-model Highest Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-model-builder-3.5.0.jar
Description: The effective model builder, with inheritance, profile activation, interpolation, ...
File Path: /home/runner/.m2/repository/org/apache/maven/maven-model-builder/3.5.0/maven-model-builder-3.5.0.jar
MD5: 47e2b7f37bd9c1da8f12d1b82aa67541
SHA1: ecf90ed942898baaeb3edb1a97778b5e7f307c96
SHA256: 5c2fde88eea4c5e5ae41d26e8b5aab8192ac76f58b718979865c9c2878641016
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor pom artifactid maven-model-builder Low Vendor file name maven-model-builder High Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom name Maven Model Builder High Vendor jar package name model Highest Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor jar package name interpolation Highest Vendor pom groupid org.apache.maven Highest Vendor jar package name profile Highest Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor pom parent-groupid org.apache.maven Medium Vendor jar package name inheritance Highest Product file name maven-model-builder High Product jar package name apache Highest Product pom name Maven Model Builder High Product jar package name model Highest Product jar package name maven Highest Product Manifest specification-title Maven Model Builder Medium Product pom groupid apache.maven Highest Product jar package name interpolation Highest Product Manifest Implementation-Title Maven Model Builder High Product jar package name profile Highest Product pom parent-groupid org.apache.maven Medium Product jar package name inheritance Highest Product pom parent-artifactid maven Medium Product pom artifactid maven-model-builder Highest Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-plugin-api-3.5.0.jar
Description: The API for plugins - Mojos - development.
File Path: /home/runner/.m2/repository/org/apache/maven/maven-plugin-api/3.5.0/maven-plugin-api-3.5.0.jar
MD5: 2592297deeaa3e2694f8270dab183ef8
SHA1: 3602f2ad2da983ce32bad4f0b5a1af7bc8ed2555
SHA256: f9b415b52e813d61e5707eacdea3ced651de7cf0a8d881976d7953d9b5fa8e09
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom artifactid maven-plugin-api Low Vendor file name maven-plugin-api High Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor pom groupid org.apache.maven Highest Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor jar package name plugin Highest Vendor pom parent-groupid org.apache.maven Medium Vendor pom name Maven Plugin API High Product Manifest Implementation-Title Maven Plugin API High Product jar package name apache Highest Product Manifest specification-title Maven Plugin API Medium Product file name maven-plugin-api High Product jar package name maven Highest Product jar package name plugin Highest Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product pom parent-artifactid maven Medium Product pom name Maven Plugin API High Product pom artifactid maven-plugin-api Highest Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-repository-metadata-3.5.0.jar
Description: Per-directory local and remote repository metadata.
File Path: /home/runner/.m2/repository/org/apache/maven/maven-repository-metadata/3.5.0/maven-repository-metadata-3.5.0.jar
MD5: 6a1e0536493f2751a370160864fb0914
SHA1: 09a589247647ed96eb6e7dd364711c72a94309cf
SHA256: 9cb27a680f75c9d8f4de7e483b5f6b845b2ad08d51f8c12cb3a7287f3d8feadd
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name repository Highest Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor pom groupid org.apache.maven Highest Vendor file name maven-repository-metadata High Vendor pom name Maven Repository Metadata Model High Vendor pom artifactid maven-repository-metadata Low Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor pom parent-groupid org.apache.maven Medium Product jar package name apache Highest Product Manifest specification-title Maven Repository Metadata Model Medium Product pom artifactid maven-repository-metadata Highest Product file name maven-repository-metadata High Product pom name Maven Repository Metadata Model High Product jar package name repository Highest Product jar package name maven Highest Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product pom parent-artifactid maven Medium Product Manifest Implementation-Title Maven Repository Metadata Model High Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-resolver-api-1.0.3.jar
Description: The application programming interface for the repository system.
File Path: /home/runner/.m2/repository/org/apache/maven/resolver/maven-resolver-api/1.0.3/maven-resolver-api-1.0.3.jar
MD5: eea62dfa43808a1a94a44d795f9a1897
SHA1: d162383a7c06dd967aff68a49577660f1a52e41f
SHA256: e2df3cf0ec6fe79b0d86ba5439c6f07879b81188c417d12625f39f30682d7170
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.maven.resolver Medium Vendor jar package name repository Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.maven.resolver Medium Vendor file name maven-resolver-api High Vendor jar package name artifact Highest Vendor pom groupid apache.maven.resolver Highest Vendor pom artifactid maven-resolver-api Low Vendor pom groupid org.apache.maven.resolver Highest Vendor pom name Maven Artifact Resolver API High Vendor pom parent-artifactid maven-resolver Low Product pom groupid apache.maven.resolver Highest Product pom parent-groupid org.apache.maven.resolver Medium Product jar package name repository Highest Product Manifest Implementation-Title Maven Artifact Resolver API High Product Manifest specification-title Maven Artifact Resolver API Medium Product file name maven-resolver-api High Product pom artifactid maven-resolver-api Highest Product pom name Maven Artifact Resolver API High Product jar package name artifact Highest Product pom parent-artifactid maven-resolver Medium Version Manifest Implementation-Version 1.0.3 High Version pom version 1.0.3 Highest Version file version 1.0.3 High
maven-resolver-impl-1.0.3.jar
Description: An implementation of the repository system.
File Path: /home/runner/.m2/repository/org/apache/maven/resolver/maven-resolver-impl/1.0.3/maven-resolver-impl-1.0.3.jar
MD5: bf2c92953dd77edc7858ee0eaf3879c9
SHA1: 965c004fd9204ccec87ea9fa4744f2b066cb4f14
SHA256: 1e64010d15da5feb2b118bccb5b10d565175cd515884da1d210b702630d234a6
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor file name maven-resolver-impl High Vendor pom groupid apache.maven.resolver Highest Vendor pom artifactid maven-resolver-impl Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.maven.resolver Medium Vendor jar package name impl Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.maven.resolver Medium Vendor pom groupid org.apache.maven.resolver Highest Vendor pom parent-artifactid maven-resolver Low Vendor pom name Maven Artifact Resolver Implementation High Product file name maven-resolver-impl High Product Manifest Implementation-Title Maven Artifact Resolver Implementation High Product pom groupid apache.maven.resolver Highest Product pom artifactid maven-resolver-impl Highest Product pom parent-groupid org.apache.maven.resolver Medium Product jar package name impl Highest Product Manifest specification-title Maven Artifact Resolver Implementation Medium Product pom parent-artifactid maven-resolver Medium Product pom name Maven Artifact Resolver Implementation High Version Manifest Implementation-Version 1.0.3 High Version pom version 1.0.3 Highest Version file version 1.0.3 High
maven-resolver-provider-3.5.0.jar
Description: Extensions to Maven Resolver for utilizing Maven POM and repository metadata.
File Path: /home/runner/.m2/repository/org/apache/maven/maven-resolver-provider/3.5.0/maven-resolver-provider-3.5.0.jar
MD5: 70a08c2721d2125ab9e37401c5beb8b1
SHA1: 89cf5f9d5a40d318c97033fdfd2676353f28a51d
SHA256: 2fac481ac56d75b53de577da28a19961db2be871a86440c84da513f61c51fce4
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name repository Highest Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor file name maven-resolver-provider High Vendor pom groupid apache.maven Highest Vendor pom groupid org.apache.maven Highest Vendor pom name Maven Artifact Resolver Provider High Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor pom artifactid maven-resolver-provider Low Vendor pom parent-groupid org.apache.maven Medium Product jar package name apache Highest Product pom name Maven Artifact Resolver Provider High Product jar package name repository Highest Product Manifest Implementation-Title Maven Artifact Resolver Provider High Product jar package name maven Highest Product file name maven-resolver-provider High Product Manifest specification-title Maven Artifact Resolver Provider Medium Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product pom artifactid maven-resolver-provider Highest Product pom parent-artifactid maven Medium Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-resolver-spi-1.0.3.jar
Description: The service provider interface for repository system implementations and repository connectors.
File Path: /home/runner/.m2/repository/org/apache/maven/resolver/maven-resolver-spi/1.0.3/maven-resolver-spi-1.0.3.jar
MD5: b519d4a026345a27655b4059cd1ebc37
SHA1: 88fc571821be248bd930654811be753eafb7bb9e
SHA256: 7955cb4e4edc883ed40799f9dc2ab3c2d1d8b57869e042d15c98de623216b0eb
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor pom groupid apache.maven.resolver Highest Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.maven.resolver Medium Vendor pom name Maven Artifact Resolver SPI High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom artifactid maven-resolver-spi Low Vendor Manifest Implementation-Vendor-Id org.apache.maven.resolver Medium Vendor file name maven-resolver-spi High Vendor pom groupid org.apache.maven.resolver Highest Vendor jar package name spi Highest Vendor pom parent-artifactid maven-resolver Low Product pom groupid apache.maven.resolver Highest Product pom parent-groupid org.apache.maven.resolver Medium Product pom name Maven Artifact Resolver SPI High Product Manifest Implementation-Title Maven Artifact Resolver SPI High Product file name maven-resolver-spi High Product Manifest specification-title Maven Artifact Resolver SPI Medium Product pom artifactid maven-resolver-spi Highest Product jar package name spi Highest Product pom parent-artifactid maven-resolver Medium Version Manifest Implementation-Version 1.0.3 High Version pom version 1.0.3 Highest Version file version 1.0.3 High
maven-resolver-util-1.0.3.jar
Description: A collection of utility classes to ease usage of the repository system.
File Path: /home/runner/.m2/repository/org/apache/maven/resolver/maven-resolver-util/1.0.3/maven-resolver-util-1.0.3.jar
MD5: a9083786444ab3240f2b41c7c0001ad4
SHA1: 5c22b590fb3842db214e549ddef775a9c2e1e7e8
SHA256: 7df50d401cefb4e2e5ad96d508421289c3b4274ceda50fb32aae3089af0d5fcc
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name util Highest Vendor pom parent-groupid org.apache.maven.resolver Medium Vendor jar package name repository Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache.maven.resolver Medium Vendor jar package name artifact Highest Vendor pom groupid apache.maven.resolver Highest Vendor pom name Maven Artifact Resolver Utilities High Vendor file name maven-resolver-util High Vendor pom artifactid maven-resolver-util Low Vendor pom groupid org.apache.maven.resolver Highest Vendor pom parent-artifactid maven-resolver Low Product Manifest Implementation-Title Maven Artifact Resolver Utilities High Product pom groupid apache.maven.resolver Highest Product jar package name util Highest Product pom name Maven Artifact Resolver Utilities High Product pom parent-groupid org.apache.maven.resolver Medium Product jar package name repository Highest Product file name maven-resolver-util High Product Manifest specification-title Maven Artifact Resolver Utilities Medium Product pom artifactid maven-resolver-util Highest Product jar package name artifact Highest Product pom parent-artifactid maven-resolver Medium Version Manifest Implementation-Version 1.0.3 High Version pom version 1.0.3 Highest Version file version 1.0.3 High
maven-settings-3.5.0.jar
Description: Maven Settings model.
File Path: /home/runner/.m2/repository/org/apache/maven/maven-settings/3.5.0/maven-settings-3.5.0.jar
MD5: bff92e35162e619eb477fe90ad478fdd
SHA1: 3bee97b7653f28c3f620b1310714ee0a1d566e63
SHA256: 322250f009aac4e45466567b4eb17e80a3e86368778e59173b77f09d7fbc4c8f
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name settings Highest Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor file name maven-settings High Vendor pom groupid apache.maven Highest Vendor pom groupid org.apache.maven Highest Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor pom artifactid maven-settings Low Vendor pom parent-groupid org.apache.maven Medium Vendor pom name Maven Settings High Product jar package name apache Highest Product Manifest specification-title Maven Settings Medium Product jar package name settings Highest Product Manifest Implementation-Title Maven Settings High Product jar package name maven Highest Product file name maven-settings High Product pom groupid apache.maven Highest Product pom artifactid maven-settings Highest Product pom parent-groupid org.apache.maven Medium Product pom name Maven Settings High Product pom parent-artifactid maven Medium Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-settings-builder-3.5.0.jar
Description: The effective settings builder, with inheritance and password decryption.
File Path: /home/runner/.m2/repository/org/apache/maven/maven-settings-builder/3.5.0/maven-settings-builder-3.5.0.jar
MD5: f9f3487230ec7c1454e0fbda21f499a1
SHA1: 6ece4bb891b02e5ac1a7d057fa264be1f48cc54f
SHA256: aebf955582ee7d63f5b4c06dc56c11199f2c3321bb7cccacc61126b6c9f130a5
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor pom parent-artifactid maven Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name settings Highest Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom groupid apache.maven Highest Vendor pom name Maven Settings Builder High Vendor pom groupid org.apache.maven Highest Vendor file name maven-settings-builder High Vendor Manifest Implementation-Vendor-Id org.apache.maven Medium Vendor pom artifactid maven-settings-builder Low Vendor pom parent-groupid org.apache.maven Medium Product Manifest specification-title Maven Settings Builder Medium Product jar package name apache Highest Product file name maven-settings-builder High Product Manifest Implementation-Title Maven Settings Builder High Product jar package name settings Highest Product jar package name maven Highest Product pom groupid apache.maven Highest Product pom parent-groupid org.apache.maven Medium Product pom artifactid maven-settings-builder Highest Product pom parent-artifactid maven Medium Product pom name Maven Settings Builder High Version pom version 3.5.0 Highest Version Manifest Implementation-Version 3.5.0 High Version file version 3.5.0 High
maven-shared-utils-3.1.0.jar
Description: Shared utils without any further dependencies
File Path: /home/runner/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.1.0/maven-shared-utils-3.1.0.jar
MD5: fae66822468c5f3e7853d1193f98b849
SHA1: 78d8798fe84d5e095577221d299e9a3c8e696bca
SHA256: 88e5334c4c29a6e81c74a1d814c54a9a3b1e4fc6560a95da196fe16928095471
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name utils Highest Vendor jar package name apache Highest Vendor pom parent-artifactid maven-shared-components Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.maven.shared Medium Vendor file name maven-shared-utils High Vendor jar package name maven Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom name Apache Maven Shared Utils High Vendor pom artifactid maven-shared-utils Low Vendor Manifest Implementation-Vendor-Id org.apache.maven.shared Medium Vendor pom groupid org.apache.maven.shared Highest Vendor pom groupid apache.maven.shared Highest Vendor jar package name shared Highest Vendor Manifest implementation-url https://maven.apache.org/shared/maven-shared-utils/ Low Product jar package name utils Highest Product jar package name apache Highest Product pom parent-groupid org.apache.maven.shared Medium Product file name maven-shared-utils High Product jar package name maven Highest Product pom name Apache Maven Shared Utils High Product pom artifactid maven-shared-utils Highest Product Manifest Implementation-Title Apache Maven Shared Utils High Product pom groupid apache.maven.shared Highest Product jar package name shared Highest Product Manifest implementation-url https://maven.apache.org/shared/maven-shared-utils/ Low Product Manifest specification-title Apache Maven Shared Utils Medium Product pom parent-artifactid maven-shared-components Medium Version Manifest Implementation-Version 3.1.0 High Version file version 3.1.0 High Version pom parent-version 3.1.0 Low Version pom version 3.1.0 Highest
org.eclipse.sisu.inject-0.3.3.jar
License: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.3/org.eclipse.sisu.inject-0.3.3.jar
MD5: 47ff59586827a2e705183c678e70404f
SHA1: b163fc1e714db5f9b389ec11f11950b5913e454c
SHA256: c6935e0b7d362ed4ca768c9b71d5d4d98788ff0a79c0d2bb954c221a078b166b
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor jar package name eclipse Highest Vendor file name org.eclipse.sisu.inject High Vendor pom groupid eclipse.sisu Highest Vendor Manifest bundle-symbolicname org.eclipse.sisu.inject;singleton:=true Medium Vendor Manifest bundle-docurl http://www.eclipse.org/sisu/ Low Vendor pom groupid org.eclipse.sisu Highest Vendor pom parent-artifactid sisu-inject Low Vendor pom parent-groupid org.eclipse.sisu Medium Vendor pom artifactid eclipse.sisu.inject Low Vendor jar package name inject Highest Vendor Manifest bundle-copyright Copyright (c) 2010, 2015 Sonatype, Inc. and others Low Vendor jar package name sisu Highest Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product jar package name eclipse Highest Product file name org.eclipse.sisu.inject High Product pom groupid eclipse.sisu Highest Product Manifest bundle-symbolicname org.eclipse.sisu.inject;singleton:=true Medium Product Manifest bundle-docurl http://www.eclipse.org/sisu/ Low Product jar package name sonatype Highest Product pom artifactid eclipse.sisu.inject Highest Product pom parent-groupid org.eclipse.sisu Medium Product pom artifactid org.eclipse.sisu.inject Highest Product pom parent-artifactid sisu-inject Medium Product jar package name inject Highest Product Manifest Bundle-Name Sisu-Inject (Incubation) Medium Product Manifest bundle-copyright Copyright (c) 2010, 2015 Sonatype, Inc. and others Low Product jar package name sisu Highest Version file version 0.3.3 High Version Manifest Bundle-Version 0.3.3 High Version pom version 0.3.3 Highest
org.eclipse.sisu.plexus-0.3.3.jar
License: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.3/org.eclipse.sisu.plexus-0.3.3.jar
MD5: 02eeaf9f89f7249f9f7bbab2771f5ef5
SHA1: 2c892c1fe0cd2dabcc729e1cbff3524b4847b1fe
SHA256: 98045f5ecd802d6a96ba00394f8cb61259f9ac781ec2cb51ca0cb7b2c94ac720
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor Manifest bundle-symbolicname org.eclipse.sisu.plexus;singleton:=true Medium Vendor jar package name eclipse Highest Vendor pom parent-artifactid sisu-plexus Low Vendor pom groupid eclipse.sisu Highest Vendor Manifest bundle-docurl http://www.eclipse.org/sisu/ Low Vendor pom groupid org.eclipse.sisu Highest Vendor pom artifactid eclipse.sisu.plexus Low Vendor pom parent-groupid org.eclipse.sisu Medium Vendor jar package name plexus Highest Vendor file name org.eclipse.sisu.plexus High Vendor Manifest bundle-copyright Copyright (c) 2010, 2015 Sonatype, Inc. and others Low Vendor jar package name sisu Highest Product pom artifactid org.eclipse.sisu.plexus Highest Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product Manifest bundle-symbolicname org.eclipse.sisu.plexus;singleton:=true Medium Product jar package name eclipse Highest Product pom groupid eclipse.sisu Highest Product Manifest bundle-docurl http://www.eclipse.org/sisu/ Low Product pom parent-artifactid sisu-plexus Medium Product pom parent-groupid org.eclipse.sisu Medium Product pom artifactid eclipse.sisu.plexus Highest Product jar package name plexus Highest Product Manifest Bundle-Name Sisu-Plexus (Incubation) Medium Product file name org.eclipse.sisu.plexus High Product Manifest bundle-copyright Copyright (c) 2010, 2015 Sonatype, Inc. and others Low Product jar package name sisu Highest Version file version 0.3.3 High Version Manifest Bundle-Version 0.3.3 High Version pom version 0.3.3 Highest
plexus-cipher-1.4.jar
File Path: /home/runner/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
SHA256: 5a15fdba22669e0fdd06e10dcce6320879e1f7398fbc910cd0677b50672a78c4
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name plexus Low Vendor pom parent-artifactid spice-parent Low Vendor jar package name sonatype Highest Vendor jar package name cipher Highest Vendor jar package name components Low Vendor jar package name sonatype Low Vendor pom parent-groupid org.sonatype.spice Medium Vendor pom groupid org.sonatype.plexus Highest Vendor pom artifactid plexus-cipher Low Vendor pom url http://spice.sonatype.org/${project.artifactId} Highest Vendor jar package name plexus Highest Vendor file name plexus-cipher High Vendor pom groupid sonatype.plexus Highest Vendor pom name Plexus Cipher: encryption/decryption Component High Product jar package name plexus Low Product pom parent-artifactid spice-parent Medium Product jar package name sonatype Highest Product pom url http://spice.sonatype.org/${project.artifactId} Medium Product jar package name cipher Highest Product jar package name components Low Product pom parent-groupid org.sonatype.spice Medium Product jar package name plexus Highest Product jar package name cipher Low Product file name plexus-cipher High Product pom groupid sonatype.plexus Highest Product pom name Plexus Cipher: encryption/decryption Component High Product pom artifactid plexus-cipher Highest Version file version 1.4 High Version pom version 1.4 Highest Version pom parent-version 1.4 Low
plexus-classworlds-2.5.2.jar
Description: A class loader framework
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.jar
MD5: 53b54feee8cef6b843bd6748bda4bfa7
SHA1: 4abb111bfdace5b8167db4c0ef74644f3f88f142
SHA256: b2931d41740490a8d931cbe0cfe9ac20deb66cca606e679f52522f7f534c9fd7
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor file name plexus-classworlds High Vendor pom artifactid plexus-classworlds Low Vendor Manifest bundle-docurl http://www.codehaus.org/ Low Vendor pom parent-groupid org.codehaus.plexus Medium Vendor pom groupid org.codehaus.plexus Highest Vendor Manifest bundle-symbolicname org.codehaus.plexus.classworlds Medium Vendor pom name Plexus Classworlds High Vendor jar package name classworlds Highest Vendor jar package name plexus Highest Vendor pom groupid codehaus.plexus Highest Vendor jar package name codehaus Highest Vendor pom parent-artifactid plexus Low Product file name plexus-classworlds High Product Manifest bundle-docurl http://www.codehaus.org/ Low Product pom parent-artifactid plexus Medium Product pom parent-groupid org.codehaus.plexus Medium Product Manifest bundle-symbolicname org.codehaus.plexus.classworlds Medium Product pom artifactid plexus-classworlds Highest Product pom name Plexus Classworlds High Product jar package name classworlds Highest Product jar package name plexus Highest Product pom groupid codehaus.plexus Highest Product jar package name codehaus Highest Product Manifest Bundle-Name Plexus Classworlds Medium Version pom parent-version 2.5.2 Low Version file version 2.5.2 High Version pom version 2.5.2 Highest Version Manifest Bundle-Version 2.5.2 High
plexus-component-annotations-1.7.1.jar
Description: Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with standard annotations instead of javadoc annotations.
File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.7.1/plexus-component-annotations-1.7.1.jar
MD5: 8674737da39fb173a2f290c6798e7cc9
SHA1: 862abca6deff0fff241a835a33d22559e9132069
SHA256: a7fee9435db716bff593e9fb5622bcf9f25e527196485929b0cd4065c43e61df
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name codehaus Low Vendor jar package name plexus Low Vendor file name plexus-component-annotations High Vendor pom parent-groupid org.codehaus.plexus Medium Vendor jar package name annotations Highest Vendor pom name Plexus :: Component Annotations High Vendor pom groupid org.codehaus.plexus Highest Vendor pom groupid codehaus.plexus Highest Vendor jar package name plexus Highest Vendor jar package name codehaus Highest Vendor jar package name component Highest Vendor pom artifactid plexus-component-annotations Low Vendor pom parent-artifactid plexus-containers Low Vendor jar package name component Low Product jar package name plexus Low Product pom parent-artifactid plexus-containers Medium Product file name plexus-component-annotations High Product pom parent-groupid org.codehaus.plexus Medium Product jar package name annotations Highest Product pom name Plexus :: Component Annotations High Product jar package name annotations Low Product pom artifactid plexus-component-annotations Highest Product pom groupid codehaus.plexus Highest Product jar package name plexus Highest Product jar package name codehaus Highest Product jar package name component Highest Product jar package name component Low Version pom version 1.7.1 Highest Version file version 1.7.1 High
plexus-interpolation-1.24.jar
Description: The Plexus project provides a full software stack for creating and executing software projects.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.24/plexus-interpolation-1.24.jar
MD5: 85989fb1e6474a168207e47ccea8eb5e
SHA1: ff3f217127fbd6846bba831ab156e227db2cf347
SHA256: 8fe2be04b067a75d02fb8a1a9caf6c1c8615f0d5577cced02e90b520763d2f77
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name interpolation Highest Vendor pom name Plexus Interpolation API High Vendor pom parent-groupid org.codehaus.plexus Medium Vendor pom groupid org.codehaus.plexus Highest Vendor Manifest bundle-symbolicname org.codehaus.plexus.interpolation Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Vendor jar package name plexus Highest Vendor pom groupid codehaus.plexus Highest Vendor jar package name codehaus Highest Vendor file name plexus-interpolation High Vendor pom artifactid plexus-interpolation Low Vendor Manifest bundle-docurl http://codehaus-plexus.github.io/ Low Vendor pom parent-artifactid plexus Low Product pom parent-artifactid plexus Medium Product jar package name interpolation Highest Product pom name Plexus Interpolation API High Product pom parent-groupid org.codehaus.plexus Medium Product pom artifactid plexus-interpolation Highest Product Manifest Bundle-Name Plexus Interpolation API Medium Product Manifest bundle-symbolicname org.codehaus.plexus.interpolation Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Product jar package name plexus Highest Product pom groupid codehaus.plexus Highest Product jar package name codehaus Highest Product file name plexus-interpolation High Product Manifest bundle-docurl http://codehaus-plexus.github.io/ Low Version pom version 1.24 Highest Version file version 1.24 High Version pom parent-version 1.24 Low
plexus-sec-dispatcher-1.4.jar
File Path: /home/runner/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.4/plexus-sec-dispatcher-1.4.jar
MD5: 0a46e5bc9bc2fbd3b68091066aff2737
SHA1: 43fde524e9b94c883727a9fddb8669181b890ea7
SHA256: da73e32b58132e64daf12269fd9d011c0b303f234840f179908725a632b6b57c
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name plexus Low Vendor pom parent-artifactid spice-parent Low Vendor jar package name sec Highest Vendor jar package name sonatype Highest Vendor jar package name components Low Vendor jar package name sonatype Low Vendor file name plexus-sec-dispatcher High Vendor pom parent-groupid org.sonatype.spice Medium Vendor pom groupid org.sonatype.plexus Highest Vendor pom url http://spice.sonatype.org/${project.artifactId} Highest Vendor jar package name plexus Highest Vendor pom name Plexus Security Dispatcher Component High Vendor pom artifactid plexus-sec-dispatcher Low Vendor pom groupid sonatype.plexus Highest Product jar package name plexus Low Product jar package name sec Highest Product pom parent-artifactid spice-parent Medium Product jar package name sonatype Highest Product pom url http://spice.sonatype.org/${project.artifactId} Medium Product jar package name components Low Product file name plexus-sec-dispatcher High Product pom parent-groupid org.sonatype.spice Medium Product jar package name plexus Highest Product pom name Plexus Security Dispatcher Component High Product pom artifactid plexus-sec-dispatcher Highest Product jar package name sec Low Product pom groupid sonatype.plexus Highest Version file version 1.4 High Version pom version 1.4 Highest Version pom parent-version 1.4 Low
plexus-utils-3.0.24.jar
Description: A collection of various utility classes to ease working with strings, files, command lines, XML and more.
File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.jar
MD5: fbefd8983c6bb4928c27c680463ff355
SHA1: b4ac9780b37cb1b736eae9fbcef27609b7c911ef
SHA256: 83ee748b12d06afb0ad4050a591132b3e8025fbb1990f1ed002e8b73293e69b4
Referenced In Project/Scope: CQ Maven Plugin:compile
Evidence Type Source Name Value Confidence Vendor jar package name codehaus Low Vendor jar package name plexus Low Vendor pom parent-groupid org.codehaus.plexus Medium Vendor pom artifactid plexus-utils Low Vendor jar package name xml Highest Vendor pom groupid org.codehaus.plexus Highest Vendor jar package name util Low Vendor pom groupid codehaus.plexus Highest Vendor jar package name plexus Highest Vendor jar package name codehaus Highest Vendor pom name Plexus Common Utilities High Vendor pom parent-artifactid plexus Low Vendor file name plexus-utils High Product jar package name plexus Low Product jar package name util Low Product pom groupid codehaus.plexus Highest Product jar package name plexus Highest Product jar package name codehaus Highest Product pom name Plexus Common Utilities High Product pom artifactid plexus-utils Highest Product pom parent-artifactid plexus Medium Product pom parent-groupid org.codehaus.plexus Medium Product jar package name xml Highest Product file name plexus-utils High Version file version 3.0.24 High Version pom version 3.0.24 Highest Version pom parent-version 3.0.24 Low