Dependency-Check Report

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
FastInfoset-1.2.15.jar	cpe:2.3:a:fast_ber_project:fast_ber:1.2.15:::::::*	pkg:maven/com.sun.xml.fastinfoset/FastInfoset@1.2.15		0	Low	44
XmlSchema-1.4.7.jar	cpe:2.3:a:apache:commons_net:1.4.7:::::::*	pkg:maven/org.apache.ws.commons.schema/XmlSchema@1.4.7	MEDIUM	1	Highest	38
accessors-smart-2.4.8.jar	cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:::::::*	pkg:maven/net.minidev/accessors-smart@2.4.8		0	Low	43
activation-1.1.1.jar	cpe:2.3:a:oracle:java_se:1.1.1:::::::*	pkg:maven/javax.activation/activation@1.1.1		0	Low	26
animal-sniffer-annotations-1.9.jar		pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.9		0		23
annotations-2.0.1.jar		pkg:maven/com.google.code.findbugs/annotations@2.0.1		0		24
ant-1.10.12.jar	cpe:2.3:a:apache:ant:1.10.12:::::::*	pkg:maven/org.apache.ant/ant@1.10.12		0	Highest	24
antlr-2.7.7.jar		pkg:maven/antlr/antlr@2.7.7		0		24
antlr4-runtime-4.7.1.jar		pkg:maven/org.antlr/antlr4-runtime@4.7.1		0		31
aopalliance-repackaged-2.6.1.jar	cpe:2.3:a:oracle:java_se:2.6.1:::::::*	pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.6.1		0	Low	25
apache-mime4j-core-0.7.2.jar		pkg:maven/org.apache.james/apache-mime4j-core@0.7.2		0		35
asm-7.1.jar		pkg:maven/org.ow2.asm/asm@7.1		0		53
aws-java-sdk-core-1.12.267.jar	cpe:2.3:a:amazon:aws-sdk-java:1.12.267:::::::*	pkg:maven/com.amazonaws/aws-java-sdk-core@1.12.267		0	Highest	22
axiom-api-1.2.15.jar	cpe:2.3:a:apache:commons_net:1.2.15:::::::*	pkg:maven/org.apache.ws.commons.axiom/axiom-api@1.2.15	MEDIUM	1	Highest	35
axiom-dom-1.2.14.jar (shaded: org.apache.ws.commons.axiom:axiom-common-impl:1.2.14)	cpe:2.3:a:apache:commons_net:1.2.14:::::::*	pkg:maven/org.apache.ws.commons.axiom/axiom-common-impl@1.2.14	MEDIUM	1	Highest	13
axiom-dom-1.2.14.jar	cpe:2.3:a:apache:commons_net:1.2.14:::::::*	pkg:maven/org.apache.ws.commons.axiom/axiom-dom@1.2.14	MEDIUM	1	Highest	33
axiom-impl-1.2.15.jar (shaded: org.apache.ws.commons.axiom:core-aspects:1.2.15)	cpe:2.3:a:apache:commons_net:1.2.15:::::::*	pkg:maven/org.apache.ws.commons.axiom/core-aspects@1.2.15	MEDIUM	1	Highest	13
axis2-adb-1.6.1.jar	cpe:2.3:a:apache:axis2:1.6.1:::::::*	pkg:maven/org.apache.axis2/axis2-adb@1.6.1	MEDIUM	1	Highest	25
axis2-kernel-1.6.4.jar	cpe:2.3:a:apache:axis2:1.6.4:::::::*	pkg:maven/org.apache.axis2/axis2-kernel@1.6.4		0	Highest	31
axis2-mtompolicy-1.6.3.jar	cpe:2.3:a:apache:axis2:1.6.3:::::::*	pkg:maven/org.apache.axis2/axis2-mtompolicy@1.6.3		0	Highest	27
backport-util-concurrent-3.1.jar		pkg:maven/backport-util-concurrent/backport-util-concurrent@3.1		0		25
bcpkix-jdk18on-1.72.jar	cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:::::::*	pkg:maven/org.bouncycastle/bcpkix-jdk18on@1.72		0	Low	66
bcprov-jdk15on-1.59.jar	cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.59:::::::* cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.59:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.59:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.59:::::::* cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.59:::::::*	pkg:maven/org.bouncycastle/bcprov-jdk15on@1.59	CRITICAL	5	Low	54
bcprov-jdk15on-1.70.jar	cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.70:::::::* cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.70:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.70:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.70:::::::* cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.70:::::::*	pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70		0	Low	60
bcprov-jdk18on-1.72.jar	cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.72:::::::* cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.72:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:::::::* cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.72:::::::* cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.72:::::::*	pkg:maven/org.bouncycastle/bcprov-jdk18on@1.72		0	Low	60
bcutil-jdk18on-1.72.jar	cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:::::::*	pkg:maven/org.bouncycastle/bcutil-jdk18on@1.72		0	Low	50
bsh-2.0b5.jar	cpe:2.3:a:beanshell:beanshell:2.0:b5::::::	pkg:maven/org.beanshell/bsh@2.0b5	HIGH	1	Highest	27
byte-buddy-1.12.9.jar (shaded: net.bytebuddy:byte-buddy-dep:1.12.9)		pkg:maven/net.bytebuddy/byte-buddy-dep@1.12.9		0		9
byte-buddy-1.12.9.jar		pkg:maven/net.bytebuddy/byte-buddy@1.12.9		0		27
c3p0-0.9.5.4.jar	cpe:2.3:a:mchange:c3p0:0.9.5.4:::::::*	pkg:maven/com.mchange/c3p0@0.9.5.4		0	Highest	31
c3p0-oracle-thin-extras-0.9.5.jar	cpe:2.3:a:mchange:c3p0:0.9.5:::::::*	pkg:maven/com.google.code.maven-play-plugin.com.mchange/c3p0-oracle-thin-extras@0.9.5	HIGH	1	Highest	29
cglib-3.3.0.jar		pkg:maven/cglib/cglib@3.3.0		0		18
checker-qual-3.5.0.jar		pkg:maven/org.checkerframework/checker-qual@3.5.0		0		60
classmate-1.5.1.jar		pkg:maven/com.fasterxml/classmate@1.5.1		0		57
commons-beanutils-1.9.4.jar	cpe:2.3:a:apache:commons_beanutils:1.9.4:::::::* cpe:2.3:a:apache:commons_net:1.9.4:::::::*	pkg:maven/commons-beanutils/commons-beanutils@1.9.4	MEDIUM	1	Highest	170
commons-cli-1.4.jar	cpe:2.3:a:apache:commons_net:1.4:::::::*	pkg:maven/commons-cli/commons-cli@1.4	MEDIUM	1	Highest	87
commons-codec-1.15.jar	cpe:2.3:a:apache:commons_net:1.15:::::::*	pkg:maven/commons-codec/commons-codec@1.15	MEDIUM	1	Highest	110
commons-collections-3.2.2.jar	cpe:2.3:a:apache:commons_collections:3.2.2:::::::* cpe:2.3:a:apache:commons_net:3.2.2:::::::*	pkg:maven/commons-collections/commons-collections@3.2.2	MEDIUM	1	Highest	86
commons-collections4-4.0.jar	cpe:2.3:a:apache:commons_collections:4.0:::::::* cpe:2.3:a:apache:commons_net:4.0:::::::*	pkg:maven/org.apache.commons/commons-collections4@4.0	HIGH	1	Highest	99
commons-csv-1.6.jar	cpe:2.3:a:apache:commons_net:1.6:::::::*	pkg:maven/org.apache.commons/commons-csv@1.6	MEDIUM	1	Highest	85
commons-dbcp-1.4.jar	cpe:2.3:a:apache:commons_net:1.4:::::::*	pkg:maven/commons-dbcp/commons-dbcp@1.4	MEDIUM	1	Highest	96
commons-digester-2.1.jar	cpe:2.3:a:apache:commons_net:2.1:::::::*	pkg:maven/commons-digester/commons-digester@2.1	MEDIUM	1	Highest	98
commons-digester3-3.2.jar	cpe:2.3:a:apache:commons_net:3.2:::::::*	pkg:maven/org.apache.commons/commons-digester3@3.2	MEDIUM	1	Highest	105
commons-exec-1.3.jar	cpe:2.3:a:apache:commons_net:1.3:::::::*	pkg:maven/org.apache.commons/commons-exec@1.3	MEDIUM	1	Highest	61
commons-fileupload-1.4.jar	cpe:2.3:a:apache:commons_fileupload:1.4:::::::* cpe:2.3:a:apache:commons_net:1.4:::::::*	pkg:maven/commons-fileupload/commons-fileupload@1.4	MEDIUM	1	Highest	117
commons-httpclient-3.1.jar	cpe:2.3:a:apache:commons-httpclient:3.1:::::::* cpe:2.3:a:apache:commons_net:3.1:::::::* cpe:2.3:a:apache:httpclient:3.1:::::::*	pkg:maven/commons-httpclient/commons-httpclient@3.1	MEDIUM	3	Highest	91
commons-io-2.11.0.jar	cpe:2.3:a:apache:commons_io:2.11.0:::::::* cpe:2.3:a:apache:commons_net:2.11.0:::::::*	pkg:maven/commons-io/commons-io@2.11.0	MEDIUM	1	Highest	125
commons-jaxrs-1.30.jar		pkg:maven/edu.psu.swe.commons/commons-jaxrs@1.30		0		67
commons-jexl-2.1.1.jar	cpe:2.3:a:apache:commons_net:2.1.1:::::::*	pkg:maven/org.apache.commons/commons-jexl@2.1.1	MEDIUM	1	Highest	90
commons-jexl3-3.0.jar	cpe:2.3:a:apache:commons_net:3.0:::::::*	pkg:maven/org.apache.commons/commons-jexl3@3.0	MEDIUM	1	Highest	93
commons-lang-2.6.jar	cpe:2.3:a:apache:commons_net:2.6:::::::*	pkg:maven/commons-lang/commons-lang@2.6	MEDIUM	1	Highest	122
commons-lang3-3.12.0.jar	cpe:2.3:a:apache:commons_net:3.12.0:::::::*	pkg:maven/org.apache.commons/commons-lang3@3.12.0		0	Highest	141
commons-logging-1.2.jar	cpe:2.3:a:apache:commons_net:1.2:::::::*	pkg:maven/commons-logging/commons-logging@1.2	MEDIUM	1	Highest	117
commons-math-1.2.jar	cpe:2.3:a:apache:commons_net:1.2:::::::*	pkg:maven/commons-math/commons-math@1.2	MEDIUM	1	Highest	82
commons-net-3.6.jar	cpe:2.3:a:apache:commons_net:3.6:::::::*	pkg:maven/commons-net/commons-net@3.6	MEDIUM	1	Highest	97
commons-pool-1.6.jar	cpe:2.3:a:apache:commons_net:1.6:::::::*	pkg:maven/commons-pool/commons-pool@1.6	MEDIUM	1	Highest	75
commons-text-1.10.0.jar	cpe:2.3:a:apache:commons_net:1.10.0:::::::* cpe:2.3:a:apache:commons_text:1.10.0:::::::*	pkg:maven/org.apache.commons/commons-text@1.10.0	MEDIUM	1	Highest	73
commons-validator-1.6.jar	cpe:2.3:a:apache:commons_net:1.6:::::::*	pkg:maven/commons-validator/commons-validator@1.6	MEDIUM	1	Highest	127
commons-vfs2-2.4.1.jar	cpe:2.3:a:apache:commons_net:2.4.1:::::::*	pkg:maven/org.apache.commons/commons-vfs2@2.4.1	MEDIUM	1	Highest	42
content-type-2.2.jar		pkg:maven/com.nimbusds/content-type@2.2		0		47
cron-parser-core-3.4.jar		pkg:maven/net.redhogs.cronparser/cron-parser-core@3.4		0		24
dom4j-2.1.3.jar	cpe:2.3:a:dom4j_project:dom4j:2.1.3:::::::*	pkg:maven/org.dom4j/dom4j@2.1.3		0	Highest	20
edu.internet2.middleware.grouper:grouper-ws-java-generated-client:2.6.0-SNAPSHOT	cpe:2.3:a:internet2:grouper:2.6.0:snapshot::::::	pkg:maven/edu.internet2.middleware.grouper/grouper-ws-java-generated-client@2.6.0-SNAPSHOT		0	Highest	6
edu.internet2.middleware.grouper:grouper-ws:2.6.0-SNAPSHOT	cpe:2.3:a:internet2:grouper:2.6.0:snapshot::::::	pkg:maven/edu.internet2.middleware.grouper/grouper-ws@2.6.0-SNAPSHOT		0	Highest	6
edu.internet2.middleware.grouper:grouper:2.6.0-SNAPSHOT	cpe:2.3:a:internet2:grouper:2.6.0:snapshot::::::	pkg:maven/edu.internet2.middleware.grouper/grouper@2.6.0-SNAPSHOT		0	Highest	6
edu.internet2.middleware.grouper:grouperClient:2.6.0-SNAPSHOT	cpe:2.3:a:internet2:grouper:2.6.0:snapshot::::::	pkg:maven/edu.internet2.middleware.grouper/grouperClient@2.6.0-SNAPSHOT		0	Highest	6
ehcache-core-2.6.10.jar		pkg:maven/net.sf.ehcache/ehcache-core@2.6.10		0		22
ehcache-core-2.6.10.jar: sizeof-agent.jar		pkg:maven/net.sf.ehcache/sizeof-agent@1.0.1		0		28
ezmorph-1.0.6.jar		pkg:maven/net.sf.ezmorph/ezmorph@1.0.6		0		32
geronimo-activation_1.1_spec-1.0.2.jar		pkg:maven/org.apache.geronimo.specs/geronimo-activation_1.1_spec@1.0.2		0		23
geronimo-javamail_1.4_spec-1.7.1.jar		pkg:maven/org.apache.geronimo.specs/geronimo-javamail_1.4_spec@1.7.1		0		33
geronimo-jta_1.1_spec-1.1.jar		pkg:maven/org.apache.geronimo.specs/geronimo-jta_1.1_spec@1.1		0		16
geronimo-stax-api_1.0_spec-1.0.1.jar		pkg:maven/org.apache.geronimo.specs/geronimo-stax-api_1.0_spec@1.0.1		0		23
geronimo-ws-metadata_2.0_spec-1.1.2.jar	cpe:2.3:a:web_project:web:1.1.2:::::::*	pkg:maven/org.apache.geronimo.specs/geronimo-ws-metadata_2.0_spec@1.1.2		0	Low	23
groovy-2.5.18.jar	cpe:2.3:a:apache:groovy:2.5.18:::::::*	pkg:maven/org.codehaus.groovy/groovy@2.5.18		0	Highest	294
groovy-xml-2.5.18.jar	cpe:2.3:a:apache:groovy:2.5.18:::::::*	pkg:maven/org.codehaus.groovy/groovy-xml@2.5.18		0	High	289
guava-18.0.jar	cpe:2.3:a:google:guava:18.0:::::::*	pkg:maven/com.google.guava/guava@18.0	MEDIUM	2	Highest	20
hibernate-commons-annotations-5.1.2.Final.jar		pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final		0		47
hibernate-core-5.6.10.Final.jar	cpe:2.3:a:hibernate:hibernate_orm:5.6.10:::::::*	pkg:maven/org.hibernate/hibernate-core@5.6.10.Final		0	Low	48
hk2-api-2.6.1.jar	cpe:2.3:a:oracle:java_se:2.6.1:::::::*	pkg:maven/org.glassfish.hk2/hk2-api@2.6.1		0	Low	28
hk2-locator-2.6.1.jar	cpe:2.3:a:service_project:service:2.6.1:::::::*	pkg:maven/org.glassfish.hk2/hk2-locator@2.6.1		0	Low	23
hk2-utils-2.6.1.jar	cpe:2.3:a:utils_project:utils:2.6.1:::::::*	pkg:maven/org.glassfish.hk2/hk2-utils@2.6.1	MEDIUM	1	Highest	29
httpclient-4.5.13.jar	cpe:2.3:a:apache:httpclient:4.5.13:::::::*	pkg:maven/org.apache.httpcomponents/httpclient@4.5.13		0	Highest	32
httpcore-4.4.14.jar		pkg:maven/org.apache.httpcomponents/httpcore@4.4.14		0		32
httpmime-4.5.13.jar		pkg:maven/org.apache.httpcomponents/httpmime@4.5.13		0		30
ion-java-1.0.2.jar		pkg:maven/software.amazon.ion/ion-java@1.0.2		0		34
istack-commons-runtime-3.0.7.jar	cpe:2.3:a:apache:commons_net:3.0.7:::::::* cpe:2.3:a:oracle:java_se:3.0.7:::::::*	pkg:maven/com.sun.istack/istack-commons-runtime@3.0.7	MEDIUM	1	Low	34
jackson-annotations-2.13.3.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.13.3:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.3		0	Low	42
jackson-annotations-2.9.0.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.9.0:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0	MEDIUM	1	Low	39
jackson-core-2.14.0.jar	cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0		0	Low	49
jackson-databind-2.14.0.jar	cpe:2.3:a:fasterxml:jackson-databind:2.14.0:::::::* cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:::::::*	pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0		0	Highest	43
jackson-dataformat-cbor-2.12.6.jar	cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.6:::::::*	pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.12.6		0	Low	41
jackson-dataformat-yaml-2.4.2.jar (shaded: org.yaml:snakeyaml:1.12)	cpe:2.3:a:snakeyaml_project:snakeyaml:1.12:::::::* cpe:2.3:a:yaml_project:yaml:1.12:::::::*	pkg:maven/org.yaml/snakeyaml@1.12	HIGH	10	Highest	21
jackson-dataformat-yaml-2.4.2.jar	cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.4.2:::::::* cpe:2.3:a:yaml_project:yaml:2.4.2:::::::*	pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.4.2		0	Highest	40
jackson-datatype-joda-2.4.2.jar		pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-joda@2.4.2		0		40
jackson-jaxrs-base-2.14.0.jar		pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base@2.14.0		0		39
jackson-jaxrs-json-provider-2.14.0.jar		pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider@2.14.0		0		39
jackson-module-jaxb-annotations-2.14.0.jar		pkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.14.0		0		41
jakarta.activation-api-1.2.2.jar		pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2		0		33
jakarta.annotation-api-1.3.5.jar	cpe:2.3:a:oracle:java_se:1.3.5:::::::* cpe:2.3:a:oracle:projects:1.3.5:::::::*	pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5		0	Low	37
jakarta.inject-2.6.1.jar	cpe:2.3:a:oracle:java_se:2.6.1:::::::*	pkg:maven/org.glassfish.hk2.external/jakarta.inject@2.6.1		0	Low	27
jakarta.validation-api-2.0.2.jar		pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2		0		58
jakarta.ws.rs-api-2.1.6.jar	cpe:2.3:a:web_project:web:2.1.6:::::::*	pkg:maven/jakarta.ws.rs/jakarta.ws.rs-api@2.1.6		0	Low	45
jakarta.xml.bind-api-2.3.3.jar		pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3		0		35
jandex-2.0.4.Final.jar		pkg:maven/org.jboss/jandex@2.0.4.Final		0		40
java-ipv6-0.17.jar		pkg:maven/com.googlecode.java-ipv6/java-ipv6@0.17		0		20
java-jwt-3.10.3.jar		pkg:maven/com.auth0/java-jwt@3.10.3		0		37
javaee-api-7.0.jar		pkg:maven/javax/javaee-api@7.0 pkg:maven/org.glassfish.main/javaee-api@4.0-SNAPSHOT		0		35
javassist-3.22.0-GA.jar		pkg:maven/org.javassist/javassist@3.22.0-GA		0		58
javax.activation-api-1.2.0.jar		pkg:maven/javax.activation/javax.activation-api@1.2.0		0		39
javax.mail-1.5.0.jar		pkg:maven/com.sun.mail/javax.mail@1.5.0		0		40
javax.mail-api-1.6.0.jar		pkg:maven/javax.mail/javax.mail-api@1.6.0		0		39
javax.persistence-api-2.2.jar	cpe:2.3:a:oracle:java_se:2.2:::::::*	pkg:maven/javax.persistence/javax.persistence-api@2.2		0	Low	34
javax.servlet-api-3.1.0.jar	cpe:2.3:a:oracle:java_se:3.1.0:::::::*	pkg:maven/javax.servlet/javax.servlet-api@3.1.0		0	Medium	49
jaxb-api-2.3.1.jar	cpe:2.3:a:oracle:java_se:2.3.1:::::::*	pkg:maven/javax.xml.bind/jaxb-api@2.3.1		0	Low	37
jaxb-runtime-2.3.1.jar		pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1		0		32
jaxen-1.1.6.jar		pkg:maven/jaxen/jaxen@1.1.6		0		117
jboss-logging-3.3.1.Final.jar		pkg:maven/org.jboss.logging/jboss-logging@3.3.1.Final		0		42
jboss-transaction-api_1.2_spec-1.1.1.Final.jar		pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.2_spec@1.1.1.Final		0		41
jcip-annotations-1.0-1.jar		pkg:maven/com.github.stephenc.jcip/jcip-annotations@1.0-1		0		25
jersey-server-2.36.jar	cpe:2.3:a:jersey_project:jersey:2.36:::::::*	pkg:maven/org.glassfish.jersey.core/jersey-server@2.36		0	Highest	31
jetty-6.1.26.jar	cpe:2.3:a:jetty:jetty:6.1.26:::::::* cpe:2.3:a:mortbay:jetty:6.1.26:::::::* cpe:2.3:a:mortbay_jetty:jetty:6.1.26:::::::*	pkg:maven/org.mortbay.jetty/jetty@6.1.26	MEDIUM	2	Highest	34
jline-2.14.5.jar		pkg:maven/jline/jline@2.14.5		0		37
jmespath-java-1.12.267.jar	cpe:2.3:a:amazon:aws-sdk-java:1.12.267:::::::*	pkg:maven/com.amazonaws/jmespath-java@1.12.267		0	Low	28
joda-time-2.9.9.jar	cpe:2.3:a:time_project:time:2.9.9:::::::*	pkg:maven/joda-time/joda-time@2.9.9		0	Highest	45
jsch-0.1.55.jar	cpe:2.3:a:jcraft:jsch:0.1.55:::::::*	pkg:maven/com.jcraft/jsch@0.1.55		0	Highest	34
json-lib-2.4-jdk15.jar		pkg:maven/net.sf.json-lib/json-lib@2.4		0		13
json-smart-2.4.8.jar	cpe:2.3:a:ini-parser_project:ini-parser:2.4.8:::::::* cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:::::::*	pkg:maven/net.minidev/json-smart@2.4.8		0	Low	51
jsoup-1.15.3.jar	cpe:2.3:a:jsoup:jsoup:1.15.3:::::::*	pkg:maven/org.jsoup/jsoup@1.15.3		0	Highest	42
jsr311-api-1.1.1.jar	cpe:2.3:a:web_project:web:1.1.1:::::::*	pkg:maven/javax.ws.rs/jsr311-api@1.1.1		0	Low	36
jta-1.1.jar		pkg:maven/javax.transaction/jta@1.1		0		22
lang-tag-1.7.jar		pkg:maven/com.nimbusds/lang-tag@1.7		0		49
ldaptive-1.2.4.jar	cpe:2.3:a:ldaptive:ldaptive:1.2.4:::::::*	pkg:maven/org.ldaptive/ldaptive@1.2.4		0	Highest	23
log4j-core-2.17.1.jar	cpe:2.3:a:apache:log4j:2.17.1:::::::*	pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1		0	Highest	50
log4j-slf4j-impl-2.17.1.jar		pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.17.1		0		46
lombok-1.14.8.jar		pkg:maven/org.projectlombok/lombok@1.14.8		0		40
mail-1.4.7.jar		pkg:maven/javax.mail/mail@1.4.7		0		44
mchange-commons-java-0.2.15.jar		pkg:maven/com.mchange/mchange-commons-java@0.2.15		0		29
mex-1.6.3-impl.jar	cpe:2.3:a:apache:axis:1.6.3:::::::* cpe:2.3:a:apache:axis2:1.6.3:::::::*	pkg:maven/org.apache.axis2/mex@1.6.3		0	Highest	27
mxparser-1.2.2.jar		pkg:maven/io.github.x-stream/mxparser@1.2.2		0		58
mysql-connector-java-8.0.28.jar	cpe:2.3:a:mysql:mysql:8.0.28:::::::* cpe:2.3:a:oracle:mysql_connector\/j:8.0.28:::::::*	pkg:maven/mysql/mysql-connector-java@8.0.28		0	Highest	44
neethi-3.0.2.jar		pkg:maven/org.apache.neethi/neethi@3.0.2		0		86
nimbus-jose-jwt-9.24.4.jar (shaded: com.google.code.gson:gson:2.9.1)	cpe:2.3:a:google:gson:2.9.1:::::::*	pkg:maven/com.google.code.gson/gson@2.9.1		0	Highest	9
nimbus-jose-jwt-9.24.4.jar	cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.24.4:::::::*	pkg:maven/com.nimbusds/nimbus-jose-jwt@9.24.4		0	Highest	55
oauth2-oidc-sdk-9.43.1.jar		pkg:maven/com.nimbusds/oauth2-oidc-sdk@9.43.1		0		59
opensaml-2.6.4.jar	cpe:2.3:a:shibboleth:opensaml:2.6.4:::::::*	pkg:maven/org.opensaml/opensaml@2.6.4		0	Highest	83
openws-1.5.4.jar		pkg:maven/org.opensaml/openws@1.5.4		0		80
org.apache.felix.framework-7.0.3.jar	cpe:2.3:a:sun:sun_ftp:7.0.3:::::::*	pkg:maven/org.apache.felix/org.apache.felix.framework@7.0.3		0	Low	41
oro-2.0.8.jar		pkg:maven/oro/oro@2.0.8		0		16
osgi-resource-locator-1.0.3.jar	cpe:2.3:a:oracle:java_se:1.0.3:::::::*	pkg:maven/org.glassfish.hk2/osgi-resource-locator@1.0.3		0	Low	36
picocli-4.3.2.jar		pkg:maven/info.picocli/picocli@4.3.2		0		36
postgresql-42.5.1.jar	cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.1:::::::*	pkg:maven/org.postgresql/postgresql@42.5.1		0	Low	71
protobuf-java-3.11.4.jar	cpe:2.3:a:google:protobuf-java:3.11.4:::::::*	pkg:maven/com.google.protobuf/protobuf-java@3.11.4	HIGH	4	Highest	27
quartz-2.3.2.jar	cpe:2.3:a:softwareag:quartz:2.3.2:::::::*	pkg:maven/org.quartz-scheduler/quartz@2.3.2		0	Highest	33
rampart-core-1.6.3.jar		pkg:maven/org.apache.rampart/rampart-core@1.6.3		0		23
rampart-policy-1.6.3.jar		pkg:maven/org.apache.rampart/rampart-policy@1.6.3		0		21
rampart-trust-1.6.3.jar		pkg:maven/org.apache.rampart/rampart-trust@1.6.3		0		21
reflections-0.9.9.jar		pkg:maven/org.reflections/reflections@0.9.9		0		18
scim-common-2.22.jar		pkg:maven/edu.psu.swe.scim/scim-common@2.22		0		29
scim-server-common-2.22.jar		pkg:maven/edu.psu.swe.scim/scim-server-common@2.22		0		29
scim-spec-protocol-2.22.jar		pkg:maven/edu.psu.swe.scim/scim-spec-protocol@2.22		0		29
scim-spec-schema-2.22.jar		pkg:maven/edu.psu.swe.scim/scim-spec-schema@2.22		0		29
scim2-sdk-client-2.3.7.jar		pkg:maven/com.unboundid.product.scim2/scim2-sdk-client@2.3.7		0		37
scim2-sdk-common-2.3.7.jar		pkg:maven/com.unboundid.product.scim2/scim2-sdk-common@2.3.7		0		38
scim2-sdk-server-2.3.7.jar		pkg:maven/com.unboundid.product.scim2/scim2-sdk-server@2.3.7		0		37
serializer-2.7.1.jar	cpe:2.3:a:apache:xalan-java:2.7.1:::::::*	pkg:maven/xalan/serializer@2.7.1	HIGH	2	Low	32
servlet-api-2.3.jar		pkg:maven/javax.servlet/servlet-api@2.3		0		16
slf4j-api-1.7.32.jar		pkg:maven/org.slf4j/slf4j-api@1.7.32		0		27
smack-3.1.0.jar		pkg:maven/jivesoftware/smack@3.1.0	MEDIUM	2		22
stax-ex-1.8.jar	cpe:2.3:a:oracle:java_se:1.8:::::::*	pkg:maven/org.jvnet.staxex/stax-ex@1.8		0	Low	48
stax2-api-3.1.1.jar		pkg:maven/org.codehaus.woodstox/stax2-api@3.1.1		0		36
swagger-annotations-1.5.0.jar		pkg:maven/io.swagger/swagger-annotations@1.5.0		0		31
swagger-annotations-1.6.3.jar		pkg:maven/io.swagger/swagger-annotations@1.6.3		0		31
swagger-core-1.5.0.jar		pkg:maven/io.swagger/swagger-core@1.5.0		0		24
swagger-jaxrs-1.5.0.jar		pkg:maven/io.swagger/swagger-jaxrs@1.5.0		0		24
swagger-models-1.5.0.jar		pkg:maven/io.swagger/swagger-models@1.5.0		0		30
txw2-2.3.1.jar		pkg:maven/org.glassfish.jaxb/txw2@2.3.1		0		34
unboundid-ldapsdk-4.0.9.jar	cpe:2.3:a:pingidentity:ldapsdk:4.0.9:::::::*	pkg:maven/com.unboundid/unboundid-ldapsdk@4.0.9		0	Highest	49
validation-api-1.1.0.Final.jar		pkg:maven/javax.validation/validation-api@1.1.0.Final		0		42
woden-api-1.0M9.jar		pkg:maven/org.apache.woden/woden-api@1.0M9		0		27
woden-impl-commons-1.0M9.jar	cpe:2.3:a:apache:commons_net:1.0:m9::::::	pkg:maven/org.apache.woden/woden-impl-commons@1.0M9	MEDIUM	1	Highest	27
woden-impl-dom-1.0M9.jar		pkg:maven/org.apache.woden/woden-impl-dom@1.0M9		0		27
woodstox-core-asl-4.1.4.jar		pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.1.4		0		31
woodstox-core-asl-4.2.0.jar		pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.2.0		0		37
wsdl4j-1.6.2.jar		pkg:maven/wsdl4j/wsdl4j@1.6.2		0		20
wss4j-1.6.19.jar	cpe:2.3:a:apache:wss4j:1.6.19:::::::*	pkg:maven/org.apache.ws.security/wss4j@1.6.19		0	Highest	42
xalan-2.7.1.jar	cpe:2.3:a:apache:xalan-java:2.7.1:::::::*	pkg:maven/xalan/xalan@2.7.1	HIGH	2	Low	66
xml-apis-1.4.01.jar	cpe:2.3:a:apache:commons_net:1.4.01:::::::*	pkg:maven/xml-apis/xml-apis@1.4.01	MEDIUM	1	Low	87
xmlpull-1.1.3.1.jar		pkg:maven/xmlpull/xmlpull@1.1.3.1		0		18
xmlsec-1.5.8.jar	cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.8:::::::* cpe:2.3:a:apache:xml_security_for_java:1.5.8:::::::*	pkg:maven/org.apache.santuario/xmlsec@1.5.8	HIGH	1	Low	44
xmltooling-1.4.4.jar	cpe:2.3:a:xmltooling_project:xmltooling:1.4.4:::::::*	pkg:maven/org.opensaml/xmltooling@1.4.4	MEDIUM	1	Highest	74
xstream-1.4.19.jar	cpe:2.3:a:xstream_project:xstream:1.4.19:::::::*	pkg:maven/com.thoughtworks.xstream/xstream@1.4.19	HIGH	3	Highest	55
zjsonpatch-0.2.4.jar		pkg:maven/com.flipkart.zjsonpatch/zjsonpatch@0.2.4		0		26

Description:

Open Source implementation of the Fast Infoset Standard for Binary XML (http://www.itu.int/ITU-T/asn1/).

License:

http://www.opensource.org/licenses/apache2.0.php

File Path: /home/grprdist/.m2/repository/com/sun/xml/fastinfoset/FastInfoset/1.2.15/FastInfoset-1.2.15.jar
MD5: 57f3894ad7e069ae740b277d92d10fa0
SHA1: bb7b7ec0379982b97c62cd17465cb6d9155f68e8
SHA256:785861db11ca1bd0d1956682b974ad73eb19cd3e01a4b3fa82d62eca97210aec
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	FastInfoset	High
Vendor	jar	package name	fastinfoset	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	com.sun.xml.fastinfoset.FastInfoset	Medium
Vendor	Manifest	extension-name	com.sun.xml.fastinfoset	Medium
Vendor	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Vendor	Manifest	implementation-url	http://fi.java.net	Low
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Vendor	Manifest	url	http://fi.java.net	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	FastInfoset	Highest
Vendor	pom	artifactid	FastInfoset	Low
Vendor	pom	groupid	com.sun.xml.fastinfoset	Highest
Vendor	pom	name	fastinfoset	High
Vendor	pom	parent-artifactid	fastinfoset-project	Low
Vendor	pom	url	http://fi.java.net	Highest
Product	file	name	FastInfoset	High
Product	jar	package name	fastinfoset	Highest
Product	jar	package name	sun	Highest
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	fastinfoset	Medium
Product	Manifest	bundle-symbolicname	com.sun.xml.fastinfoset.FastInfoset	Medium
Product	Manifest	extension-name	com.sun.xml.fastinfoset	Medium
Product	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Product	Manifest	Implementation-Title	Fast Infoset Implementation	High
Product	Manifest	implementation-url	http://fi.java.net	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Product	Manifest	specification-title	ITU-T Rec. X.891 \| ISO/IEC 24824-1 (Fast Infoset)	Medium
Product	Manifest	url	http://fi.java.net	Low
Product	pom	artifactid	FastInfoset	Highest
Product	pom	groupid	com.sun.xml.fastinfoset	Highest
Product	pom	name	fastinfoset	High
Product	pom	parent-artifactid	fastinfoset-project	Medium
Product	pom	url	http://fi.java.net	Medium
Version	file	version	1.2.15	High
Version	Manifest	Bundle-Version	1.2.15	High
Version	Manifest	Implementation-Version	1.2.15	High
Version	pom	version	1.2.15	Highest

Identifiers

pkg:maven/com.sun.xml.fastinfoset/FastInfoset@1.2.15 (Confidence:High)
cpe:2.3:a:fast_ber_project:fast_ber:1.2.15:*:*:*:*:*:*:* (Confidence:Low)

Description:

Commons XMLSchema is a light weight schema object model that can be used to manipulate or
        generate a schema. It has a clean, easy to use API and can easily be integrated into an existing project
        since it has almost no dependencies on third party libraries.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/ws/commons/schema/XmlSchema/1.4.7/XmlSchema-1.4.7.jar
MD5: e3dce6afd6690efc9436f0b2147cc584
SHA1: a667ab231d6333105db86efe4a96724f50913e1f
SHA256:aae47bc270758cc6c641b624e670c6702ded4f6cd5e452298ad28bc65c14e00d
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	XmlSchema	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	schema	Highest
Vendor	jar	package name	ws	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.ws.commons.schema.XmlSchema	Medium
Vendor	pom	artifactid	XmlSchema	Highest
Vendor	pom	artifactid	XmlSchema	Low
Vendor	pom	groupid	org.apache.ws.commons.schema	Highest
Vendor	pom	name	XmlSchema	High
Vendor	pom	organization name	The Apache Software Foundation	High
Vendor	pom	organization url	http://www.apache.org/	Medium
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	parent-groupid	org.apache	Medium
Vendor	pom	url	http://ws.apache.org/commons/XmlSchema	Highest
Product	file	name	XmlSchema	High
Product	hint analyzer	product	web services	Medium
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	schema	Highest
Product	jar	package name	ws	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	XmlSchema	Medium
Product	Manifest	bundle-symbolicname	org.apache.ws.commons.schema.XmlSchema	Medium
Product	pom	artifactid	XmlSchema	Highest
Product	pom	groupid	org.apache.ws.commons.schema	Highest
Product	pom	name	XmlSchema	High
Product	pom	organization name	The Apache Software Foundation	Low
Product	pom	organization url	http://www.apache.org/	Low
Product	pom	parent-artifactid	apache	Medium
Product	pom	parent-groupid	org.apache	Medium
Product	pom	url	http://ws.apache.org/commons/XmlSchema	Medium
Version	file	version	1.4.7	High
Version	Manifest	Bundle-Version	1.4.7	High
Version	pom	parent-version	1.4.7	Low
Version	pom	version	1.4.7	Highest

Identifiers

pkg:maven/org.apache.ws.commons.schema/XmlSchema@1.4.7 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.4.7:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Java reflect give poor performance on getter setter an constructor calls, accessors-smart use ASM to speed up those calls.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/minidev/accessors-smart/2.4.8/accessors-smart-2.4.8.jar
MD5: e5761631acc11ded0255af1249937e85
SHA1: 6e1bee5a530caba91893604d6ab41d0edcecca9a
SHA256:7dd705aa1ac0e030f8ee2624e8e77239ae1eef6ccc2621c0b8c189866ee1c42c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	accessors-smart	High
Vendor	jar	package name	asm	Highest
Vendor	jar	package name	minidev	Highest
Vendor	jar	package name	net	Highest
Vendor	Manifest	bundle-docurl	https://urielch.github.io/	Low
Vendor	Manifest	bundle-symbolicname	net.minidev.accessors-smart	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	accessors-smart	Highest
Vendor	pom	artifactid	accessors-smart	Low
Vendor	pom	developer email	shoothzj@gmail.com	Low
Vendor	pom	developer email	uchemouni@gmail.com	Low
Vendor	pom	developer id	Shoothzj	Medium
Vendor	pom	developer id	uriel	Medium
Vendor	pom	developer name	Uriel Chemouni	Medium
Vendor	pom	developer name	ZhangJian He	Medium
Vendor	pom	groupid	net.minidev	Highest
Vendor	pom	name	ASM based accessors helper used by json-smart	High
Vendor	pom	organization name	Chemouni Uriel	High
Vendor	pom	organization url	https://urielch.github.io/	Medium
Vendor	pom	url	https://urielch.github.io/	Highest
Product	file	name	accessors-smart	High
Product	jar	package name	asm	Highest
Product	jar	package name	minidev	Highest
Product	jar	package name	net	Highest
Product	Manifest	bundle-docurl	https://urielch.github.io/	Low
Product	Manifest	Bundle-Name	accessors-smart	Medium
Product	Manifest	bundle-symbolicname	net.minidev.accessors-smart	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	accessors-smart	Highest
Product	pom	developer email	shoothzj@gmail.com	Low
Product	pom	developer email	uchemouni@gmail.com	Low
Product	pom	developer id	Shoothzj	Low
Product	pom	developer id	uriel	Low
Product	pom	developer name	Uriel Chemouni	Low
Product	pom	developer name	ZhangJian He	Low
Product	pom	groupid	net.minidev	Highest
Product	pom	name	ASM based accessors helper used by json-smart	High
Product	pom	organization name	Chemouni Uriel	Low
Product	pom	organization url	https://urielch.github.io/	Low
Product	pom	url	https://urielch.github.io/	Medium
Version	file	version	2.4.8	High
Version	Manifest	Bundle-Version	2.4.8	High
Version	pom	version	2.4.8	Highest

Identifiers

pkg:maven/net.minidev/accessors-smart@2.4.8 (Confidence:High)
cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:*:*:*:*:*:*:* (Confidence:Low)

Description:

The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html

File Path: /home/grprdist/.m2/repository/javax/activation/activation/1.1.1/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	activation	High
Vendor	jar	package name	activation	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	extension-name	javax.activation	Medium
Vendor	Manifest	Implementation-Vendor	Sun Microsystems, Inc.	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	specification-vendor	Sun Microsystems, Inc.	Low
Vendor	pom	artifactid	activation	Highest
Vendor	pom	artifactid	activation	Low
Vendor	pom	groupid	javax.activation	Highest
Vendor	pom	name	JavaBeans(TM) Activation Framework	High
Vendor	pom	url	http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp	Highest
Product	file	name	activation	High
Product	jar	package name	activation	Highest
Product	jar	package name	javax	Highest
Product	Manifest	extension-name	javax.activation	Medium
Product	Manifest	specification-title	JavaBeans(TM) Activation Framework Specification	Medium
Product	pom	artifactid	activation	Highest
Product	pom	groupid	javax.activation	Highest
Product	pom	name	JavaBeans(TM) Activation Framework	High
Product	pom	url	http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp	Medium
Version	file	version	1.1.1	High
Version	Manifest	Implementation-Version	1.1.1	High
Version	pom	version	1.1.1	Highest

Identifiers

pkg:maven/javax.activation/activation@1.1.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:1.1.1:*:*:*:*:*:*:* (Confidence:Low)

File Path: /home/grprdist/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.9/animal-sniffer-annotations-1.9.jar
MD5: 41f47a4c81b5a9f76bc7f12af69e4fbe
SHA1: c29299253a087898aaff7f4eac57effa46b1910a
SHA256:cd96feeb47f34b2559704715db7b179a03a3721f9dc4092c345c718e29b42de4
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	animal-sniffer-annotations	High
Vendor	jar	package name	animal_sniffer	Low
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	codehaus	Low
Vendor	jar	package name	mojo	Highest
Vendor	jar	package name	mojo	Low
Vendor	pom	artifactid	animal-sniffer-annotations	Highest
Vendor	pom	artifactid	animal-sniffer-annotations	Low
Vendor	pom	groupid	org.codehaus.mojo	Highest
Vendor	pom	name	Animal Sniffer Annotations	High
Vendor	pom	parent-artifactid	animal-sniffer-parent	Low
Product	file	name	animal-sniffer-annotations	High
Product	jar	package name	animal_sniffer	Low
Product	jar	package name	codehaus	Highest
Product	jar	package name	ignorejrerequirement	Low
Product	jar	package name	mojo	Highest
Product	jar	package name	mojo	Low
Product	pom	artifactid	animal-sniffer-annotations	Highest
Product	pom	groupid	org.codehaus.mojo	Highest
Product	pom	name	Animal Sniffer Annotations	High
Product	pom	parent-artifactid	animal-sniffer-parent	Medium
Version	file	version	1.9	High
Version	pom	version	1.9	Highest

Identifiers

pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.9 (Confidence:High)

Description:

Annotation supports the FindBugs tool

License:

GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html

File Path: /home/grprdist/.m2/repository/com/google/code/findbugs/annotations/2.0.1/annotations-2.0.1.jar
MD5: 35ef911c85603829ded63f211feb2d68
SHA1: 9ef6656259841cebfb9fb0697bb122ada4485498
SHA256:893b2203a27e4a8ba9d16cd6ed6e9f730736b4878a6bfffeff06861f32e6631b
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	annotations	High
Vendor	jar	package name	annotation	Highest
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	findbugs	Highest
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	findbugsAnnotations	Medium
Vendor	pom	artifactid	annotations	Highest
Vendor	pom	artifactid	annotations	Low
Vendor	pom	groupid	com.google.code.findbugs	Highest
Vendor	pom	name	FindBugs-Annotations	High
Vendor	pom	url	http://findbugs.sourceforge.net/	Highest
Product	file	name	annotations	High
Product	jar	package name	annotation	Highest
Product	jar	package name	annotations	Highest
Product	jar	package name	findbugs	Highest
Product	Manifest	Bundle-Name	FindbugsAnnotations	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	findbugsAnnotations	Medium
Product	pom	artifactid	annotations	Highest
Product	pom	groupid	com.google.code.findbugs	Highest
Product	pom	name	FindBugs-Annotations	High
Product	pom	url	http://findbugs.sourceforge.net/	Medium
Version	file	version	2.0.1	High
Version	pom	version	2.0.1	Highest

Identifiers

pkg:maven/com.google.code.findbugs/annotations@2.0.1 (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/apache/ant/ant/1.10.12/ant-1.10.12.jar
MD5: f5b97fb267862b35d1eb398defe1831a
SHA1: be08c4f63e92e03bac761404cf77bc270928b6c5
SHA256:5c6a438c3ebe7a306eba452b09fa307b0e60314926177920bca896c4a504eaf6
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ant	High
Vendor	jar	package name	ant	Highest
Vendor	jar	package name	apache	Highest
Vendor	manifest: org/apache/tools/ant/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	ant	Highest
Vendor	pom	artifactid	ant	Low
Vendor	pom	groupid	org.apache.ant	Highest
Vendor	pom	name	Apache Ant Core	High
Vendor	pom	parent-artifactid	ant-parent	Low
Vendor	pom	url	https://ant.apache.org/	Highest
Product	file	name	ant	High
Product	jar	package name	ant	Highest
Product	jar	package name	apache	Highest
Product	jar	package name	tools	Highest
Product	manifest: org/apache/tools/ant/	Implementation-Title	org.apache.tools.ant	Medium
Product	manifest: org/apache/tools/ant/	Specification-Title	Apache Ant	Medium
Product	pom	artifactid	ant	Highest
Product	pom	groupid	org.apache.ant	Highest
Product	pom	name	Apache Ant Core	High
Product	pom	parent-artifactid	ant-parent	Medium
Product	pom	url	https://ant.apache.org/	Medium
Version	file	version	1.10.12	High
Version	manifest: org/apache/tools/ant/	Implementation-Version	1.10.12	Medium
Version	pom	version	1.10.12	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.ant/ant@1.10.12 (Confidence:High)
cpe:2.3:a:apache:ant:1.10.12:*:*:*:*:*:*:* (Confidence:Highest)

Description:

    A framework for constructing recognizers, compilers,
    and translators from grammatical descriptions containing
    Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html

File Path: /home/grprdist/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	antlr	High
Vendor	jar	package name	actions	Highest
Vendor	jar	package name	antlr	Highest
Vendor	jar	package name	antlr	Low
Vendor	jar	package name	java	Highest
Vendor	jar	package name	parser	Highest
Vendor	jar	package name	python	Highest
Vendor	pom	artifactid	antlr	Highest
Vendor	pom	artifactid	antlr	Low
Vendor	pom	groupid	antlr	Highest
Vendor	pom	name	AntLR Parser Generator	High
Vendor	pom	url	http://www.antlr.org/	Highest
Product	file	name	antlr	High
Product	jar	package name	actions	Highest
Product	jar	package name	antlr	Highest
Product	jar	package name	java	Highest
Product	jar	package name	parser	Highest
Product	jar	package name	python	Highest
Product	pom	artifactid	antlr	Highest
Product	pom	groupid	antlr	Highest
Product	pom	name	AntLR Parser Generator	High
Product	pom	url	http://www.antlr.org/	Medium
Version	file	version	2.7.7	High
Version	pom	version	2.7.7	Highest

Identifiers

pkg:maven/antlr/antlr@2.7.7 (Confidence:High)

Description:

The ANTLR 4 Runtime

License:

http://www.antlr.org/license.html

File Path: /home/grprdist/.m2/repository/org/antlr/antlr4-runtime/4.7.1/antlr4-runtime-4.7.1.jar
MD5: 0223e36b3a3fadd05a52221828a4fcf1
SHA1: 946f8aa9daa917dd81a8b818111bec7e288f821a
SHA256:43516d19beae35909e04d06af6c0c58c17bc94e0070c85e8dc9929ca640dc91d
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	antlr4-runtime	High
Vendor	jar	package name	antlr	Highest
Vendor	jar	package name	runtime	Highest
Vendor	Manifest	bundle-docurl	http://www.antlr.org	Low
Vendor	Manifest	bundle-symbolicname	org.antlr.antlr4-runtime	Medium
Vendor	Manifest	implementation-url	http://www.antlr.org/runtime/antlr4-runtime	Low
Vendor	Manifest	Implementation-Vendor	ANTLR	High
Vendor	Manifest	Implementation-Vendor-Id	org.antlr	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	antlr4-runtime	Highest
Vendor	pom	artifactid	antlr4-runtime	Low
Vendor	pom	groupid	org.antlr	Highest
Vendor	pom	name	ANTLR 4 Runtime	High
Vendor	pom	parent-artifactid	antlr4-master	Low
Product	file	name	antlr4-runtime	High
Product	jar	package name	antlr	Highest
Product	jar	package name	runtime	Highest
Product	Manifest	bundle-docurl	http://www.antlr.org	Low
Product	Manifest	Bundle-Name	ANTLR 4 Runtime	Medium
Product	Manifest	bundle-symbolicname	org.antlr.antlr4-runtime	Medium
Product	Manifest	Implementation-Title	ANTLR 4 Runtime	High
Product	Manifest	implementation-url	http://www.antlr.org/runtime/antlr4-runtime	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	pom	artifactid	antlr4-runtime	Highest
Product	pom	groupid	org.antlr	Highest
Product	pom	name	ANTLR 4 Runtime	High
Product	pom	parent-artifactid	antlr4-master	Medium
Version	file	version	4.7.1	High
Version	Manifest	Bundle-Version	4.7.1	High
Version	Manifest	Implementation-Version	4.7.1	High
Version	pom	version	4.7.1	Highest

Identifiers

pkg:maven/org.antlr/antlr4-runtime@4.7.1 (Confidence:High)

Description:

Dependency Injection Kernel

License:

http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/hk2/external/aopalliance-repackaged/2.6.1/aopalliance-repackaged-2.6.1.jar
MD5: 0237846ebdaa7db36b356044a373ffba
SHA1: b2eb0a83bcbb44cc5d25f8b18f23be116313a638
SHA256:bad77f9278d753406360af9e4747bd9b3161554ea9cd3d62411a0ae1f2c141fd
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	aopalliance-repackaged	High
Vendor	jar	package name	aopalliance	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.hk2.external.aopalliance-repackaged	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	aopalliance-repackaged	Highest
Vendor	pom	artifactid	aopalliance-repackaged	Low
Vendor	pom	groupid	org.glassfish.hk2.external	Highest
Vendor	pom	name	aopalliance version ${aopalliance.version} repackaged as a module	High
Vendor	pom	parent-artifactid	external	Low
Vendor	pom	parent-groupid	org.glassfish.hk2	Medium
Product	file	name	aopalliance-repackaged	High
Product	jar	package name	aopalliance	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	aopalliance version 1.0 repackaged as a module	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.hk2.external.aopalliance-repackaged	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	aopalliance-repackaged	Highest
Product	pom	groupid	org.glassfish.hk2.external	Highest
Product	pom	name	aopalliance version ${aopalliance.version} repackaged as a module	High
Product	pom	parent-artifactid	external	Medium
Product	pom	parent-groupid	org.glassfish.hk2	Medium
Version	file	version	2.6.1	High
Version	Manifest	Bundle-Version	2.6.1	High
Version	pom	version	2.6.1	Highest

Identifiers

pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.6.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.6.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

Java stream based MIME message parser

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/james/apache-mime4j-core/0.7.2/apache-mime4j-core-0.7.2.jar
MD5: 88f799546eca803c53eee01a4ce5edcd
SHA1: a81264fe0265ebe8fd1d8128aad06dc320de6eef
SHA256:4d7434c68f94b81a253c12f28e6bbb4d6239c361d6086a46e22e594bb43ac660
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	apache-mime4j-core	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	james	Highest
Vendor	jar	package name	mime4j	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.james.apache-mime4j-core	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	url	http://james.apache.org/mime4j/apache-mime4j-core	Low
Vendor	pom	artifactid	apache-mime4j-core	Highest
Vendor	pom	artifactid	apache-mime4j-core	Low
Vendor	pom	groupid	org.apache.james	Highest
Vendor	pom	name	Apache JAMES Mime4j (Core)	High
Vendor	pom	parent-artifactid	apache-mime4j-project	Low
Product	file	name	apache-mime4j-core	High
Product	jar	package name	apache	Highest
Product	jar	package name	james	Highest
Product	jar	package name	mime4j	Highest
Product	jar	package name	parser	Highest
Product	jar	package name	stream	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache JAMES Mime4j (Core)	Medium
Product	Manifest	bundle-symbolicname	org.apache.james.apache-mime4j-core	Medium
Product	Manifest	Implementation-Title	Apache Mime4j	High
Product	Manifest	specification-title	Apache Mime4j	Medium
Product	Manifest	url	http://james.apache.org/mime4j/apache-mime4j-core	Low
Product	pom	artifactid	apache-mime4j-core	Highest
Product	pom	groupid	org.apache.james	Highest
Product	pom	name	Apache JAMES Mime4j (Core)	High
Product	pom	parent-artifactid	apache-mime4j-project	Medium
Version	file	version	0.7.2	High
Version	Manifest	Bundle-Version	0.7.2	High
Version	Manifest	Implementation-Version	0.7.2	High
Version	pom	version	0.7.2	Highest

Identifiers

pkg:maven/org.apache.james/apache-mime4j-core@0.7.2 (Confidence:High)

Description:

ASM, a very small and fast Java bytecode manipulation framework

License:

BSD: http://asm.ow2.org/license.html

File Path: /home/grprdist/.m2/repository/org/ow2/asm/asm/7.1/asm-7.1.jar
MD5: 04fc92647ce25b41121683674a50dfdf
SHA1: fa29aa438674ff19d5e1386d2c3527a0267f291e
SHA256:4ab2fa2b6d2cc9ccb1eaa05ea329c407b47b13ed2915f62f8c4b8cc96258d4de
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	asm	High
Vendor	jar	package name	asm	Highest
Vendor	jar	package name	objectweb	Highest
Vendor	Manifest	bundle-docurl	http://asm.ow2.org	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	org.objectweb.asm	Medium
Vendor	pom	artifactid	asm	Highest
Vendor	pom	artifactid	asm	Low
Vendor	pom	developer email	ebruneton@free.fr	Low
Vendor	pom	developer email	eu@javatx.org	Low
Vendor	pom	developer email	forax@univ-mlv.fr	Low
Vendor	pom	developer id	ebruneton	Medium
Vendor	pom	developer id	eu	Medium
Vendor	pom	developer id	forax	Medium
Vendor	pom	developer name	Eric Bruneton	Medium
Vendor	pom	developer name	Eugene Kuleshov	Medium
Vendor	pom	developer name	Remi Forax	Medium
Vendor	pom	groupid	org.ow2.asm	Highest
Vendor	pom	name	asm	High
Vendor	pom	organization name	OW2	High
Vendor	pom	organization url	http://www.ow2.org/	Medium
Vendor	pom	parent-artifactid	ow2	Low
Vendor	pom	parent-groupid	org.ow2	Medium
Vendor	pom	url	http://asm.ow2.org/	Highest
Product	file	name	asm	High
Product	jar	package name	asm	Highest
Product	jar	package name	objectweb	Highest
Product	Manifest	bundle-docurl	http://asm.ow2.org	Low
Product	Manifest	Bundle-Name	org.objectweb.asm	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	org.objectweb.asm	Medium
Product	Manifest	Implementation-Title	ASM, a very small and fast Java bytecode manipulation framework	High
Product	pom	artifactid	asm	Highest
Product	pom	developer email	ebruneton@free.fr	Low
Product	pom	developer email	eu@javatx.org	Low
Product	pom	developer email	forax@univ-mlv.fr	Low
Product	pom	developer id	ebruneton	Low
Product	pom	developer id	eu	Low
Product	pom	developer id	forax	Low
Product	pom	developer name	Eric Bruneton	Low
Product	pom	developer name	Eugene Kuleshov	Low
Product	pom	developer name	Remi Forax	Low
Product	pom	groupid	org.ow2.asm	Highest
Product	pom	name	asm	High
Product	pom	organization name	OW2	Low
Product	pom	organization url	http://www.ow2.org/	Low
Product	pom	parent-artifactid	ow2	Medium
Product	pom	parent-groupid	org.ow2	Medium
Product	pom	url	http://asm.ow2.org/	Medium
Version	file	version	7.1	High
Version	Manifest	Implementation-Version	7.1	High
Version	pom	parent-version	7.1	Low
Version	pom	version	7.1	Highest

Identifiers

pkg:maven/org.ow2.asm/asm@7.1 (Confidence:High)

Description:

The AWS SDK for Java - Core module holds the classes that are used by the individual service clients to interact with Amazon Web Services. Users need to depend on aws-java-sdk artifact for accessing individual client classes.

File Path: /home/grprdist/.m2/repository/com/amazonaws/aws-java-sdk-core/1.12.267/aws-java-sdk-core-1.12.267.jar
MD5: e6f847980566ec95e838933ab1609c69
SHA1: 2562b87f3af418751c2d0bcbe4209dbefa263484
SHA256:0f06b44909ff2d30b2a61229839e3619fe2ac7bc4c5f52536299a8cc8a1ffd51
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	aws-java-sdk-core	High
Vendor	jar	package name	amazonaws	Highest
Vendor	jar	package name	amazonaws	Low
Vendor	jar	package name	classes	Highest
Vendor	jar	package name	service	Highest
Vendor	pom	artifactid	aws-java-sdk-core	Highest
Vendor	pom	artifactid	aws-java-sdk-core	Low
Vendor	pom	groupid	com.amazonaws	Highest
Vendor	pom	name	AWS SDK for Java - Core	High
Vendor	pom	parent-artifactid	aws-java-sdk-pom	Low
Vendor	pom	url	https://aws.amazon.com/sdkforjava	Highest
Product	file	name	aws-java-sdk-core	High
Product	jar	package name	amazonaws	Highest
Product	jar	package name	classes	Highest
Product	jar	package name	service	Highest
Product	pom	artifactid	aws-java-sdk-core	Highest
Product	pom	groupid	com.amazonaws	Highest
Product	pom	name	AWS SDK for Java - Core	High
Product	pom	parent-artifactid	aws-java-sdk-pom	Medium
Product	pom	url	https://aws.amazon.com/sdkforjava	Medium
Version	file	version	1.12.267	High
Version	pom	version	1.12.267	Highest

Related Dependencies

Identifiers

pkg:maven/com.amazonaws/aws-java-sdk-core@1.12.267 (Confidence:High)
cpe:2.3:a:amazon:aws-sdk-java:1.12.267:*:*:*:*:*:*:* (Confidence:Highest)

Description:

The Axiom API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/ws/commons/axiom/axiom-api/1.2.15/axiom-api-1.2.15.jar
MD5: 56b93a28558783f249d4f1b18629fdf0
SHA1: e5f4f2a8ba280e0cee2029f8dbf4ac3856281bbd
SHA256:7b1000806a83240e370d852f53071bdc4b247dfe240aa1bc8ae91e439215cc12
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	axiom-api	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	axiom	Highest
Vendor	Manifest	bundle-activationpolicy	lazy	Low
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.ws.commons.axiom.axiom-api	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.ws.commons.axiom	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	axiom-api	Highest
Vendor	pom	artifactid	axiom-api	Low
Vendor	pom	groupid	org.apache.ws.commons.axiom	Highest
Vendor	pom	name	Axiom API	High
Vendor	pom	parent-artifactid	axiom	Low
Vendor	pom	url	http://ws.apache.org/axiom/	Highest
Product	file	name	axiom-api	High
Product	hint analyzer	product	web services	Medium
Product	jar	package name	apache	Highest
Product	jar	package name	axiom	Highest
Product	Manifest	bundle-activationpolicy	lazy	Low
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Axiom API	Medium
Product	Manifest	bundle-symbolicname	org.apache.ws.commons.axiom.axiom-api	Medium
Product	Manifest	Implementation-Title	Axiom API	High
Product	Manifest	specification-title	Axiom API	Medium
Product	pom	artifactid	axiom-api	Highest
Product	pom	groupid	org.apache.ws.commons.axiom	Highest
Product	pom	name	Axiom API	High
Product	pom	parent-artifactid	axiom	Medium
Product	pom	url	http://ws.apache.org/axiom/	Medium
Version	file	version	1.2.15	High
Version	Manifest	Bundle-Version	1.2.15	High
Version	Manifest	Implementation-Version	1.2.15	High
Version	pom	version	1.2.15	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.ws.commons.axiom/axiom-api@1.2.15 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2.15:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Contains implementation classes shared by LLOM and DOOM.

File Path: /home/grprdist/.m2/repository/org/apache/ws/commons/axiom/axiom-dom/1.2.14/axiom-dom-1.2.14.jar/META-INF/maven/org.apache.ws.commons.axiom/axiom-common-impl/pom.xml
MD5: 2bdf56db06a2eadf10c2dfb68be7e6ef
SHA1: 41758129abfa2f6e871b468d2bcc78a541bd8952
SHA256:d33a322665052f8ddf9c2fa62cae421c673bea9bbec2c21674582e9d971caa0d
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	hint analyzer	vendor	web services	Medium
Vendor	pom	artifactid	axiom-common-impl	Low
Vendor	pom	groupid	org.apache.ws.commons.axiom	Highest
Vendor	pom	name	Axiom Common Implementation Classes	High
Vendor	pom	parent-artifactid	axiom-parent	Low
Vendor	pom	url	http://ws.apache.org/axiom/	Highest
Product	hint analyzer	product	web services	Medium
Product	pom	artifactid	axiom-common-impl	Highest
Product	pom	groupid	org.apache.ws.commons.axiom	Highest
Product	pom	name	Axiom Common Implementation Classes	High
Product	pom	parent-artifactid	axiom-parent	Medium
Product	pom	url	http://ws.apache.org/axiom/	Medium
Version	pom	version	1.2.14	Highest

Identifiers

pkg:maven/org.apache.ws.commons.axiom/axiom-common-impl@1.2.14 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2.14:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Axiom DOM implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/ws/commons/axiom/axiom-dom/1.2.14/axiom-dom-1.2.14.jar
MD5: 0a769345ff3aa13e1348a64a069bf4e5
SHA1: e56bb2b1e532967818cfcb0c3d17922380db24c2
SHA256:7f3aaf83dfbcfbec5d5ad915f77349d884323f6a28134e1a11e28de0d1792bb1
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	axiom-dom	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	axiom	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.ws.commons.axiom.axiom-dom	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.ws.commons.axiom	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	axiom-dom	Highest
Vendor	pom	artifactid	axiom-dom	Low
Vendor	pom	groupid	org.apache.ws.commons.axiom	Highest
Vendor	pom	name	Axiom DOM	High
Vendor	pom	parent-artifactid	axiom-parent	Low
Vendor	pom	url	http://ws.apache.org/axiom/	Highest
Product	file	name	axiom-dom	High
Product	hint analyzer	product	web services	Medium
Product	jar	package name	apache	Highest
Product	jar	package name	axiom	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Axiom DOM	Medium
Product	Manifest	bundle-symbolicname	org.apache.ws.commons.axiom.axiom-dom	Medium
Product	Manifest	Implementation-Title	Axiom DOM	High
Product	Manifest	specification-title	Axiom DOM	Medium
Product	pom	artifactid	axiom-dom	Highest
Product	pom	groupid	org.apache.ws.commons.axiom	Highest
Product	pom	name	Axiom DOM	High
Product	pom	parent-artifactid	axiom-parent	Medium
Product	pom	url	http://ws.apache.org/axiom/	Medium
Version	file	version	1.2.14	High
Version	Manifest	Bundle-Version	1.2.14	High
Version	Manifest	Implementation-Version	1.2.14	High
Version	pom	version	1.2.14	Highest

Identifiers

pkg:maven/org.apache.ws.commons.axiom/axiom-dom@1.2.14 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2.14:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

File Path: /home/grprdist/.m2/repository/org/apache/ws/commons/axiom/axiom-impl/1.2.15/axiom-impl-1.2.15.jar/META-INF/maven/org.apache.ws.commons.axiom/core-aspects/pom.xml
MD5: 4447f584852d04df2322dbcddbe25f58
SHA1: 060acec50c33e97c9b9c1d6837dc52494644273a
SHA256:635931a703e4fbf361b3752c0250b35f51a4df226df29d2226c47e7bad0f2330
Referenced In Projects/Scopes:

Grouper WS Generated Client:runtime
Grouper WS:runtime
Grouper WS Test:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	hint analyzer	vendor	web services	Medium
Vendor	pom	artifactid	core-aspects	Low
Vendor	pom	groupid	org.apache.ws.commons.axiom	Highest
Vendor	pom	name	Core Aspects	High
Vendor	pom	parent-artifactid	aspects	Low
Vendor	pom	url	http://ws.apache.org/axiom/	Highest
Product	hint analyzer	product	web services	Medium
Product	pom	artifactid	core-aspects	Highest
Product	pom	groupid	org.apache.ws.commons.axiom	Highest
Product	pom	name	Core Aspects	High
Product	pom	parent-artifactid	aspects	Medium
Product	pom	url	http://ws.apache.org/axiom/	Medium
Version	pom	version	1.2.15	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.ws.commons.axiom/core-aspects@1.2.15 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2.15:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Axis2 Data Binding module

File Path: /home/grprdist/.m2/repository/org/apache/axis2/axis2-adb/1.6.1/axis2-adb-1.6.1.jar
MD5: 23ee2609a2f6d28e7f83b79b17b40b77
SHA1: 4b97034369d6d94bda9c98d7445d93e548f39ba5
SHA256:fbf32fb63dd4f58395e988ab1f48504612713b25b0eb5a5ebf7d90865fa52090
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	axis2-adb	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	axis2	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.axis2	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	axis2-adb	Highest
Vendor	pom	artifactid	axis2-adb	Low
Vendor	pom	groupid	org.apache.axis2	Highest
Vendor	pom	name	Apache Axis2 - Data Binding	High
Vendor	pom	parent-artifactid	axis2-parent	Low
Vendor	pom	url	http://axis.apache.org/axis2/java/core/	Highest
Product	file	name	axis2-adb	High
Product	jar	package name	apache	Highest
Product	jar	package name	axis2	Highest
Product	Manifest	Implementation-Title	Apache Axis2 - Data Binding	High
Product	Manifest	specification-title	Apache Axis2 - Data Binding	Medium
Product	pom	artifactid	axis2-adb	Highest
Product	pom	groupid	org.apache.axis2	Highest
Product	pom	name	Apache Axis2 - Data Binding	High
Product	pom	parent-artifactid	axis2-parent	Medium
Product	pom	url	http://axis.apache.org/axis2/java/core/	Medium
Version	file	version	1.6.1	High
Version	Manifest	Implementation-Version	1.6.1	High
Version	pom	version	1.6.1	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.axis2/axis2-adb@1.6.1 (Confidence:High)
cpe:2.3:a:apache:axis2:1.6.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2012-5785

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

BID - 56408
MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
SECUNIA - 51219
XF - apache-axis2-ssl-spoofing(79830)

Vulnerable Software & Versions: (show all)

Description:

Core Parts of Axis2. This includes Axis2 engine, Client API, Addressing support, etc.,

File Path: /home/grprdist/.m2/repository/org/apache/axis2/axis2-kernel/1.6.4/axis2-kernel-1.6.4.jar
MD5: 6feb481699a3da0605e90a376236fb6a
SHA1: 10c0675d66fa311c29a879bcaaa5d202802f7d2e
SHA256:5a0e236e0aba70b31166accd09af7714ab4c7d76f94555887527a3789d4fdb07
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	axis2-kernel	High
Vendor	jar	package name	addressing	Highest
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	axis2	Highest
Vendor	jar	package name	client	Highest
Vendor	jar	package name	engine	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.axis2	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	axis2-kernel	Highest
Vendor	pom	artifactid	axis2-kernel	Low
Vendor	pom	groupid	org.apache.axis2	Highest
Vendor	pom	name	Apache Axis2 - Kernel	High
Vendor	pom	parent-artifactid	axis2	Low
Vendor	pom	url	http://axis.apache.org/axis2/java/core/	Highest
Product	file	name	axis2-kernel	High
Product	jar	package name	addressing	Highest
Product	jar	package name	apache	Highest
Product	jar	package name	axis2	Highest
Product	jar	package name	client	Highest
Product	jar	package name	engine	Highest
Product	Manifest	Implementation-Title	Apache Axis2 - Kernel	High
Product	Manifest	specification-title	Apache Axis2 - Kernel	Medium
Product	pom	artifactid	axis2-kernel	Highest
Product	pom	groupid	org.apache.axis2	Highest
Product	pom	name	Apache Axis2 - Kernel	High
Product	pom	parent-artifactid	axis2	Medium
Product	pom	url	http://axis.apache.org/axis2/java/core/	Medium
Version	file	version	1.6.4	High
Version	Manifest	Implementation-Version	1.6.4	High
Version	pom	version	1.6.4	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.axis2/axis2-kernel@1.6.4 (Confidence:High)
cpe:2.3:a:apache:axis2:1.6.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Axis2 : MTOM Policy

File Path: /home/grprdist/.m2/repository/org/apache/axis2/axis2-mtompolicy/1.6.3/axis2-mtompolicy-1.6.3.jar
MD5: 1b36029c6d4a0db8c3c6b8c97cd8d99c
SHA1: 5ac00ff3025f6ae62f51b0e303124b55af9f8a73
SHA256:3312c4e17aa01e2bd0dcf4bd3378ab2c7c5e054d4a61f37807c260666f6cf505
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	axis2-mtompolicy	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	axis2	Highest
Vendor	jar	package name	policy	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.axis2	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	axis2-mtompolicy	Highest
Vendor	pom	artifactid	axis2-mtompolicy	Low
Vendor	pom	groupid	org.apache.axis2	Highest
Vendor	pom	name	Apache Axis2 - MTOM Policy	High
Vendor	pom	parent-artifactid	axis2-parent	Low
Vendor	pom	url	http://axis.apache.org/axis2/java/core/	Highest
Product	file	name	axis2-mtompolicy	High
Product	jar	package name	apache	Highest
Product	jar	package name	axis2	Highest
Product	jar	package name	policy	Highest
Product	Manifest	Implementation-Title	Apache Axis2 - MTOM Policy	High
Product	Manifest	specification-title	Apache Axis2 - MTOM Policy	Medium
Product	pom	artifactid	axis2-mtompolicy	Highest
Product	pom	groupid	org.apache.axis2	Highest
Product	pom	name	Apache Axis2 - MTOM Policy	High
Product	pom	parent-artifactid	axis2-parent	Medium
Product	pom	url	http://axis.apache.org/axis2/java/core/	Medium
Version	file	version	1.6.3	High
Version	Manifest	Implementation-Version	1.6.3	High
Version	pom	version	1.6.3	Highest

Identifiers

pkg:maven/org.apache.axis2/axis2-mtompolicy@1.6.3 (Confidence:High)
cpe:2.3:a:apache:axis2:1.6.3:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Dawid Kurzyniec's backport of JSR 166

License:

Public Domain: http://creativecommons.org/licenses/publicdomain

File Path: /home/grprdist/.m2/repository/backport-util-concurrent/backport-util-concurrent/3.1/backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b
SHA256:f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	backport-util-concurrent	High
Vendor	jar	package name	backport	Highest
Vendor	jar	package name	edu	Low
Vendor	jar	package name	emory	Low
Vendor	jar	package name	mathcs	Low
Vendor	pom	artifactid	backport-util-concurrent	Highest
Vendor	pom	artifactid	backport-util-concurrent	Low
Vendor	pom	groupid	backport-util-concurrent	Highest
Vendor	pom	name	Backport of JSR 166	High
Vendor	pom	organization name	Dawid Kurzyniec	High
Vendor	pom	organization url	http://www.mathcs.emory.edu/~dawidk/	Medium
Vendor	pom	url	http://backport-jsr166.sourceforge.net/	Highest
Product	file	name	backport-util-concurrent	High
Product	jar	package name	backport	Highest
Product	jar	package name	backport	Low
Product	jar	package name	emory	Low
Product	jar	package name	mathcs	Low
Product	pom	artifactid	backport-util-concurrent	Highest
Product	pom	groupid	backport-util-concurrent	Highest
Product	pom	name	Backport of JSR 166	High
Product	pom	organization name	Dawid Kurzyniec	Low
Product	pom	organization url	http://www.mathcs.emory.edu/~dawidk/	Low
Product	pom	url	http://backport-jsr166.sourceforge.net/	Medium
Version	file	version	3.1	High
Version	pom	version	3.1	Highest

Identifiers

pkg:maven/backport-util-concurrent/backport-util-concurrent@3.1 (Confidence:High)

Description:

The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.72/bcpkix-jdk18on-1.72.jar
MD5: 4bb2ace2ca16e7fd42a0a0c13d017464
SHA1: bb3fdb5162ccd5085e8d7e57fada4d8eaa571f5a
SHA256:56a054cb170d41fb1f8ba0b29568806258b7ffefdc5e98b77ef96d4740f3d6bc
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcpkix-jdk18on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	jar	package name	cmp	Highest
Vendor	jar	package name	cms	Highest
Vendor	jar	package name	crmf	Highest
Vendor	jar	package name	eac	Highest
Vendor	jar	package name	ocsp	Highest
Vendor	jar	package name	pkcs	Highest
Vendor	jar	package name	pkix	Highest
Vendor	jar	package name	tsp	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle PKIX API	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.pkix	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcpkix	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcpkix	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcpkix-jdk18on	Highest
Vendor	pom	artifactid	bcpkix-jdk18on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcpkix-jdk18on	High
Product	jar	package name	bouncycastle	Highest
Product	jar	package name	cmp	Highest
Product	jar	package name	cms	Highest
Product	jar	package name	crmf	Highest
Product	jar	package name	eac	Highest
Product	jar	package name	ocsp	Highest
Product	jar	package name	pkcs	Highest
Product	jar	package name	pkix	Highest
Product	jar	package name	tsp	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle PKIX API	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.pkix	Medium
Product	Manifest	Bundle-Name	bcpkix	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcpkix	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcpkix	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcpkix-jdk18on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.72	High
Version	Manifest	Bundle-Version	1.72	High
Version	pom	version	1.72	Highest

Identifiers

pkg:maven/org.bouncycastle/bcpkix-jdk18on@1.72 (Confidence:High)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:*:*:*:*:*:*:* (Confidence:Low)

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar
MD5: 7c7e9a51e0c86e26e3cc39b2ed678c4f
SHA1: 2507204241ab450456bdb8e8c0a8f986e418bd99
SHA256:1c31e44e331d25e46d293b3e8ee2d07028a67db011e74cb2443285aed1d59c85
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcprov-jdk15on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	jar	package name	crypto	Highest
Vendor	jar	package name	jce	Highest
Vendor	jar	package name	provider	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle Provider	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcprov	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	originally-created-by	25.151-b12 (Oracle Corporation)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcprov-jdk15on	Highest
Vendor	pom	artifactid	bcprov-jdk15on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle Provider	High
Vendor	pom	url	http://www.bouncycastle.org/java.html	Highest
Product	file	name	bcprov-jdk15on	High
Product	hint analyzer	product	legion-of-the-bouncy-castle-java-crytography-api	High
Product	hint analyzer	product	the_bouncy_castle_crypto_package_for_java	High
Product	jar	package name	bouncycastle	Highest
Product	jar	package name	crypto	Highest
Product	jar	package name	jce	Highest
Product	jar	package name	provider	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle Provider	Medium
Product	Manifest	Bundle-Name	bcprov	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcprov	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Product	Manifest	originally-created-by	25.151-b12 (Oracle Corporation)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcprov-jdk15on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle Provider	High
Product	pom	url	http://www.bouncycastle.org/java.html	Medium
Version	file	version	1.59	High
Version	Manifest	Bundle-Version	1.59	High
Version	pom	version	1.59	Highest

Identifiers

pkg:maven/org.bouncycastle/bcprov-jdk15on@1.59 (Confidence:High)
cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.59:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.59:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.59:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.59:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.59:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2018-1000613

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

CWE-502 Deserialization of Untrusted Data, CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2018-1000180

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

BID - 106567
CONFIRM - https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad
CONFIRM - https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839
CONFIRM - https://security.netapp.com/advisory/ntap-20190204-0003/
CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
DEBIAN - DSA-4233
MISC - https://github.com/bcgit/bc-java/wiki/CVE-2018-1000180
MISC - https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test
MISC - https://www.oracle.com/security-alerts/cpuApr2021.html
MISC - https://www.oracle.com/security-alerts/cpuoct2020.html
MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MISC - https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
MLIST - [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
N/A - N/A
OSSINDEX - [CVE-2018-1000180] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000180
OSSIndex - https://www.bouncycastle.org/jira/browse/BJA-694
REDHAT - RHSA-2018:2423
REDHAT - RHSA-2018:2424
REDHAT - RHSA-2018:2425
REDHAT - RHSA-2018:2428
REDHAT - RHSA-2018:2643
REDHAT - RHSA-2018:2669
REDHAT - RHSA-2019:0877

Vulnerable Software & Versions: (show all)

CVE-2020-15522

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2020-0187 (OSSINDEX)

In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-148517383

CWE-310 Cryptographic Issues

CVSSv2:

Base Score: MEDIUM (5.5)
Vector: /AV:L/AC:L/Au:/C:H/I:N/A:N

References:

OSSINDEX - [CVE-2020-0187] CWE-310
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0187
OSSIndex - https://android.googlesource.com/platform/external/bouncycastle/+/14ceec126e49f2f4748f0d540be820515cc725a6
OSSIndex - https://source.android.com/security/bulletin/pixel/2020-06-01

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.59:*:*:*:*:*:*:*

CVE-2020-26939

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

CWE-203 Information Exposure Through Discrepancy

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
MD5: 1809d0449a6374279c01fdd3be26cd92
SHA1: 4636a0d01f74acaf28082fb62b317f1080118371
SHA256:8f3c20e3e2d565d26f33e8d4857a37d0d7f8ac39b62a7026496fcab1bdac30d4
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcprov-jdk15on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	jar	package name	crypto	Highest
Vendor	jar	package name	jce	Highest
Vendor	jar	package name	org	Highest
Vendor	jar	package name	provider	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle Provider	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.provider	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcprov	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.292-b10 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcprov-jdk15on	Highest
Vendor	pom	artifactid	bcprov-jdk15on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle Provider	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcprov-jdk15on	High
Product	hint analyzer	product	legion-of-the-bouncy-castle-java-crytography-api	High
Product	hint analyzer	product	the_bouncy_castle_crypto_package_for_java	High
Product	jar	package name	bouncycastle	Highest
Product	jar	package name	crypto	Highest
Product	jar	package name	jce	Highest
Product	jar	package name	org	Highest
Product	jar	package name	provider	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle Provider	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.provider	Medium
Product	Manifest	Bundle-Name	bcprov	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcprov	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.292-b10 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcprov-jdk15on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle Provider	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.70	High
Version	Manifest	Bundle-Version	1.70	High
Version	pom	version	1.70	Highest

Identifiers

pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70 (Confidence:High)
cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.70:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.70:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.70:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.70:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.70:*:*:*:*:*:*:* (Confidence:Low)

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.72/bcprov-jdk18on-1.72.jar
MD5: eb4ed3b81359fb50a828723a4a9ab0b6
SHA1: d8dc62c28a3497d29c93fee3e71c00b27dff41b4
SHA256:39287f2208a753db419f5ca529d6c80f094614aa74d790331126b3c9c6b85fda
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcprov-jdk18on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	jar	package name	crypto	Highest
Vendor	jar	package name	jce	Highest
Vendor	jar	package name	org	Highest
Vendor	jar	package name	provider	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle Provider	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.provider	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcprov	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcprov-jdk18on	Highest
Vendor	pom	artifactid	bcprov-jdk18on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle Provider	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcprov-jdk18on	High
Product	hint analyzer	product	legion-of-the-bouncy-castle-java-crytography-api	High
Product	hint analyzer	product	the_bouncy_castle_crypto_package_for_java	High
Product	jar	package name	bouncycastle	Highest
Product	jar	package name	crypto	Highest
Product	jar	package name	jce	Highest
Product	jar	package name	org	Highest
Product	jar	package name	provider	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle Provider	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.provider	Medium
Product	Manifest	Bundle-Name	bcprov	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcprov	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcprovider	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcprov-jdk18on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle Provider	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.72	High
Version	Manifest	Bundle-Version	1.72	High
Version	pom	version	1.72	Highest

Identifiers

pkg:maven/org.bouncycastle/bcprov-jdk18on@1.72 (Confidence:High)
cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.72:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.72:*:*:*:*:*:*:* (Confidence:Low)

Description:

The Bouncy Castle Java APIs for ASN.1 extension and utility APIs used to support bcpkix and bctls. This jar contains APIs for JDK 1.8 and up.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html

File Path: /home/grprdist/.m2/repository/org/bouncycastle/bcutil-jdk18on/1.72/bcutil-jdk18on-1.72.jar
MD5: cade3651656670f716a430c4e3899d93
SHA1: 41f19a69ada3b06fa48781120d8bebe1ba955c77
SHA256:45377fdb6560a971eea725f507d91fd6b8fbd0797d61bfc86f2cb653c58186a4
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bcutil-jdk18on	High
Vendor	jar	package name	bouncycastle	Highest
Vendor	Manifest	application-library-allowable-codebase	*	Low
Vendor	Manifest	application-name	Bouncy Castle Utility APIs	Medium
Vendor	Manifest	automatic-module-name	org.bouncycastle.util	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	bcutil	Medium
Vendor	Manifest	caller-allowable-codebase	*	Low
Vendor	Manifest	codebase	*	Low
Vendor	Manifest	extension-name	org.bouncycastle.bcutil	Medium
Vendor	Manifest	Implementation-Vendor	BouncyCastle.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.bouncycastle	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Vendor	Manifest	permissions	all-permissions	Low
Vendor	Manifest	specification-vendor	BouncyCastle.org	Low
Vendor	Manifest	trusted-library	true	Low
Vendor	pom	artifactid	bcutil-jdk18on	Highest
Vendor	pom	artifactid	bcutil-jdk18on	Low
Vendor	pom	developer email	feedback-crypto@bouncycastle.org	Low
Vendor	pom	developer id	feedback-crypto	Medium
Vendor	pom	developer name	The Legion of the Bouncy Castle Inc.	Medium
Vendor	pom	groupid	org.bouncycastle	Highest
Vendor	pom	name	Bouncy Castle ASN.1 Extension and Utility APIs	High
Vendor	pom	url	https://www.bouncycastle.org/java.html	Highest
Product	file	name	bcutil-jdk18on	High
Product	jar	package name	bouncycastle	Highest
Product	Manifest	application-library-allowable-codebase	*	Low
Product	Manifest	application-name	Bouncy Castle Utility APIs	Medium
Product	Manifest	automatic-module-name	org.bouncycastle.util	Medium
Product	Manifest	Bundle-Name	bcutil	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	bcutil	Medium
Product	Manifest	caller-allowable-codebase	*	Low
Product	Manifest	codebase	*	Low
Product	Manifest	extension-name	org.bouncycastle.bcutil	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	originally-created-by	25.342-b07 (Private Build)	Low
Product	Manifest	permissions	all-permissions	Low
Product	Manifest	trusted-library	true	Low
Product	pom	artifactid	bcutil-jdk18on	Highest
Product	pom	developer email	feedback-crypto@bouncycastle.org	Low
Product	pom	developer id	feedback-crypto	Low
Product	pom	developer name	The Legion of the Bouncy Castle Inc.	Low
Product	pom	groupid	org.bouncycastle	Highest
Product	pom	name	Bouncy Castle ASN.1 Extension and Utility APIs	High
Product	pom	url	https://www.bouncycastle.org/java.html	Medium
Version	file	version	1.72	High
Version	Manifest	Bundle-Version	1.72	High
Version	pom	version	1.72	Highest

Identifiers

pkg:maven/org.bouncycastle/bcutil-jdk18on@1.72 (Confidence:High)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.72:*:*:*:*:*:*:* (Confidence:Low)

Description:

BeanShell is a small, free, embeddable Java source interpreter with object scripting language features,
        written in Java. BeanShell dynamically executes standard Java syntax and extends it with common scripting
        conveniences such as loose types, commands, and method closures like those in Perl and JavaScript.

License:

GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/copyleft/lesser.html

File Path: /home/grprdist/.m2/repository/org/beanshell/bsh/2.0b5/bsh-2.0b5.jar
MD5: 02f72336919d06a8491e82346e10b4d5
SHA1: fdc2ab6ae8b53e0d4761b296c116df747cd85199
SHA256:6232199563807354b3bcb5aceb3dc136502f022c6b0ef743987a83f66fee5a5c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	bsh	High
Vendor	hint analyzer	vendor	beanshell_project	Highest
Vendor	jar	package name	bsh	Highest
Vendor	jar	package name	interpreter	Highest
Vendor	jar	package name	org	Highest
Vendor	Manifest	Implementation-Vendor	Pat Niemeyer (pat@pat.net)	High
Vendor	Manifest	specification-vendor	http://www.beanshell.org/	Low
Vendor	pom	artifactid	bsh	Highest
Vendor	pom	artifactid	bsh	Low
Vendor	pom	developer id	pat	Medium
Vendor	pom	developer name	Pat Niemeyer	Medium
Vendor	pom	groupid	org.beanshell	Highest
Vendor	pom	name	BeanShell	High
Vendor	pom	url	http://www.beanshell.org/	Highest
Product	file	name	bsh	High
Product	hint analyzer	product	beanshell	Highest
Product	jar	package name	bsh	Highest
Product	jar	package name	interpreter	Highest
Product	jar	package name	org	Highest
Product	Manifest	specification-title	BeanShell	Medium
Product	pom	artifactid	bsh	Highest
Product	pom	developer id	pat	Low
Product	pom	developer name	Pat Niemeyer	Low
Product	pom	groupid	org.beanshell	Highest
Product	pom	name	BeanShell	High
Product	pom	url	http://www.beanshell.org/	Medium
Version	pom	version	2.0b5	Highest

Identifiers

pkg:maven/org.beanshell/bsh@2.0b5 (Confidence:High)
cpe:2.3:a:beanshell:beanshell:2.0:b5:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2016-2510

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

CWE-19 Data Processing Errors

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

BID - 84139
CONFIRM - https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
CONFIRM - https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
CONFIRM - https://github.com/beanshell/beanshell/releases/tag/2.0b6
DEBIAN - DSA-3504
GENTOO - GLSA-201607-17
MISC - https://github.com/frohoff/ysoserial/pull/13
MISC - https://www.oracle.com/security-alerts/cpuoct2020.html
MISC - https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
OSSINDEX - [CVE-2016-2510] CWE-19
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2510
OSSIndex - https://github.com/beanshell/beanshell/releases/tag/2.0b6
REDHAT - RHSA-2016:0539
REDHAT - RHSA-2016:0540
REDHAT - RHSA-2016:1135
REDHAT - RHSA-2016:1376
REDHAT - RHSA-2016:2035
REDHAT - RHSA-2019:1545
SECTRACK - 1035440
SUSE - openSUSE-SU-2016:0788
SUSE - openSUSE-SU-2016:0833
UBUNTU - USN-2923-1

Vulnerable Software & Versions: (show all)

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with a remaining dependency onto ASM.
        You should never depend on this module without repackaging Byte Buddy and ASM into your own namespace.

File Path: /home/grprdist/.m2/repository/net/bytebuddy/byte-buddy/1.12.9/byte-buddy-1.12.9.jar/META-INF/maven/net.bytebuddy/byte-buddy-dep/pom.xml
MD5: f252b6a3ad73a2fe8b82d4e5e252b6e7
SHA1: bd386dc86918b6f7769ad855aa2636b40b639c76
SHA256:71c523053fd9cd841080a5bc89a4740b49f5dedd648e8de0ab064456e3113c14
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	byte-buddy-dep	Low
Vendor	pom	groupid	net.bytebuddy	Highest
Vendor	pom	name	Byte Buddy (with dependencies)	High
Vendor	pom	parent-artifactid	byte-buddy-parent	Low
Product	pom	artifactid	byte-buddy-dep	Highest
Product	pom	groupid	net.bytebuddy	Highest
Product	pom	name	Byte Buddy (with dependencies)	High
Product	pom	parent-artifactid	byte-buddy-parent	Medium
Version	pom	version	1.12.9	Highest

Identifiers

pkg:maven/net.bytebuddy/byte-buddy-dep@1.12.9 (Confidence:High)

Description:

        Byte Buddy is a Java library for creating Java classes at run time.
        This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/bytebuddy/byte-buddy/1.12.9/byte-buddy-1.12.9.jar
MD5: a120a37aba17a10766b9bc869f90fd2b
SHA1: 424ded9ef3496b0d997ce066f2166a4f7ec7b07a
SHA256:e305b6b5bdf8602bc5012efaa50c96b0fb922a3c60308ee1af85605b74d82710
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	byte-buddy	High
Vendor	jar	package name	asm	Highest
Vendor	jar	package name	build	Highest
Vendor	jar	package name	bytebuddy	Highest
Vendor	jar	package name	net	Highest
Vendor	Manifest	bundle-symbolicname	net.bytebuddy.byte-buddy	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	pom	artifactid	byte-buddy	Highest
Vendor	pom	artifactid	byte-buddy	Low
Vendor	pom	groupid	net.bytebuddy	Highest
Vendor	pom	name	Byte Buddy (without dependencies)	High
Vendor	pom	parent-artifactid	byte-buddy-parent	Low
Product	file	name	byte-buddy	High
Product	jar	package name	asm	Highest
Product	jar	package name	build	Highest
Product	jar	package name	bytebuddy	Highest
Product	jar	package name	net	Highest
Product	Manifest	Bundle-Name	Byte Buddy (without dependencies)	Medium
Product	Manifest	bundle-symbolicname	net.bytebuddy.byte-buddy	Medium
Product	Manifest	multi-release	true	Low
Product	pom	artifactid	byte-buddy	Highest
Product	pom	groupid	net.bytebuddy	Highest
Product	pom	name	Byte Buddy (without dependencies)	High
Product	pom	parent-artifactid	byte-buddy-parent	Medium
Version	file	version	1.12.9	High
Version	Manifest	Bundle-Version	1.12.9	High
Version	pom	version	1.12.9	Highest

Identifiers

pkg:maven/net.bytebuddy/byte-buddy@1.12.9 (Confidence:High)

Description:

a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php

File Path: /home/grprdist/.m2/repository/com/mchange/c3p0/0.9.5.4/c3p0-0.9.5.4.jar
MD5: 45fd4a89c9fd671a0d1dc97c0ec77abe
SHA1: a21a1d37ae0b59efce99671544f51c34ed1e8def
SHA256:60cf2906cd6ad6771f514a3e848b74b3e3da99c1806f2a63c38e2dd8da5ef11f
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	c3p0	High
Vendor	jar	package name	c3p0	Highest
Vendor	jar	package name	mchange	Highest
Vendor	jar	package name	v2	Highest
Vendor	Manifest	extension-name	com.mchange.v2.c3p0	Medium
Vendor	Manifest	Implementation-Vendor	Machinery For Change, Inc.	High
Vendor	Manifest	Implementation-Vendor-Id	com.mchange	Medium
Vendor	Manifest	specification-vendor	Machinery For Change, Inc.	Low
Vendor	pom	artifactid	c3p0	Highest
Vendor	pom	artifactid	c3p0	Low
Vendor	pom	developer email	swaldman@mchange.com	Low
Vendor	pom	developer id	swaldman	Medium
Vendor	pom	developer name	Steve Waldman	Medium
Vendor	pom	groupid	com.mchange	Highest
Vendor	pom	name	c3p0	High
Vendor	pom	url	swaldman/c3p0	Highest
Product	file	name	c3p0	High
Product	jar	package name	c3p0	Highest
Product	jar	package name	mchange	Highest
Product	jar	package name	v2	Highest
Product	Manifest	extension-name	com.mchange.v2.c3p0	Medium
Product	pom	artifactid	c3p0	Highest
Product	pom	developer email	swaldman@mchange.com	Low
Product	pom	developer id	swaldman	Low
Product	pom	developer name	Steve Waldman	Low
Product	pom	groupid	com.mchange	Highest
Product	pom	name	c3p0	High
Product	pom	url	swaldman/c3p0	High
Version	file	version	0.9.5.4	High
Version	Manifest	Implementation-Version	0.9.5.4	High
Version	pom	version	0.9.5.4	Highest

Identifiers

pkg:maven/com.mchange/c3p0@0.9.5.4 (Confidence:High)
cpe:2.3:a:mchange:c3p0:0.9.5.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php

File Path: /home/grprdist/.m2/repository/com/google/code/maven-play-plugin/com/mchange/c3p0-oracle-thin-extras/0.9.5/c3p0-oracle-thin-extras-0.9.5.jar
MD5: 06b6bb3df31e56a391a5815d0f132715
SHA1: ae706b22bae360f5d360b2a5d207f804a3729ec2
SHA256:d185e4fb6a0165a39a2b85650efa18722ca9b4badef52a7701f081d9ae5ac321
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	c3p0-oracle-thin-extras	High
Vendor	jar	package name	c3p0	Highest
Vendor	jar	package name	c3p0	Low
Vendor	jar	package name	mchange	Highest
Vendor	jar	package name	mchange	Low
Vendor	jar	package name	v2	Low
Vendor	pom	artifactid	c3p0-oracle-thin-extras	Highest
Vendor	pom	artifactid	c3p0-oracle-thin-extras	Low
Vendor	pom	developer email	swaldman@mchange.com	Low
Vendor	pom	developer id	swaldman	Medium
Vendor	pom	developer name	Steve Waldman	Medium
Vendor	pom	groupid	com.google.code.maven-play-plugin.com.mchange	Highest
Vendor	pom	name	c3p0-oracle-thin-extras	High
Vendor	pom	url	swaldman/c3p0	Highest
Product	file	name	c3p0-oracle-thin-extras	High
Product	jar	package name	c3p0	Highest
Product	jar	package name	c3p0	Low
Product	jar	package name	dbms	Low
Product	jar	package name	mchange	Highest
Product	jar	package name	v2	Low
Product	pom	artifactid	c3p0-oracle-thin-extras	Highest
Product	pom	developer email	swaldman@mchange.com	Low
Product	pom	developer id	swaldman	Low
Product	pom	developer name	Steve Waldman	Low
Product	pom	groupid	com.google.code.maven-play-plugin.com.mchange	Highest
Product	pom	name	c3p0-oracle-thin-extras	High
Product	pom	url	swaldman/c3p0	High
Version	file	version	0.9.5	High
Version	pom	version	0.9.5	Highest

Identifiers

pkg:maven/com.google.code.maven-play-plugin.com.mchange/c3p0-oracle-thin-extras@0.9.5 (Confidence:High)
cpe:2.3:a:mchange:c3p0:0.9.5:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2019-5427

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

FEDORA - FEDORA-2019-063672154a
FEDORA - FEDORA-2019-cb14e234fc
MISC - https://hackerone.com/reports/509315
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MISC - https://www.oracle.com/security-alerts/cpujul2020.html
MISC - https://www.oracle.com/security-alerts/cpuoct2020.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
N/A - N/A

Vulnerable Software & Versions: (show all)

File Path: /home/grprdist/.m2/repository/cglib/cglib/3.3.0/cglib-3.3.0.jar
MD5: 6ff304cc2874dd20277a8206fee5fd9a
SHA1: c956b9f9708af5901e9cf05701e9b2b1c25027cc
SHA256:9fe0c26d7464140ccdfe019ac687be1fb906122b508ab54beb810db0f09a9212
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	cglib	High
Vendor	jar	package name	cglib	Highest
Vendor	jar	package name	cglib	Low
Vendor	jar	package name	net	Low
Vendor	jar	package name	sf	Low
Vendor	pom	artifactid	cglib	Highest
Vendor	pom	artifactid	cglib	Low
Vendor	pom	groupid	cglib	Highest
Vendor	pom	parent-artifactid	cglib-parent	Low
Product	file	name	cglib	High
Product	jar	package name	cglib	Highest
Product	jar	package name	cglib	Low
Product	jar	package name	sf	Low
Product	pom	artifactid	cglib	Highest
Product	pom	groupid	cglib	Highest
Product	pom	parent-artifactid	cglib-parent	Medium
Version	file	version	3.3.0	High
Version	pom	version	3.3.0	Highest

Identifiers

pkg:maven/cglib/cglib@3.3.0 (Confidence:High)

Description:

        Checker Qual is the set of annotations (qualifiers) and supporting classes
        used by the Checker Framework to type check Java source code.

        Please
        see artifact:
        org.checkerframework:checker

License:

The MIT License: http://opensource.org/licenses/MIT

File Path: /home/grprdist/.m2/repository/org/checkerframework/checker-qual/3.5.0/checker-qual-3.5.0.jar
MD5: 4464def1ed5c10f248ebfe1bccbedf1a
SHA1: 2f50520c8abea66fbd8d26e481d3aef5c673b510
SHA256:729990b3f18a95606fc2573836b6958bcdb44cb52bfbd1b7aa9c339cff35a5a4
Referenced In Projects/Scopes:

Grouper WS Generated Client:runtime
Grouper WS:runtime
Grouper WS Test:runtime
Grouper WS SCIM:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	checker-qual	High
Vendor	jar	package name	checker	Highest
Vendor	jar	package name	checkerframework	Highest
Vendor	jar	package name	framework	Highest
Vendor	jar	package name	qual	Highest
Vendor	Manifest	automatic-module-name	org.checkerframework.checker.qual	Medium
Vendor	Manifest	bundle-symbolicname	checker-qual	Medium
Vendor	Manifest	implementation-url	https://checkerframework.org	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	checker-qual	Highest
Vendor	pom	artifactid	checker-qual	Low
Vendor	pom	developer email	mernst@cs.washington.edu	Low
Vendor	pom	developer email	smillst@cs.washington.edu	Low
Vendor	pom	developer email	wdietl@uwaterloo.ca	Low
Vendor	pom	developer id	mernst	Medium
Vendor	pom	developer id	smillst	Medium
Vendor	pom	developer id	wmdietl	Medium
Vendor	pom	developer name	Michael Ernst	Medium
Vendor	pom	developer name	Suzanne Millstein	Medium
Vendor	pom	developer name	Werner M. Dietl	Medium
Vendor	pom	developer org	University of Washington	Medium
Vendor	pom	developer org	University of Waterloo	Medium
Vendor	pom	developer org URL	http://uwaterloo.ca/	Medium
Vendor	pom	developer org URL	https://www.cs.washington.edu/	Medium
Vendor	pom	developer org URL	https://www.cs.washington.edu/research/plse/	Medium
Vendor	pom	groupid	org.checkerframework	Highest
Vendor	pom	name	Checker Qual	High
Vendor	pom	url	https://checkerframework.org	Highest
Product	file	name	checker-qual	High
Product	jar	package name	checker	Highest
Product	jar	package name	checkerframework	Highest
Product	jar	package name	framework	Highest
Product	jar	package name	qual	Highest
Product	Manifest	automatic-module-name	org.checkerframework.checker.qual	Medium
Product	Manifest	Bundle-Name	checker-qual	Medium
Product	Manifest	bundle-symbolicname	checker-qual	Medium
Product	Manifest	implementation-url	https://checkerframework.org	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	checker-qual	Highest
Product	pom	developer email	mernst@cs.washington.edu	Low
Product	pom	developer email	smillst@cs.washington.edu	Low
Product	pom	developer email	wdietl@uwaterloo.ca	Low
Product	pom	developer id	mernst	Low
Product	pom	developer id	smillst	Low
Product	pom	developer id	wmdietl	Low
Product	pom	developer name	Michael Ernst	Low
Product	pom	developer name	Suzanne Millstein	Low
Product	pom	developer name	Werner M. Dietl	Low
Product	pom	developer org	University of Washington	Low
Product	pom	developer org	University of Waterloo	Low
Product	pom	developer org URL	http://uwaterloo.ca/	Low
Product	pom	developer org URL	https://www.cs.washington.edu/	Low
Product	pom	developer org URL	https://www.cs.washington.edu/research/plse/	Low
Product	pom	groupid	org.checkerframework	Highest
Product	pom	name	Checker Qual	High
Product	pom	url	https://checkerframework.org	Medium
Version	file	version	3.5.0	High
Version	Manifest	Bundle-Version	3.5.0	High
Version	Manifest	Implementation-Version	3.5.0	High
Version	pom	version	3.5.0	Highest

Identifiers

pkg:maven/org.checkerframework/checker-qual@3.5.0 (Confidence:High)

Description:

Library for introspecting types with full generic information
        including resolving of field and method types.

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/classmate/1.5.1/classmate-1.5.1.jar
MD5: e91fcd30ba329fd1b0b6dc5321fd067c
SHA1: 3fe0bed568c62df5e89f4f174c101eab25345b6c
SHA256:aab4de3006808c09d25dd4ff4a3611cfb63c95463cfd99e73d2e1680d229a33b
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	classmate	High
Vendor	jar	package name	classmate	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	types	Highest
Vendor	Manifest	automatic-module-name	com.fasterxml.classmate	Medium
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/java-classmate	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.classmate	Medium
Vendor	Manifest	implementation-build-date	2019-10-19 22:46:35+0000	Low
Vendor	Manifest	Implementation-Vendor	fasterxml.com	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	fasterxml.com	Low
Vendor	pom	artifactid	classmate	Highest
Vendor	pom	artifactid	classmate	Low
Vendor	pom	developer email	blangel@ocheyedan.net	Low
Vendor	pom	developer email	tatu@fasterxml.com	Low
Vendor	pom	developer id	blangel	Medium
Vendor	pom	developer id	tatu	Medium
Vendor	pom	developer name	Brian Langel	Medium
Vendor	pom	developer name	Tatu Saloranta	Medium
Vendor	pom	groupid	com.fasterxml	Highest
Vendor	pom	name	ClassMate	High
Vendor	pom	organization name	fasterxml.com	High
Vendor	pom	organization url	https://fasterxml.com	Medium
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	pom	url	FasterXML/java-classmate	Highest
Product	file	name	classmate	High
Product	jar	package name	classmate	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	types	Highest
Product	Manifest	automatic-module-name	com.fasterxml.classmate	Medium
Product	Manifest	bundle-docurl	https://github.com/FasterXML/java-classmate	Low
Product	Manifest	Bundle-Name	ClassMate	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.classmate	Medium
Product	Manifest	implementation-build-date	2019-10-19 22:46:35+0000	Low
Product	Manifest	Implementation-Title	ClassMate	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	ClassMate	Medium
Product	pom	artifactid	classmate	Highest
Product	pom	developer email	blangel@ocheyedan.net	Low
Product	pom	developer email	tatu@fasterxml.com	Low
Product	pom	developer id	blangel	Low
Product	pom	developer id	tatu	Low
Product	pom	developer name	Brian Langel	Low
Product	pom	developer name	Tatu Saloranta	Low
Product	pom	groupid	com.fasterxml	Highest
Product	pom	name	ClassMate	High
Product	pom	organization name	fasterxml.com	Low
Product	pom	organization url	https://fasterxml.com	Low
Product	pom	parent-artifactid	oss-parent	Medium
Product	pom	url	FasterXML/java-classmate	High
Version	file	version	1.5.1	High
Version	Manifest	Bundle-Version	1.5.1	High
Version	Manifest	Implementation-Version	1.5.1	High
Version	pom	parent-version	1.5.1	Low
Version	pom	version	1.5.1	Highest

Identifiers

pkg:maven/com.fasterxml/classmate@1.5.1 (Confidence:High)

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-beanutils	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	beanutils	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-beanutils/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-beanutils	Medium
Vendor	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000	Low
Vendor	Manifest	implementation-url	https://commons.apache.org/proper/commons-beanutils/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-beanutils	Highest
Vendor	pom	artifactid	commons-beanutils	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dion@apache.org	Low
Vendor	pom	developer email	epugh@apache.org	Low
Vendor	pom	developer email	geirm@apache.org	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	jconlon@apache.org	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	morgand@apache.org	Low
Vendor	pom	developer email	mvdb@apache.org	Low
Vendor	pom	developer email	niallp@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer email	scolebourne@apache.org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	stain@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer email	yoavs@apache.org	Low
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	epugh	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	jconlon	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	mvdb	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	stain	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer id	yoavs	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Eric Pugh	Medium
Vendor	pom	developer name	Dion Gillard	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	John E. Conlon	Medium
Vendor	pom	developer name	Martin van den Bemt	Medium
Vendor	pom	developer name	Morgan James Delagrange	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Stian Soiland-Reyes	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer name	Yoav Shapira	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	commons-beanutils	Highest
Vendor	pom	name	Apache Commons BeanUtils	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-beanutils/	Highest
Product	file	name	commons-beanutils	High
Product	jar	package name	apache	Highest
Product	jar	package name	beanutils	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-beanutils/	Low
Product	Manifest	Bundle-Name	Apache Commons BeanUtils	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-beanutils	Medium
Product	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000	Low
Product	Manifest	Implementation-Title	Apache Commons BeanUtils	High
Product	Manifest	implementation-url	https://commons.apache.org/proper/commons-beanutils/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons BeanUtils	Medium
Product	pom	artifactid	commons-beanutils	Highest
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dion@apache.org	Low
Product	pom	developer email	epugh@apache.org	Low
Product	pom	developer email	geirm@apache.org	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	jconlon@apache.org	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	morgand@apache.org	Low
Product	pom	developer email	mvdb@apache.org	Low
Product	pom	developer email	niallp@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer email	scolebourne@apache.org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	stain@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer email	yoavs@apache.org	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	epugh	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	jconlon	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	mvdb	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	stain	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer id	yoavs	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Eric Pugh	Low
Product	pom	developer name	Dion Gillard	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	John E. Conlon	Low
Product	pom	developer name	Martin van den Bemt	Low
Product	pom	developer name	Morgan James Delagrange	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Stian Soiland-Reyes	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer name	Yoav Shapira	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	commons-beanutils	Highest
Product	pom	name	Apache Commons BeanUtils	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-beanutils/	Medium
Version	file	version	1.9.4	High
Version	Manifest	Bundle-Version	1.9.4	High
Version	Manifest	Implementation-Version	1.9.4	High
Version	pom	parent-version	1.9.4	Low
Version	pom	version	1.9.4	Highest

Identifiers

pkg:maven/commons-beanutils/commons-beanutils@1.9.4 (Confidence:High)
cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:1.9.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
MD5: c966d7e03507c834d5b09b848560174e
SHA1: c51c00206bb913cd8612b24abd9fa98ae89719b1
SHA256:fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-cli	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	cli	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-cli/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.cli	Medium
Vendor	Manifest	implementation-build	tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-cli/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-cli	Highest
Vendor	pom	artifactid	commons-cli	Low
Vendor	pom	developer email	bob@werken.com	Low
Vendor	pom	developer email	ebourg@apache.org	Low
Vendor	pom	developer email	jbjk@mac.com	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	roxspring@imapmail.org	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	ebourg	Medium
Vendor	pom	developer id	jkeyes	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	roxspring	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer name	Bob McWhirter	Medium
Vendor	pom	developer name	Emmanuel Bourg	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	John Keyes	Medium
Vendor	pom	developer name	Rob Oxspring	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer org	Ariane Software	Medium
Vendor	pom	developer org	Indigo Stone	Medium
Vendor	pom	developer org	integral Source	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	developer org	Werken	Medium
Vendor	pom	groupid	commons-cli	Highest
Vendor	pom	name	Apache Commons CLI	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-cli/	Highest
Product	file	name	commons-cli	High
Product	jar	package name	apache	Highest
Product	jar	package name	cli	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-cli/	Low
Product	Manifest	Bundle-Name	Apache Commons CLI	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.cli	Medium
Product	Manifest	implementation-build	tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000	Low
Product	Manifest	Implementation-Title	Apache Commons CLI	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-cli/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	specification-title	Apache Commons CLI	Medium
Product	pom	artifactid	commons-cli	Highest
Product	pom	developer email	bob@werken.com	Low
Product	pom	developer email	ebourg@apache.org	Low
Product	pom	developer email	jbjk@mac.com	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	roxspring@imapmail.org	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	ebourg	Low
Product	pom	developer id	jkeyes	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	roxspring	Low
Product	pom	developer id	tn	Low
Product	pom	developer name	Bob McWhirter	Low
Product	pom	developer name	Emmanuel Bourg	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	John Keyes	Low
Product	pom	developer name	Rob Oxspring	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer org	Ariane Software	Low
Product	pom	developer org	Indigo Stone	Low
Product	pom	developer org	integral Source	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	developer org	Werken	Low
Product	pom	groupid	commons-cli	Highest
Product	pom	name	Apache Commons CLI	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-cli/	Medium
Version	file	version	1.4	High
Version	Manifest	Implementation-Version	1.4	High
Version	pom	parent-version	1.4	Low
Version	pom	version	1.4	Highest

Identifiers

pkg:maven/commons-cli/commons-cli@1.4 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

     The Apache Commons Codec package contains simple encoder and decoders for
     various formats such as Base64 and Hexadecimal.  In addition to these
     widely used encoders and decoders, the codec package also maintains a
     collection of phonetic encoding utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-codec/commons-codec/1.15/commons-codec-1.15.jar
MD5: 303baf002ce6d382198090aedd9d79a2
SHA1: 49d94806b6e3dc933dacbd8acb0fdbab8ebd1e5d
SHA256:b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile
Grouper WS Manual Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-codec	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	codec	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	encoder	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.codec	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-codec/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-codec	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-codec	Highest
Vendor	pom	artifactid	commons-codec	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	dgraham@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jon@collab.net	Low
Vendor	pom	developer email	julius@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	dgraham	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jon	Medium
Vendor	pom	developer id	julius	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	David Graham	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Jon S. Stevens	Medium
Vendor	pom	developer name	Julius Davies	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	developer org URL	http://juliusdavies.ca/	Medium
Vendor	pom	groupid	commons-codec	Highest
Vendor	pom	name	Apache Commons Codec	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-codec/	Highest
Product	file	name	commons-codec	High
Product	jar	package name	apache	Highest
Product	jar	package name	codec	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	encoder	Highest
Product	Manifest	automatic-module-name	org.apache.commons.codec	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-codec/	Low
Product	Manifest	Bundle-Name	Apache Commons Codec	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-codec	Medium
Product	Manifest	Implementation-Title	Apache Commons Codec	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Apache Commons Codec	Medium
Product	pom	artifactid	commons-codec	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	dgraham@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jon@collab.net	Low
Product	pom	developer email	julius@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	dgraham	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jon	Low
Product	pom	developer id	julius	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	tn	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	David Graham	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Jon S. Stevens	Low
Product	pom	developer name	Julius Davies	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	developer org URL	http://juliusdavies.ca/	Low
Product	pom	groupid	commons-codec	Highest
Product	pom	name	Apache Commons Codec	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-codec/	Medium
Version	file	version	1.15	High
Version	Manifest	Implementation-Version	1.15	High
Version	pom	parent-version	1.15	Low
Version	pom	version	1.15	Highest

Identifiers

pkg:maven/commons-codec/commons-codec@1.15 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-collections	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	collections	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/collections/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.collections	Medium
Vendor	Manifest	implementation-build	tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/collections/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-collections	Highest
Vendor	pom	artifactid	commons-collections	Low
Vendor	pom	developer id	amamment	Medium
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	matth	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Arun M. Thomas	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Matthew Hawthorne	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	groupid	commons-collections	Highest
Vendor	pom	name	Apache Commons Collections	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/collections/	Highest
Product	file	name	commons-collections	High
Product	jar	package name	apache	Highest
Product	jar	package name	collections	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/collections/	Low
Product	Manifest	Bundle-Name	Apache Commons Collections	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.collections	Medium
Product	Manifest	implementation-build	tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100	Low
Product	Manifest	Implementation-Title	Apache Commons Collections	High
Product	Manifest	implementation-url	http://commons.apache.org/collections/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))"	Low
Product	Manifest	specification-title	Apache Commons Collections	Medium
Product	pom	artifactid	commons-collections	Highest
Product	pom	developer id	amamment	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	matth	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Arun M. Thomas	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Matthew Hawthorne	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	groupid	commons-collections	Highest
Product	pom	name	Apache Commons Collections	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/collections/	Medium
Version	file	version	3.2.2	High
Version	Manifest	Bundle-Version	3.2.2	High
Version	Manifest	Implementation-Version	3.2.2	High
Version	pom	parent-version	3.2.2	Low
Version	pom	version	3.2.2	Highest

Identifiers

pkg:maven/commons-collections/commons-collections@3.2.2 (Confidence:High)
cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar
MD5: a18f2d0153b5607dff8c5becbdd76dd1
SHA1: da217367fd25e88df52ba79e47658d4cf928b0d1
SHA256:93f8dfcd20831a28d092427723f696bceb70b28e7fb89d7914f14d5ea492ce5a
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-collections4	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	collections4	Highest
Vendor	jar	package name	commons	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-collections/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.collections4	Medium
Vendor	Manifest	implementation-build	tags/COLLECTIONS_4_0_RC5@r1543977; 2013-11-20 23:44:45+0100	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-collections4	Highest
Vendor	pom	artifactid	commons-collections4	Low
Vendor	pom	developer id	adriannistor	Medium
Vendor	pom	developer id	amamment	Medium
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	luc	Medium
Vendor	pom	developer id	matth	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer name	Adrian Nistor	Medium
Vendor	pom	developer name	Arun M. Thomas	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	Gary D. Gregory	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Luc Maisonobe	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Matthew Hawthorne	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Collections	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-collections/	Highest
Product	file	name	commons-collections4	High
Product	jar	package name	apache	Highest
Product	jar	package name	collections4	Highest
Product	jar	package name	commons	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-collections/	Low
Product	Manifest	Bundle-Name	Apache Commons Collections	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.collections4	Medium
Product	Manifest	implementation-build	tags/COLLECTIONS_4_0_RC5@r1543977; 2013-11-20 23:44:45+0100	Low
Product	Manifest	Implementation-Title	Apache Commons Collections	High
Product	Manifest	specification-title	Apache Commons Collections	Medium
Product	pom	artifactid	commons-collections4	Highest
Product	pom	developer id	adriannistor	Low
Product	pom	developer id	amamment	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	luc	Low
Product	pom	developer id	matth	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer id	tn	Low
Product	pom	developer name	Adrian Nistor	Low
Product	pom	developer name	Arun M. Thomas	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	Gary D. Gregory	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Luc Maisonobe	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Matthew Hawthorne	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Collections	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/proper/commons-collections/	Medium
Version	file	version	4.0	High
Version	Manifest	Implementation-Version	4.0	High
Version	pom	parent-version	4.0	Low
Version	pom	version	4.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-collections4@4.0 (Confidence:High)
cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:4.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2015-6420

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

CWE-502 Deserialization of Untrusted Data

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

Description:

The Apache Commons CSV library provides a simple interface for reading and writing
CSV files of various types.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-csv/1.6/commons-csv-1.6.jar
MD5: 6a0c53855ceb8fb376635e9a05fb8cb6
SHA1: 22b3c2f901af973a8ec4f24e80c8c0c77a600b79
SHA256:7d1560fe2c3564128f2ff3f7c0fc9f0666738aa0e704f3d78b8954f9e0ec3adf
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-csv	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	csv	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-csv/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.csv	Medium
Vendor	Manifest	implementation-build	release@r2596fdeebcab53fe459c481990bf1dec838128a5; 2018-09-19 11:49:19+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-csv/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-csv	Highest
Vendor	pom	artifactid	commons-csv	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	ebourg@apache.org	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	mvdb@apache.org	Low
Vendor	pom	developer email	yonik@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	ebourg	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	mvdb	Medium
Vendor	pom	developer id	yonik	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Emmanuel Bourg	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Martin van den Bemt	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Yonik Seeley	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons CSV	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-csv/	Highest
Product	file	name	commons-csv	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	csv	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-csv/	Low
Product	Manifest	Bundle-Name	Apache Commons CSV	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.csv	Medium
Product	Manifest	implementation-build	release@r2596fdeebcab53fe459c481990bf1dec838128a5; 2018-09-19 11:49:19+0000	Low
Product	Manifest	Implementation-Title	Apache Commons CSV	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-csv/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Apache Commons CSV	Medium
Product	pom	artifactid	commons-csv	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	ebourg@apache.org	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	mvdb@apache.org	Low
Product	pom	developer email	yonik@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	ebourg	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	mvdb	Low
Product	pom	developer id	yonik	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Emmanuel Bourg	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Martin van den Bemt	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Yonik Seeley	Low
Product	pom	developer org	Apache	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons CSV	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/proper/commons-csv/	Medium
Version	file	version	1.6	High
Version	Manifest	Implementation-Version	1.6	High
Version	pom	parent-version	1.6	Low
Version	pom	version	1.6	Highest

Identifiers

pkg:maven/org.apache.commons/commons-csv@1.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Commons Database Connection Pooling

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-dbcp/commons-dbcp/1.4/commons-dbcp-1.4.jar
MD5: b004158fab904f37f5831860898b3cd9
SHA1: 30be73c965cc990b153a100aaaaafcf239f82d39
SHA256:a6e2d83551d0e5b59aa942359f3010d35e79365e6552ad3dbaa6776e4851e4f6
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-dbcp	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	dbcp	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/dbcp/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.dbcp	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-dbcp	Highest
Vendor	pom	artifactid	commons-dbcp	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	markt@apache.org	Low
Vendor	pom	developer email	mpoeschl@marmot.at	Low
Vendor	pom	developer email	yoavs@apache.org	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dirkv	Medium
Vendor	pom	developer id	dweinr1	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	jmcnally	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	markt	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	mpoeschl	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	yoavs	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Weinrich	Medium
Vendor	pom	developer name	Dirk Verbeeck	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Jörg Schaible	Medium
Vendor	pom	developer name	John McNally	Medium
Vendor	pom	developer name	Mark Thomas	Medium
Vendor	pom	developer name	Martin Poeschl	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Yoav Shapira	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org	tucana.at	Medium
Vendor	pom	groupid	commons-dbcp	Highest
Vendor	pom	name	Commons DBCP	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/dbcp/	Highest
Product	file	name	commons-dbcp	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	dbcp	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/dbcp/	Low
Product	Manifest	Bundle-Name	Commons DBCP	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.dbcp	Medium
Product	Manifest	Implementation-Title	Commons DBCP	High
Product	Manifest	specification-title	Commons DBCP	Medium
Product	pom	artifactid	commons-dbcp	Highest
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	markt@apache.org	Low
Product	pom	developer email	mpoeschl@marmot.at	Low
Product	pom	developer email	yoavs@apache.org	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dirkv	Low
Product	pom	developer id	dweinr1	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	jmcnally	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	markt	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	mpoeschl	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	yoavs	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Weinrich	Low
Product	pom	developer name	Dirk Verbeeck	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Jörg Schaible	Low
Product	pom	developer name	John McNally	Low
Product	pom	developer name	Mark Thomas	Low
Product	pom	developer name	Martin Poeschl	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Yoav Shapira	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org	tucana.at	Low
Product	pom	groupid	commons-dbcp	Highest
Product	pom	name	Commons DBCP	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/dbcp/	Medium
Version	file	version	1.4	High
Version	Manifest	Bundle-Version	1.4	High
Version	Manifest	Implementation-Version	1.4	High
Version	pom	parent-version	1.4	Low
Version	pom	version	1.4	Highest

Identifiers

pkg:maven/commons-dbcp/commons-dbcp@1.4 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    The Digester package lets you configure an XML to Java object mapping module
    which triggers certain actions called rules whenever a particular 
    pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-digester	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	digester	Highest
Vendor	jar	package name	rules	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-digester	Highest
Vendor	pom	artifactid	commons-digester	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	jfarcand@apache.org	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	jvanzyl@apache.org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	simonetripodi AT apache DOT org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	jfarcand	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jvanzyl	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Jason van Zyl	Medium
Vendor	pom	developer name	Jean-Francois Arcand	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Simone Tripodi	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	groupid	commons-digester	Highest
Vendor	pom	name	Commons Digester	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/digester/	Highest
Product	file	name	commons-digester	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	digester	Highest
Product	jar	package name	rules	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Product	Manifest	Bundle-Name	Commons Digester	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Product	Manifest	Implementation-Title	Commons Digester	High
Product	Manifest	specification-title	Commons Digester	Medium
Product	pom	artifactid	commons-digester	Highest
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	jfarcand@apache.org	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	jvanzyl@apache.org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	simonetripodi AT apache DOT org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	jfarcand	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jvanzyl	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Jason van Zyl	Low
Product	pom	developer name	Jean-Francois Arcand	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Simone Tripodi	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	groupid	commons-digester	Highest
Product	pom	name	Commons Digester	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/digester/	Medium
Version	file	version	2.1	High
Version	Manifest	Bundle-Version	2.1	High
Version	Manifest	Implementation-Version	2.1	High
Version	pom	parent-version	2.1	Low
Version	pom	version	2.1	Highest

Identifiers

pkg:maven/commons-digester/commons-digester@2.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    The Apache Commons Digester package lets you configure an XML to Java
    object mapping module which triggers certain actions called rules whenever
    a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-digester3/3.2/commons-digester3-3.2.jar
MD5: 41d2c62c7aedafa7a3627794abc83f71
SHA1: c3f68c5ff25ec5204470fd8fdf4cb8feff5e8a79
SHA256:1c150e3d2df4b4237b47e28fea2079fb0da324578d5cca6a5fed2e37a62082ec
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-digester3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	digester	Highest
Vendor	jar	package name	digester3	Highest
Vendor	jar	package name	rules	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Vendor	Manifest	implementation-build	tags/DIGESTER3_3_2_RC2@r1212807; 2011-12-10 15:57:06+0100	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-digester3	Highest
Vendor	pom	artifactid	commons-digester3	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	jfarcand@apache.org	Low
Vendor	pom	developer email	jstrachan@apache.org	Low
Vendor	pom	developer email	jvanzyl@apache.org	Low
Vendor	pom	developer email	mbenson AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	sanders@totalsync.com	Low
Vendor	pom	developer email	simonetripodi AT apache DOT org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tobrien@apache.org	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	jfarcand	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jvanzyl	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Jason van Zyl	Medium
Vendor	pom	developer name	Jean-Francois Arcand	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Simone Tripodi	Medium
Vendor	pom	developer name	Tim OBrien	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Digester	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/digester/	Highest
Product	file	name	commons-digester3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	digester	Highest
Product	jar	package name	digester3	Highest
Product	jar	package name	rules	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/digester/	Low
Product	Manifest	Bundle-Name	Apache Commons Digester	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.digester	Medium
Product	Manifest	implementation-build	tags/DIGESTER3_3_2_RC2@r1212807; 2011-12-10 15:57:06+0100	Low
Product	Manifest	Implementation-Title	Apache Commons Digester	High
Product	Manifest	specification-title	Apache Commons Digester	Medium
Product	pom	artifactid	commons-digester3	Highest
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	jfarcand@apache.org	Low
Product	pom	developer email	jstrachan@apache.org	Low
Product	pom	developer email	jvanzyl@apache.org	Low
Product	pom	developer email	mbenson AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	sanders@totalsync.com	Low
Product	pom	developer email	simonetripodi AT apache DOT org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tobrien@apache.org	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	jfarcand	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jvanzyl	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Jason van Zyl	Low
Product	pom	developer name	Jean-Francois Arcand	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Simone Tripodi	Low
Product	pom	developer name	Tim OBrien	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Digester	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/digester/	Medium
Version	file	version	3.2	High
Version	Manifest	Implementation-Version	3.2	High
Version	pom	parent-version	3.2	Low
Version	pom	version	3.2	Highest

Identifiers

pkg:maven/org.apache.commons/commons-digester3@3.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons Exec is a library to reliably execute external processes from within the JVM.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-exec/1.3/commons-exec-1.3.jar
MD5: 8bb8fa2edfd60d5c7ed6bf9923d14aa8
SHA1: 8dfb9facd0830a27b1b5f29f84593f0aeee7773b
SHA256:cb49812dc1bfb0ea4f20f398bcae1a88c6406e213e67f7524fb10d4f8ad9347b
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-exec	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	exec	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-exec/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.exec	Medium
Vendor	Manifest	implementation-build	trunk@r1636211; 2014-11-02 23:51:55+0000	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-exec	Highest
Vendor	pom	artifactid	commons-exec	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer id	brett	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	sgoeschl	Medium
Vendor	pom	developer id	trygvis	Medium
Vendor	pom	developer name	Brett Porter	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Siegfried Goeschl	Medium
Vendor	pom	developer name	Trygve Laugstøl	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Exec	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-exec/	Highest
Product	file	name	commons-exec	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	exec	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-exec/	Low
Product	Manifest	Bundle-Name	Apache Commons Exec	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.exec	Medium
Product	Manifest	implementation-build	trunk@r1636211; 2014-11-02 23:51:55+0000	Low
Product	Manifest	Implementation-Title	Apache Commons Exec	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	specification-title	Apache Commons Exec	Medium
Product	pom	artifactid	commons-exec	Highest
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer id	brett	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	sgoeschl	Low
Product	pom	developer id	trygvis	Low
Product	pom	developer name	Brett Porter	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Siegfried Goeschl	Low
Product	pom	developer name	Trygve Laugstøl	Low
Product	pom	developer org	Apache	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Exec	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/proper/commons-exec/	Medium
Version	file	version	1.3	High
Version	Manifest	Implementation-Version	1.3	High
Version	pom	parent-version	1.3	Low
Version	pom	version	1.3	Highest

Identifiers

pkg:maven/org.apache.commons/commons-exec@1.3 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.3:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
    file upload functionality to servlets and web applications.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar
MD5: 0c3b924dcaaa90c3fb93fe04ae96a35e
SHA1: f95188e3d372e20e7328706c37ef366e5d7859b0
SHA256:a4ec02336f49253ea50405698b79232b8c5cbf02cb60df3a674d77a749a1def7
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-fileupload	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	fileupload	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-fileupload/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-fileupload	Medium
Vendor	Manifest	implementation-build	UNKNOWN@r047f31576411beee69cf75584ae76531cc9ac753; 2018-12-24 07:06:18+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-fileupload/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-fileupload	Highest
Vendor	pom	artifactid	commons-fileupload	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	dion@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jason@zenplex.com	Low
Vendor	pom	developer email	jmcnally@collab.net	Low
Vendor	pom	developer email	jochen.wiedmann@gmail.com	Low
Vendor	pom	developer email	martinc@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	sean \|at\| seansullivan \|dot\| com	Low
Vendor	pom	developer email	simonetripodi@apache.org	Low
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jmcnally	Medium
Vendor	pom	developer id	jochen	Medium
Vendor	pom	developer id	jvanzyl	Medium
Vendor	pom	developer id	martinc	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	sullis	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Jason van Zyl	Medium
Vendor	pom	developer name	Jochen Wiedmann	Medium
Vendor	pom	developer name	John McNally	Medium
Vendor	pom	developer name	Martin Cooper	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Sean C. Sullivan	Medium
Vendor	pom	developer name	Simone Tripodi	Medium
Vendor	pom	developer org	Adobe	Medium
Vendor	pom	developer org	CollabNet	Medium
Vendor	pom	developer org	Multitask Consulting	Medium
Vendor	pom	developer org	Yahoo!	Medium
Vendor	pom	developer org	Zenplex	Medium
Vendor	pom	groupid	commons-fileupload	Highest
Vendor	pom	name	Apache Commons FileUpload	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-fileupload/	Highest
Product	file	name	commons-fileupload	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	fileupload	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-fileupload/	Low
Product	Manifest	Bundle-Name	Apache Commons FileUpload	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-fileupload	Medium
Product	Manifest	implementation-build	UNKNOWN@r047f31576411beee69cf75584ae76531cc9ac753; 2018-12-24 07:06:18+0000	Low
Product	Manifest	Implementation-Title	Apache Commons FileUpload	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-fileupload/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons FileUpload	Medium
Product	pom	artifactid	commons-fileupload	Highest
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	dion@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jason@zenplex.com	Low
Product	pom	developer email	jmcnally@collab.net	Low
Product	pom	developer email	jochen.wiedmann@gmail.com	Low
Product	pom	developer email	martinc@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	sean \|at\| seansullivan \|dot\| com	Low
Product	pom	developer email	simonetripodi@apache.org	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jmcnally	Low
Product	pom	developer id	jochen	Low
Product	pom	developer id	jvanzyl	Low
Product	pom	developer id	martinc	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	sullis	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Jason van Zyl	Low
Product	pom	developer name	Jochen Wiedmann	Low
Product	pom	developer name	John McNally	Low
Product	pom	developer name	Martin Cooper	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Sean C. Sullivan	Low
Product	pom	developer name	Simone Tripodi	Low
Product	pom	developer org	Adobe	Low
Product	pom	developer org	CollabNet	Low
Product	pom	developer org	Multitask Consulting	Low
Product	pom	developer org	Yahoo!	Low
Product	pom	developer org	Zenplex	Low
Product	pom	groupid	commons-fileupload	Highest
Product	pom	name	Apache Commons FileUpload	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-fileupload/	Medium
Version	file	version	1.4	High
Version	Manifest	Implementation-Version	1.4	High
Version	pom	parent-version	1.4	Low
Version	pom	version	1.4	Highest

Identifiers

pkg:maven/commons-fileupload/commons-fileupload@1.4 (Confidence:High)
cpe:2.3:a:apache:commons_fileupload:1.4:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The HttpClient  component supports the client-side of RFC 1945 (HTTP/1.0)  and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0

File Path: /home/grprdist/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile
Grouper WS Manual Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-httpclient	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	httpclient	Highest
Vendor	jar	package name	methods	Highest
Vendor	manifest: org/apache/commons/httpclient	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	commons-httpclient	Highest
Vendor	pom	artifactid	commons-httpclient	Low
Vendor	pom	developer email	adrian.sutton -at- ephox.com	Low
Vendor	pom	developer email	dion -at- apache.org	Low
Vendor	pom	developer email	jericho -at- apache.org	Low
Vendor	pom	developer email	jsdever -at- apache.org	Low
Vendor	pom	developer email	mbecke -at- apache.org	Low
Vendor	pom	developer email	oglueck -at- apache.org	Low
Vendor	pom	developer email	olegk -at- apache.org	Low
Vendor	pom	developer email	rwaldhoff -at- apache	Low
Vendor	pom	developer email	sullis -at- apache.org	Low
Vendor	pom	developer id	adrian	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	jericho	Medium
Vendor	pom	developer id	jsdever	Medium
Vendor	pom	developer id	mbecke	Medium
Vendor	pom	developer id	oglueck	Medium
Vendor	pom	developer id	olegk	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sullis	Medium
Vendor	pom	developer name	Adrian Sutton	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Jeff Dever	Medium
Vendor	pom	developer name	Michael Becke	Medium
Vendor	pom	developer name	Oleg Kalnichevski	Medium
Vendor	pom	developer name	Ortwin Glueck	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Sean C. Sullivan	Medium
Vendor	pom	developer name	Sung-Gu	Medium
Vendor	pom	developer org	Britannica	Medium
Vendor	pom	developer org	Independent consultant	Medium
Vendor	pom	developer org	Intencha	Medium
Vendor	pom	developer org	Multitask Consulting	Medium
Vendor	pom	groupid	commons-httpclient	Highest
Vendor	pom	name	HttpClient	High
Vendor	pom	organization name	Apache Software Foundation	High
Vendor	pom	organization url	http://jakarta.apache.org/	Medium
Vendor	pom	url	http://jakarta.apache.org/httpcomponents/httpclient-3.x/	Highest
Product	file	name	commons-httpclient	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	httpclient	Highest
Product	jar	package name	methods	Highest
Product	manifest: org/apache/commons/httpclient	Implementation-Title	org.apache.commons.httpclient	Medium
Product	manifest: org/apache/commons/httpclient	Specification-Title	Jakarta Commons HttpClient	Medium
Product	pom	artifactid	commons-httpclient	Highest
Product	pom	developer email	adrian.sutton -at- ephox.com	Low
Product	pom	developer email	dion -at- apache.org	Low
Product	pom	developer email	jericho -at- apache.org	Low
Product	pom	developer email	jsdever -at- apache.org	Low
Product	pom	developer email	mbecke -at- apache.org	Low
Product	pom	developer email	oglueck -at- apache.org	Low
Product	pom	developer email	olegk -at- apache.org	Low
Product	pom	developer email	rwaldhoff -at- apache	Low
Product	pom	developer email	sullis -at- apache.org	Low
Product	pom	developer id	adrian	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	jericho	Low
Product	pom	developer id	jsdever	Low
Product	pom	developer id	mbecke	Low
Product	pom	developer id	oglueck	Low
Product	pom	developer id	olegk	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sullis	Low
Product	pom	developer name	Adrian Sutton	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Jeff Dever	Low
Product	pom	developer name	Michael Becke	Low
Product	pom	developer name	Oleg Kalnichevski	Low
Product	pom	developer name	Ortwin Glueck	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Sean C. Sullivan	Low
Product	pom	developer name	Sung-Gu	Low
Product	pom	developer org	Britannica	Low
Product	pom	developer org	Independent consultant	Low
Product	pom	developer org	Intencha	Low
Product	pom	developer org	Multitask Consulting	Low
Product	pom	groupid	commons-httpclient	Highest
Product	pom	name	HttpClient	High
Product	pom	organization name	Apache Software Foundation	Low
Product	pom	organization url	http://jakarta.apache.org/	Low
Product	pom	url	http://jakarta.apache.org/httpcomponents/httpclient-3.x/	Medium
Version	file	version	3.1	High
Version	manifest: org/apache/commons/httpclient	Implementation-Version	3.1	Medium
Version	pom	version	3.1	Highest

Identifiers

pkg:maven/commons-httpclient/commons-httpclient@3.1 (Confidence:High)
cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:3.1:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

CVE-2012-5783

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-295 Improper Certificate Validation

CVSSv2:

Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

BID - 58073
CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1265
MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
OSSINDEX - [CVE-2012-5783] CWE-295: Improper Certificate Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
OSSIndex - https://exchange.xforce.ibmcloud.com/#/vulnerabilities/79984
OSSIndex - https://issues.apache.org/jira/browse/HTTPCLIENT-613
OSSIndex - https://rhn.redhat.com/errata/RHSA-2013-0681.html
REDHAT - RHSA-2013:0270
REDHAT - RHSA-2013:0679
REDHAT - RHSA-2013:0680
REDHAT - RHSA-2013:0681
REDHAT - RHSA-2013:0682
REDHAT - RHSA-2013:1147
REDHAT - RHSA-2013:1853
REDHAT - RHSA-2014:0224
REDHAT - RHSA-2017:0868
SUSE - openSUSE-SU-2013:0354
SUSE - openSUSE-SU-2013:0622
SUSE - openSUSE-SU-2013:0623
SUSE - openSUSE-SU-2013:0638
UBUNTU - USN-2769-1
XF - apache-commons-ssl-spoofing(79984)

Vulnerable Software & Versions:

cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*

CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar
MD5: 3b4b7ccfaeceeac240b804839ee1a1ca
SHA1: a2503f302b11ebde7ebc3df41daebe0e4eea3689
SHA256:961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-io	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	file	Highest
Vendor	jar	package name	io	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.io	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-io/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-io	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-io	Highest
Vendor	pom	artifactid	commons-io	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	dion@apache.org	Low
Vendor	pom	developer email	ggregory at apache.org	Low
Vendor	pom	developer email	jeremias@apache.org	Low
Vendor	pom	developer email	jochen.wiedmann@gmail.com	Low
Vendor	pom	developer email	krosenvold@apache.org	Low
Vendor	pom	developer email	martinc@apache.org	Low
Vendor	pom	developer email	matth@apache.org	Low
Vendor	pom	developer email	nicolaken@apache.org	Low
Vendor	pom	developer email	roxspring@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jeremias	Medium
Vendor	pom	developer id	jochen	Medium
Vendor	pom	developer id	jukka	Medium
Vendor	pom	developer id	krosenvold	Medium
Vendor	pom	developer id	martinc	Medium
Vendor	pom	developer id	matth	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	nicolaken	Medium
Vendor	pom	developer id	roxspring	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	Jeremias Maerki	Medium
Vendor	pom	developer name	Jochen Wiedmann	Medium
Vendor	pom	developer name	Jukka Zitting	Medium
Vendor	pom	developer name	Kristian Rosenvold	Medium
Vendor	pom	developer name	Martin Cooper	Medium
Vendor	pom	developer name	Matthew Hawthorne	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Nicola Ken Barozzi	Medium
Vendor	pom	developer name	Rob Oxspring	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	developer org URL	https://www.apache.org/	Medium
Vendor	pom	groupid	commons-io	Highest
Vendor	pom	name	Apache Commons IO	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	https://commons.apache.org/proper/commons-io/	Highest
Product	file	name	commons-io	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	file	Highest
Product	jar	package name	io	Highest
Product	Manifest	automatic-module-name	org.apache.commons.io	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-io/	Low
Product	Manifest	Bundle-Name	Apache Commons IO	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-io	Medium
Product	Manifest	Implementation-Title	Apache Commons IO	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons IO	Medium
Product	pom	artifactid	commons-io	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	dion@apache.org	Low
Product	pom	developer email	ggregory at apache.org	Low
Product	pom	developer email	jeremias@apache.org	Low
Product	pom	developer email	jochen.wiedmann@gmail.com	Low
Product	pom	developer email	krosenvold@apache.org	Low
Product	pom	developer email	martinc@apache.org	Low
Product	pom	developer email	matth@apache.org	Low
Product	pom	developer email	nicolaken@apache.org	Low
Product	pom	developer email	roxspring@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jeremias	Low
Product	pom	developer id	jochen	Low
Product	pom	developer id	jukka	Low
Product	pom	developer id	krosenvold	Low
Product	pom	developer id	martinc	Low
Product	pom	developer id	matth	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	nicolaken	Low
Product	pom	developer id	roxspring	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	Jeremias Maerki	Low
Product	pom	developer name	Jochen Wiedmann	Low
Product	pom	developer name	Jukka Zitting	Low
Product	pom	developer name	Kristian Rosenvold	Low
Product	pom	developer name	Martin Cooper	Low
Product	pom	developer name	Matthew Hawthorne	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Nicola Ken Barozzi	Low
Product	pom	developer name	Rob Oxspring	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	developer org URL	https://www.apache.org/	Low
Product	pom	groupid	commons-io	Highest
Product	pom	name	Apache Commons IO	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	https://commons.apache.org/proper/commons-io/	Medium
Version	file	version	2.11.0	High
Version	Manifest	Bundle-Version	2.11.0	High
Version	Manifest	Implementation-Version	2.11.0	High
Version	pom	parent-version	2.11.0	Low
Version	pom	version	2.11.0	Highest

Identifiers

pkg:maven/commons-io/commons-io@2.11.0 (Confidence:High)
cpe:2.3:a:apache:commons_io:2.11.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_net:2.11.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Common classes to make creating REST services more consistent.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/edu/psu/swe/commons/commons-jaxrs/1.30/commons-jaxrs-1.30.jar
MD5: 28ddd7d7e6076992b76b74847bc449b0
SHA1: 808318f583518b6e4f0caef590cd77a6faa42b3f
SHA256:0dc28a13f8b9e8e5544dc64085c299dbc2309c63e8158c1103f62f3bfb245cb2
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-jaxrs	High
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	edu	Highest
Vendor	jar	package name	edu	Low
Vendor	jar	package name	psu	Highest
Vendor	jar	package name	psu	Low
Vendor	jar	package name	swe	Highest
Vendor	jar	package name	swe	Low
Vendor	pom	artifactid	commons-jaxrs	Highest
Vendor	pom	artifactid	commons-jaxrs	Low
Vendor	pom	developer email	bhoman@psu.edu	Low
Vendor	pom	developer email	crh5255@psu.edu	Low
Vendor	pom	developer email	mat21@psu.edu	Low
Vendor	pom	developer email	nur1@psu.edu	Low
Vendor	pom	developer email	ses44@psu.edu	Low
Vendor	pom	developer email	smoyer@psu.edu	Low
Vendor	pom	developer id	bhoman127	Medium
Vendor	pom	developer id	chrisharm	Medium
Vendor	pom	developer id	mat328	Medium
Vendor	pom	developer id	nur1	Medium
Vendor	pom	developer id	smoyer64	Medium
Vendor	pom	developer id	ussmith	Medium
Vendor	pom	developer name	Ben Homan	Medium
Vendor	pom	developer name	Christopher Harm	Medium
Vendor	pom	developer name	Matt Teeter	Medium
Vendor	pom	developer name	Niraja Ramesh	Medium
Vendor	pom	developer name	Shawn Smith	Medium
Vendor	pom	developer name	Steve Moyer	Medium
Vendor	pom	developer org	The Pennsylvania State University	Medium
Vendor	pom	developer org URL	https://www.psu.edu	Medium
Vendor	pom	groupid	edu.psu.swe.commons	Highest
Vendor	pom	name	Common JAXRS Libraries	High
Vendor	pom	url	PennState/commons-jaxrs	Highest
Product	file	name	commons-jaxrs	High
Product	jar	package name	commons	Highest
Product	jar	package name	commons	Low
Product	jar	package name	edu	Highest
Product	jar	package name	psu	Highest
Product	jar	package name	psu	Low
Product	jar	package name	swe	Highest
Product	jar	package name	swe	Low
Product	pom	artifactid	commons-jaxrs	Highest
Product	pom	developer email	bhoman@psu.edu	Low
Product	pom	developer email	crh5255@psu.edu	Low
Product	pom	developer email	mat21@psu.edu	Low
Product	pom	developer email	nur1@psu.edu	Low
Product	pom	developer email	ses44@psu.edu	Low
Product	pom	developer email	smoyer@psu.edu	Low
Product	pom	developer id	bhoman127	Low
Product	pom	developer id	chrisharm	Low
Product	pom	developer id	mat328	Low
Product	pom	developer id	nur1	Low
Product	pom	developer id	smoyer64	Low
Product	pom	developer id	ussmith	Low
Product	pom	developer name	Ben Homan	Low
Product	pom	developer name	Christopher Harm	Low
Product	pom	developer name	Matt Teeter	Low
Product	pom	developer name	Niraja Ramesh	Low
Product	pom	developer name	Shawn Smith	Low
Product	pom	developer name	Steve Moyer	Low
Product	pom	developer org	The Pennsylvania State University	Low
Product	pom	developer org URL	https://www.psu.edu	Low
Product	pom	groupid	edu.psu.swe.commons	Highest
Product	pom	name	Common JAXRS Libraries	High
Product	pom	url	PennState/commons-jaxrs	High
Version	file	version	1.30	High
Version	pom	version	1.30	Highest

Identifiers

pkg:maven/edu.psu.swe.commons/commons-jaxrs@1.30 (Confidence:High)

Description:

The Commons Jexl library is an implementation of the JSTL Expression Language with extensions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-jexl/2.1.1/commons-jexl-2.1.1.jar
MD5: 4ad8f5c161dd3a50e190334555675db9
SHA1: 6ecc181debade00230aa1e17666c4ea0371beaaa
SHA256:03c9a9fae5da78ce52c0bf24467cc37355b7e23196dff4839e2c0ff018a01306
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-jexl	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	expression	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Vendor	Manifest	implementation-build	COMMONS_JEXL_2_1_1-RC1@r1220732; 2011-12-19 14:53:11+0000	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-jexl	Highest
Vendor	pom	artifactid	commons-jexl	Low
Vendor	pom	developer email	dion AT apache DOT org	Low
Vendor	pom	developer email	geirm AT apache DOT org	Low
Vendor	pom	developer email	henrib AT apache DOT org	Low
Vendor	pom	developer email	jstrachan AT apache DOT org	Low
Vendor	pom	developer email	proyal AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	sebb AT apache DOT org	Low
Vendor	pom	developer email	tobrien AT apache DOT org	Low
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	henrib	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	proyal	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	Henri Biestro	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Peter Royal	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org	independent	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Commons JEXL	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/jexl/	Highest
Product	file	name	commons-jexl	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	expression	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Product	Manifest	Bundle-Name	Commons JEXL	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Product	Manifest	implementation-build	COMMONS_JEXL_2_1_1-RC1@r1220732; 2011-12-19 14:53:11+0000	Low
Product	Manifest	Implementation-Title	Commons JEXL	High
Product	Manifest	specification-title	Commons JEXL	Medium
Product	pom	artifactid	commons-jexl	Highest
Product	pom	developer email	dion AT apache DOT org	Low
Product	pom	developer email	geirm AT apache DOT org	Low
Product	pom	developer email	henrib AT apache DOT org	Low
Product	pom	developer email	jstrachan AT apache DOT org	Low
Product	pom	developer email	proyal AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	sebb AT apache DOT org	Low
Product	pom	developer email	tobrien AT apache DOT org	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	henrib	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	proyal	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	Henri Biestro	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Peter Royal	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org	independent	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Commons JEXL	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/jexl/	Medium
Version	file	version	2.1.1	High
Version	Manifest	Bundle-Version	2.1.1	High
Version	Manifest	Implementation-Version	2.1.1	High
Version	pom	parent-version	2.1.1	Low
Version	pom	version	2.1.1	Highest

Identifiers

pkg:maven/org.apache.commons/commons-jexl@2.1.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.1.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Apache Commons JEXL library is an implementation of the JSTL Expression Language with extensions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-jexl3/3.0/commons-jexl3-3.0.jar
MD5: 81041b5b058a2ccff0046386bc7e23f8
SHA1: 75aba6fe6659500bc7fcd420adca9c04ec9a379a
SHA256:79b0aecbe5d851ccf919ba3f5ec3ee333e011f46a24713cb2099e3968a5b9884
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-jexl3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	jexl3	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Vendor	Manifest	implementation-build	tags/COMMONS_JEXL_3_0-RC2@r1720787; 2015-12-18 14:09:43+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/jexl/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-jexl3	Highest
Vendor	pom	artifactid	commons-jexl3	Low
Vendor	pom	developer email	dion AT apache DOT org	Low
Vendor	pom	developer email	geirm AT apache DOT org	Low
Vendor	pom	developer email	henrib AT apache DOT org	Low
Vendor	pom	developer email	jstrachan AT apache DOT org	Low
Vendor	pom	developer email	proyal AT apache DOT org	Low
Vendor	pom	developer email	rahul AT apache DOT org	Low
Vendor	pom	developer email	sebb AT apache DOT org	Low
Vendor	pom	developer email	tobrien AT apache DOT org	Low
Vendor	pom	developer id	dion	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	henrib	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	proyal	Medium
Vendor	pom	developer id	rahul	Medium
Vendor	pom	developer id	sebb	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	dIon Gillard	Medium
Vendor	pom	developer name	Geir Magnusson Jr.	Medium
Vendor	pom	developer name	Henri Biestro	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Peter Royal	Medium
Vendor	pom	developer name	Rahul Akolkar	Medium
Vendor	pom	developer name	Sebastian Bazley	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	developer org	independent	Medium
Vendor	pom	developer org	SpiritSoft, Inc.	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons JEXL	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/jexl/	Highest
Product	file	name	commons-jexl3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	jexl3	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/jexl/	Low
Product	Manifest	Bundle-Name	Apache Commons JEXL	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.jexl	Medium
Product	Manifest	implementation-build	tags/COMMONS_JEXL_3_0-RC2@r1720787; 2015-12-18 14:09:43+0000	Low
Product	Manifest	Implementation-Title	Apache Commons JEXL	High
Product	Manifest	implementation-url	http://commons.apache.org/jexl/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons JEXL	Medium
Product	pom	artifactid	commons-jexl3	Highest
Product	pom	developer email	dion AT apache DOT org	Low
Product	pom	developer email	geirm AT apache DOT org	Low
Product	pom	developer email	henrib AT apache DOT org	Low
Product	pom	developer email	jstrachan AT apache DOT org	Low
Product	pom	developer email	proyal AT apache DOT org	Low
Product	pom	developer email	rahul AT apache DOT org	Low
Product	pom	developer email	sebb AT apache DOT org	Low
Product	pom	developer email	tobrien AT apache DOT org	Low
Product	pom	developer id	dion	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	henrib	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	proyal	Low
Product	pom	developer id	rahul	Low
Product	pom	developer id	sebb	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	dIon Gillard	Low
Product	pom	developer name	Geir Magnusson Jr.	Low
Product	pom	developer name	Henri Biestro	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Peter Royal	Low
Product	pom	developer name	Rahul Akolkar	Low
Product	pom	developer name	Sebastian Bazley	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	developer org	independent	Low
Product	pom	developer org	SpiritSoft, Inc.	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons JEXL	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/jexl/	Medium
Version	file	version	3.0	High
Version	Manifest	Implementation-Version	3.0	High
Version	pom	parent-version	3.0	Low
Version	pom	version	3.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-jexl3@3.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

        Commons Lang, a package of Java utility classes for the
        classes that are in java.lang's hierarchy, or are considered to be so
        standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-lang	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	lang	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/lang/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-lang	Highest
Vendor	pom	artifactid	commons-lang	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@seagullsw.com	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	oheger@apache.org	Low
Vendor	pom	developer email	pbenedict@apache.org	Low
Vendor	pom	developer email	phil@steitz.com	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	scolebourne@joda.org	Low
Vendor	pom	developer email	stevencaswell@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	fredrik	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	oheger	Medium
Vendor	pom	developer id	pbenedict	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	scaswell	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	Fredrik Westermarck	Medium
Vendor	pom	developer name	Gary D. Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Joerg Schaible	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Oliver Heger	Medium
Vendor	pom	developer name	Paul Benedict	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Steven Caswell	Medium
Vendor	pom	developer org	Carman Consulting, Inc.	Medium
Vendor	pom	developer org	CollabNet, Inc.	Medium
Vendor	pom	developer org	Seagull Software	Medium
Vendor	pom	developer org	SITA ATS Ltd	Medium
Vendor	pom	groupid	commons-lang	Highest
Vendor	pom	name	Commons Lang	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/lang/	Highest
Product	file	name	commons-lang	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	lang	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/lang/	Low
Product	Manifest	Bundle-Name	Commons Lang	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.lang	Medium
Product	Manifest	Implementation-Title	Commons Lang	High
Product	Manifest	specification-title	Commons Lang	Medium
Product	pom	artifactid	commons-lang	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@seagullsw.com	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	oheger@apache.org	Low
Product	pom	developer email	pbenedict@apache.org	Low
Product	pom	developer email	phil@steitz.com	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	scolebourne@joda.org	Low
Product	pom	developer email	stevencaswell@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	fredrik	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	oheger	Low
Product	pom	developer id	pbenedict	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	scaswell	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	Fredrik Westermarck	Low
Product	pom	developer name	Gary D. Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Joerg Schaible	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Oliver Heger	Low
Product	pom	developer name	Paul Benedict	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Steven Caswell	Low
Product	pom	developer org	Carman Consulting, Inc.	Low
Product	pom	developer org	CollabNet, Inc.	Low
Product	pom	developer org	Seagull Software	Low
Product	pom	developer org	SITA ATS Ltd	Low
Product	pom	groupid	commons-lang	Highest
Product	pom	name	Commons Lang	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/lang/	Medium
Version	file	version	2.6	High
Version	Manifest	Bundle-Version	2.6	High
Version	Manifest	Implementation-Version	2.6	High
Version	pom	parent-version	2.6	Low
Version	pom	version	2.6	Highest

Identifiers

pkg:maven/commons-lang/commons-lang@2.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
MD5: 19fe50567358922bdad277959ea69545
SHA1: c6842c86792ff03b9f1d1fe2aab8dc23aa6c6f0e
SHA256:d919d904486c037f8d193412da0c92e22a9fa24230b9d67a57855c5c31c7e94e
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-lang3	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	lang3	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-lang/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-lang3	Highest
Vendor	pom	artifactid	commons-lang3	Low
Vendor	pom	developer email	bayard@apache.org	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	djones@apache.org	Low
Vendor	pom	developer email	dlr@finemaltcoding.com	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	jcarman@apache.org	Low
Vendor	pom	developer email	joerg.schaible@gmx.de	Low
Vendor	pom	developer email	lguibert@apache.org	Low
Vendor	pom	developer email	oheger@apache.org	Low
Vendor	pom	developer email	pbenedict@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	scolebourne@joda.org	Low
Vendor	pom	developer email	stevencaswell@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	djones	Medium
Vendor	pom	developer id	dlr	Medium
Vendor	pom	developer id	fredrik	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	jcarman	Medium
Vendor	pom	developer id	joehni	Medium
Vendor	pom	developer id	lguibert	Medium
Vendor	pom	developer id	mbenson	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	oheger	Medium
Vendor	pom	developer id	pbenedict	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	scaswell	Medium
Vendor	pom	developer id	scolebourne	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Daniel Rall	Medium
Vendor	pom	developer name	Duncan Jones	Medium
Vendor	pom	developer name	Fredrik Westermarck	Medium
Vendor	pom	developer name	Gary D. Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Carman	Medium
Vendor	pom	developer name	Joerg Schaible	Medium
Vendor	pom	developer name	Loic Guibert	Medium
Vendor	pom	developer name	Matt Benson	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Oliver Heger	Medium
Vendor	pom	developer name	Paul Benedict	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	developer name	Steven Caswell	Medium
Vendor	pom	developer org	Carman Consulting, Inc.	Medium
Vendor	pom	developer org	CollabNet, Inc.	Medium
Vendor	pom	developer org	SITA ATS Ltd	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Lang	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	https://commons.apache.org/proper/commons-lang/	Highest
Product	file	name	commons-lang3	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	lang3	Highest
Product	Manifest	automatic-module-name	org.apache.commons.lang3	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-lang/	Low
Product	Manifest	Bundle-Name	Apache Commons Lang	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Product	Manifest	Implementation-Title	Apache Commons Lang	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons Lang	Medium
Product	pom	artifactid	commons-lang3	Highest
Product	pom	developer email	bayard@apache.org	Low
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	djones@apache.org	Low
Product	pom	developer email	dlr@finemaltcoding.com	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	jcarman@apache.org	Low
Product	pom	developer email	joerg.schaible@gmx.de	Low
Product	pom	developer email	lguibert@apache.org	Low
Product	pom	developer email	oheger@apache.org	Low
Product	pom	developer email	pbenedict@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	scolebourne@joda.org	Low
Product	pom	developer email	stevencaswell@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	djones	Low
Product	pom	developer id	dlr	Low
Product	pom	developer id	fredrik	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	jcarman	Low
Product	pom	developer id	joehni	Low
Product	pom	developer id	lguibert	Low
Product	pom	developer id	mbenson	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	oheger	Low
Product	pom	developer id	pbenedict	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	scaswell	Low
Product	pom	developer id	scolebourne	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Daniel Rall	Low
Product	pom	developer name	Duncan Jones	Low
Product	pom	developer name	Fredrik Westermarck	Low
Product	pom	developer name	Gary D. Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Carman	Low
Product	pom	developer name	Joerg Schaible	Low
Product	pom	developer name	Loic Guibert	Low
Product	pom	developer name	Matt Benson	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Oliver Heger	Low
Product	pom	developer name	Paul Benedict	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	developer name	Steven Caswell	Low
Product	pom	developer org	Carman Consulting, Inc.	Low
Product	pom	developer org	CollabNet, Inc.	Low
Product	pom	developer org	SITA ATS Ltd	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Lang	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	https://commons.apache.org/proper/commons-lang/	Medium
Version	file	version	3.12.0	High
Version	Manifest	Bundle-Version	3.12.0	High
Version	Manifest	Implementation-Version	3.12.0	High
Version	pom	parent-version	3.12.0	Low
Version	pom	version	3.12.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-lang3@3.12.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.12.0:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile
Grouper WS Manual Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-logging	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	logging	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Vendor	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-logging	Highest
Vendor	pom	artifactid	commons-logging	Low
Vendor	pom	developer email	baliuka@apache.org	Low
Vendor	pom	developer email	costin@apache.org	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dennisl@apache.org	Low
Vendor	pom	developer email	donaldp@apache.org	Low
Vendor	pom	developer email	morgand@apache.org	Low
Vendor	pom	developer email	rdonkin@apache.org	Low
Vendor	pom	developer email	rsitze@apache.org	Low
Vendor	pom	developer email	rwaldhoff@apache.org	Low
Vendor	pom	developer email	sanders@apache.org	Low
Vendor	pom	developer email	skitching@apache.org	Low
Vendor	pom	developer email	tn@apache.org	Low
Vendor	pom	developer id	baliuka	Medium
Vendor	pom	developer id	bstansberry	Medium
Vendor	pom	developer id	costin	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dennisl	Medium
Vendor	pom	developer id	donaldp	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rsitze	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sanders	Medium
Vendor	pom	developer id	skitching	Medium
Vendor	pom	developer id	tn	Medium
Vendor	pom	developer name	Brian Stansberry	Medium
Vendor	pom	developer name	Costin Manolache	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	Dennis Lundberg	Medium
Vendor	pom	developer name	Juozas Baliuka	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Peter Donald	Medium
Vendor	pom	developer name	Richard Sitze	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer name	Simon Kitching	Medium
Vendor	pom	developer name	Thomas Neidhart	Medium
Vendor	pom	developer org	Apache	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	groupid	commons-logging	Highest
Vendor	pom	name	Apache Commons Logging	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-logging/	Highest
Product	file	name	commons-logging	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	logging	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-logging/	Low
Product	Manifest	Bundle-Name	Apache Commons Logging	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.logging	Medium
Product	Manifest	implementation-build	tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200	Low
Product	Manifest	Implementation-Title	Apache Commons Logging	High
Product	Manifest	specification-title	Apache Commons Logging	Medium
Product	pom	artifactid	commons-logging	Highest
Product	pom	developer email	baliuka@apache.org	Low
Product	pom	developer email	costin@apache.org	Low
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dennisl@apache.org	Low
Product	pom	developer email	donaldp@apache.org	Low
Product	pom	developer email	morgand@apache.org	Low
Product	pom	developer email	rdonkin@apache.org	Low
Product	pom	developer email	rsitze@apache.org	Low
Product	pom	developer email	rwaldhoff@apache.org	Low
Product	pom	developer email	sanders@apache.org	Low
Product	pom	developer email	skitching@apache.org	Low
Product	pom	developer email	tn@apache.org	Low
Product	pom	developer id	baliuka	Low
Product	pom	developer id	bstansberry	Low
Product	pom	developer id	costin	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dennisl	Low
Product	pom	developer id	donaldp	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rsitze	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sanders	Low
Product	pom	developer id	skitching	Low
Product	pom	developer id	tn	Low
Product	pom	developer name	Brian Stansberry	Low
Product	pom	developer name	Costin Manolache	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	Dennis Lundberg	Low
Product	pom	developer name	Juozas Baliuka	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Peter Donald	Low
Product	pom	developer name	Richard Sitze	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer name	Simon Kitching	Low
Product	pom	developer name	Thomas Neidhart	Low
Product	pom	developer org	Apache	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	groupid	commons-logging	Highest
Product	pom	name	Apache Commons Logging	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-logging/	Medium
Version	file	version	1.2	High
Version	Manifest	Implementation-Version	1.2	High
Version	pom	parent-version	1.2	Low
Version	pom	version	1.2	Highest

Identifiers

pkg:maven/commons-logging/commons-logging@1.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-math/commons-math/1.2/commons-math-1.2.jar
MD5: 5d3ce091a67e863549de4493e19df069
SHA1: 3955b41fe9f3c0469bd873331940674812d09bd2
SHA256:429ad6e1a650bc924a3e26fafc8ef703147375d8dd6d02b710c655071cc82270
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-math	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	math	Highest
Vendor	Manifest	bundle-symbolicname	org.apache.commons.math	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-math	Highest
Vendor	pom	artifactid	commons-math	Low
Vendor	pom	developer email	achou at apache dot org	Low
Vendor	pom	developer email	brentworden at apache dot org	Low
Vendor	pom	developer email	j3322ptm at yahoo dot de	Low
Vendor	pom	developer email	luc at apache dot org	Low
Vendor	pom	developer email	mdiggory at apache dot org	Low
Vendor	pom	developer email	psteitz at apache dot org	Low
Vendor	pom	developer email	rdonkin at apache dot org	Low
Vendor	pom	developer email	tobrien at apache dot org	Low
Vendor	pom	developer id	achou	Medium
Vendor	pom	developer id	brentworden	Medium
Vendor	pom	developer id	luc	Medium
Vendor	pom	developer id	mdiggory	Medium
Vendor	pom	developer id	pietsch	Medium
Vendor	pom	developer id	psteitz	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	tobrien	Medium
Vendor	pom	developer name	Albert Davidson Chou	Medium
Vendor	pom	developer name	Brent Worden	Medium
Vendor	pom	developer name	J. Pietschmann	Medium
Vendor	pom	developer name	Luc Maisonobe	Medium
Vendor	pom	developer name	Mark Diggory	Medium
Vendor	pom	developer name	Phil Steitz	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Tim O'Brien	Medium
Vendor	pom	groupid	commons-math	Highest
Vendor	pom	name	Commons Math	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/math/	Highest
Product	file	name	commons-math	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	math	Highest
Product	Manifest	Bundle-Name	Apache Commons Math Bundle	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.math	Medium
Product	Manifest	Implementation-Title	Commons Math	High
Product	Manifest	specification-title	Commons Math	Medium
Product	pom	artifactid	commons-math	Highest
Product	pom	developer email	achou at apache dot org	Low
Product	pom	developer email	brentworden at apache dot org	Low
Product	pom	developer email	j3322ptm at yahoo dot de	Low
Product	pom	developer email	luc at apache dot org	Low
Product	pom	developer email	mdiggory at apache dot org	Low
Product	pom	developer email	psteitz at apache dot org	Low
Product	pom	developer email	rdonkin at apache dot org	Low
Product	pom	developer email	tobrien at apache dot org	Low
Product	pom	developer id	achou	Low
Product	pom	developer id	brentworden	Low
Product	pom	developer id	luc	Low
Product	pom	developer id	mdiggory	Low
Product	pom	developer id	pietsch	Low
Product	pom	developer id	psteitz	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	tobrien	Low
Product	pom	developer name	Albert Davidson Chou	Low
Product	pom	developer name	Brent Worden	Low
Product	pom	developer name	J. Pietschmann	Low
Product	pom	developer name	Luc Maisonobe	Low
Product	pom	developer name	Mark Diggory	Low
Product	pom	developer name	Phil Steitz	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Tim O'Brien	Low
Product	pom	groupid	commons-math	Highest
Product	pom	name	Commons Math	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/math/	Medium
Version	file	version	1.2	High
Version	Manifest	Bundle-Version	1.2	High
Version	Manifest	Implementation-Version	1.2	High
Version	pom	parent-version	1.2	Low
Version	pom	version	1.2	Highest

Identifiers

pkg:maven/commons-math/commons-math@1.2 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-net/commons-net/3.6/commons-net-3.6.jar
MD5: b46661b01cc7aeec501f1cd3775509f1
SHA1: b71de00508dcb078d2b24b5fa7e538636de9b3da
SHA256:d3b3866c61a47ba3bf040ab98e60c3010d027da0e7a99e1755e407dd47bc2702
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-net	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	echo	Highest
Vendor	jar	package name	finger	Highest
Vendor	jar	package name	ftp	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	nntp	Highest
Vendor	jar	package name	pop3	Highest
Vendor	jar	package name	smtp	Highest
Vendor	jar	package name	telnet	Highest
Vendor	jar	package name	whois	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-net/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.net	Medium
Vendor	Manifest	implementation-build	tags/NET_3_6_RC1@r1782607; 2017-02-11 15:16:26+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-net/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-net	Highest
Vendor	pom	artifactid	commons-net	Low
Vendor	pom	developer email	bruno.davanzo@hp.com	Low
Vendor	pom	developer email	dfs@apache.org	Low
Vendor	pom	developer email	Jeff.Brekke@qg.com	Low
Vendor	pom	developer email	rwinston@apache.org	Low
Vendor	pom	developer email	rwinston@checkfree.com	Low
Vendor	pom	developer email	scohen@apache.org	Low
Vendor	pom	developer id	brekke	Medium
Vendor	pom	developer id	brudav	Medium
Vendor	pom	developer id	dfs	Medium
Vendor	pom	developer id	rwinston	Medium
Vendor	pom	developer id	scohen	Medium
Vendor	pom	developer name	Bruno D'Avanzo	Medium
Vendor	pom	developer name	Daniel F. Savarese	Medium
Vendor	pom	developer name	Jeffrey D. Brekke	Medium
Vendor	pom	developer name	Rory Winston	Medium
Vendor	pom	developer name	Steve Cohen	Medium
Vendor	pom	developer org	<a href="http://www.savarese.com/">Savarese Software Research</a>	Medium
Vendor	pom	developer org	Hewlett-Packard	Medium
Vendor	pom	developer org	javactivity.org	Medium
Vendor	pom	developer org	Quad/Graphics, Inc.	Medium
Vendor	pom	groupid	commons-net	Highest
Vendor	pom	name	Apache Commons Net	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-net/	Highest
Product	file	name	commons-net	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	echo	Highest
Product	jar	package name	finger	Highest
Product	jar	package name	ftp	Highest
Product	jar	package name	net	Highest
Product	jar	package name	nntp	Highest
Product	jar	package name	pop3	Highest
Product	jar	package name	smtp	Highest
Product	jar	package name	telnet	Highest
Product	jar	package name	whois	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-net/	Low
Product	Manifest	Bundle-Name	Apache Commons Net	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.net	Medium
Product	Manifest	implementation-build	tags/NET_3_6_RC1@r1782607; 2017-02-11 15:16:26+0000	Low
Product	Manifest	Implementation-Title	Apache Commons Net	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-net/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons Net	Medium
Product	pom	artifactid	commons-net	Highest
Product	pom	developer email	bruno.davanzo@hp.com	Low
Product	pom	developer email	dfs@apache.org	Low
Product	pom	developer email	Jeff.Brekke@qg.com	Low
Product	pom	developer email	rwinston@apache.org	Low
Product	pom	developer email	rwinston@checkfree.com	Low
Product	pom	developer email	scohen@apache.org	Low
Product	pom	developer id	brekke	Low
Product	pom	developer id	brudav	Low
Product	pom	developer id	dfs	Low
Product	pom	developer id	rwinston	Low
Product	pom	developer id	scohen	Low
Product	pom	developer name	Bruno D'Avanzo	Low
Product	pom	developer name	Daniel F. Savarese	Low
Product	pom	developer name	Jeffrey D. Brekke	Low
Product	pom	developer name	Rory Winston	Low
Product	pom	developer name	Steve Cohen	Low
Product	pom	developer org	<a href="http://www.savarese.com/">Savarese Software Research</a>	Low
Product	pom	developer org	Hewlett-Packard	Low
Product	pom	developer org	javactivity.org	Low
Product	pom	developer org	Quad/Graphics, Inc.	Low
Product	pom	groupid	commons-net	Highest
Product	pom	name	Apache Commons Net	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-net/	Medium
Version	file	version	3.6	High
Version	Manifest	Implementation-Version	3.6	High
Version	pom	parent-version	3.6	Low
Version	pom	version	3.6	Highest

Identifiers

pkg:maven/commons-net/commons-net@3.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

CONFIRM - N/A
DEBIAN - DSA-5307
MLIST - [debian-lts-announce] 20221229 [SECURITY] [DLA 3251-1] libcommons-net-java security update
MLIST - [oss-security] 20221203 CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default
OSSINDEX - [CVE-2021-37533] CWE-20: Improper Input Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37533
OSSIndex - http://www.openwall.com/lists/oss-security/2022/12/03/1
OSSIndex - https://issues.apache.org/jira/browse/NET-711
OSSIndex - https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
SHA256:46c42b4a38dc6b2db53a9ee5c92c63db103665d56694e2cfce2c95d51a6860cc
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-pool	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	pool	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/pool/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.pool	Medium
Vendor	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2012-01-04 10:31:47-0500	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-pool	Highest
Vendor	pom	artifactid	commons-pool	Low
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dirkv	Medium
Vendor	pom	developer id	dweinr1	Medium
Vendor	pom	developer id	geirm	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	morgand	Medium
Vendor	pom	developer id	rdonkin	Medium
Vendor	pom	developer id	rwaldhoff	Medium
Vendor	pom	developer id	sandymac	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Weinrich	Medium
Vendor	pom	developer name	Dirk Verbeeck	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Geir Magnusson	Medium
Vendor	pom	developer name	Morgan Delagrange	Medium
Vendor	pom	developer name	Robert Burrell Donkin	Medium
Vendor	pom	developer name	Rodney Waldhoff	Medium
Vendor	pom	developer name	Sandy McArthur	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	groupid	commons-pool	Highest
Vendor	pom	name	Commons Pool	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/pool/	Highest
Product	file	name	commons-pool	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	pool	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/pool/	Low
Product	Manifest	Bundle-Name	Commons Pool	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.pool	Medium
Product	Manifest	implementation-build	UNKNOWN_BRANCH@r??????; 2012-01-04 10:31:47-0500	Low
Product	Manifest	Implementation-Title	Commons Pool	High
Product	Manifest	specification-title	Commons Pool	Medium
Product	pom	artifactid	commons-pool	Highest
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dirkv	Low
Product	pom	developer id	dweinr1	Low
Product	pom	developer id	geirm	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	morgand	Low
Product	pom	developer id	rdonkin	Low
Product	pom	developer id	rwaldhoff	Low
Product	pom	developer id	sandymac	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Weinrich	Low
Product	pom	developer name	Dirk Verbeeck	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Geir Magnusson	Low
Product	pom	developer name	Morgan Delagrange	Low
Product	pom	developer name	Robert Burrell Donkin	Low
Product	pom	developer name	Rodney Waldhoff	Low
Product	pom	developer name	Sandy McArthur	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	groupid	commons-pool	Highest
Product	pom	name	Commons Pool	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/pool/	Medium
Version	file	version	1.6	High
Version	Manifest	Implementation-Version	1.6	High
Version	pom	parent-version	1.6	Low
Version	pom	version	1.6	Highest

Identifiers

pkg:maven/commons-pool/commons-pool@1.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons Text is a library focused on algorithms working on strings.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar
MD5: 4afc9bfa2d31dbf7330c98fcc954b892
SHA1: 3363381aef8cef2dbc1023b3e3a9433b08b64e01
SHA256:770cd903fa7b604d1f7ef7ba17f84108667294b2b478be8ed1af3bffb4ae0018
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-text	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	text	Highest
Vendor	Manifest	automatic-module-name	org.apache.commons.text	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-text	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.commons-text	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-text	Highest
Vendor	pom	artifactid	commons-text	Low
Vendor	pom	developer email	britter@apache.org	Low
Vendor	pom	developer email	chtompki@apache.org	Low
Vendor	pom	developer email	djones@apache.org	Low
Vendor	pom	developer email	ggregory at apache.org	Low
Vendor	pom	developer email	kinow@apache.org	Low
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	chtompki	Medium
Vendor	pom	developer id	djones	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	kinow	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Bruno P. Kinoshita	Medium
Vendor	pom	developer name	Duncan Jones	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Rob Tompkins	Medium
Vendor	pom	developer org	The Apache Software Foundation	Medium
Vendor	pom	developer org URL	https://www.apache.org/	Medium
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons Text	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	https://commons.apache.org/proper/commons-text	Highest
Product	file	name	commons-text	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	text	Highest
Product	Manifest	automatic-module-name	org.apache.commons.text	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://commons.apache.org/proper/commons-text	Low
Product	Manifest	Bundle-Name	Apache Commons Text	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.commons-text	Medium
Product	Manifest	Implementation-Title	Apache Commons Text	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons Text	Medium
Product	pom	artifactid	commons-text	Highest
Product	pom	developer email	britter@apache.org	Low
Product	pom	developer email	chtompki@apache.org	Low
Product	pom	developer email	djones@apache.org	Low
Product	pom	developer email	ggregory at apache.org	Low
Product	pom	developer email	kinow@apache.org	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	chtompki	Low
Product	pom	developer id	djones	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	kinow	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Bruno P. Kinoshita	Low
Product	pom	developer name	Duncan Jones	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Rob Tompkins	Low
Product	pom	developer org	The Apache Software Foundation	Low
Product	pom	developer org URL	https://www.apache.org/	Low
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons Text	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	https://commons.apache.org/proper/commons-text	Medium
Version	file	version	1.10.0	High
Version	Manifest	Bundle-Version	1.10.0	High
Version	Manifest	Implementation-Version	1.10.0	High
Version	pom	parent-version	1.10.0	Low
Version	pom	version	1.10.0	Highest

Identifiers

pkg:maven/org.apache.commons/commons-text@1.10.0 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.10.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:commons_text:1.10.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

    Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
    It may be used standalone or with a framework like Struts.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/commons-validator/commons-validator/1.6/commons-validator-1.6.jar
MD5: 3fd5efd8dcdd601035c123638a897833
SHA1: e989d1e87cdd60575df0765ed5bac65c905d7908
SHA256:bd62795d7068a69cbea333f6dbf9c9c1a6ad7521443fb57202a44874f240ba25
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-validator	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	validator	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-validator/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.validator	Medium
Vendor	Manifest	implementation-build	tags/VALIDATOR_1_6_RC1@r1783233; 2017-02-16 15:10:22+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-validator/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-validator	Highest
Vendor	pom	artifactid	commons-validator	Low
Vendor	pom	developer email	craigmcc@apache.org	Low
Vendor	pom	developer email	dgraham@apache.org	Low
Vendor	pom	developer email	dwinterfeldt@apache.org	Low
Vendor	pom	developer email	ggregory@apache.org	Low
Vendor	pom	developer email	husted@apache.org	Low
Vendor	pom	developer email	jmitchell NOSPAM apache.org	Low
Vendor	pom	developer email	martinc@apache.org	Low
Vendor	pom	developer email	mrdon@apache.org	Low
Vendor	pom	developer email	rleland at apache.org	Low
Vendor	pom	developer email	turner@apache.org	Low
Vendor	pom	developer id	bayard	Medium
Vendor	pom	developer id	britter	Medium
Vendor	pom	developer id	bspeakmon	Medium
Vendor	pom	developer id	craigmcc	Medium
Vendor	pom	developer id	dgraham	Medium
Vendor	pom	developer id	dwinterfeldt	Medium
Vendor	pom	developer id	ggregory	Medium
Vendor	pom	developer id	husted	Medium
Vendor	pom	developer id	jmitchell	Medium
Vendor	pom	developer id	martinc	Medium
Vendor	pom	developer id	mrdon	Medium
Vendor	pom	developer id	niallp	Medium
Vendor	pom	developer id	nick	Medium
Vendor	pom	developer id	rleland	Medium
Vendor	pom	developer id	simonetripodi	Medium
Vendor	pom	developer id	turner	Medium
Vendor	pom	developer name	Ben Speakmon	Medium
Vendor	pom	developer name	Benedikt Ritter	Medium
Vendor	pom	developer name	Craig McClanahan	Medium
Vendor	pom	developer name	David Graham	Medium
Vendor	pom	developer name	David Winterfeldt	Medium
Vendor	pom	developer name	Don Brown	Medium
Vendor	pom	developer name	Gary Gregory	Medium
Vendor	pom	developer name	Henri Yandell	Medium
Vendor	pom	developer name	James Mitchell	Medium
Vendor	pom	developer name	James Turner	Medium
Vendor	pom	developer name	Martin Cooper	Medium
Vendor	pom	developer name	Niall Pemberton	Medium
Vendor	pom	developer name	Nick Burch	Medium
Vendor	pom	developer name	Rob Leland	Medium
Vendor	pom	developer name	SimoneTripodi	Medium
Vendor	pom	developer name	Ted Husted	Medium
Vendor	pom	developer org	EdgeTech, Inc	Medium
Vendor	pom	groupid	commons-validator	Highest
Vendor	pom	name	Apache Commons Validator	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/proper/commons-validator/	Highest
Product	file	name	commons-validator	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	validator	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-validator/	Low
Product	Manifest	Bundle-Name	Apache Commons Validator	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.validator	Medium
Product	Manifest	implementation-build	tags/VALIDATOR_1_6_RC1@r1783233; 2017-02-16 15:10:22+0000	Low
Product	Manifest	Implementation-Title	Apache Commons Validator	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-validator/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Apache Commons Validator	Medium
Product	pom	artifactid	commons-validator	Highest
Product	pom	developer email	craigmcc@apache.org	Low
Product	pom	developer email	dgraham@apache.org	Low
Product	pom	developer email	dwinterfeldt@apache.org	Low
Product	pom	developer email	ggregory@apache.org	Low
Product	pom	developer email	husted@apache.org	Low
Product	pom	developer email	jmitchell NOSPAM apache.org	Low
Product	pom	developer email	martinc@apache.org	Low
Product	pom	developer email	mrdon@apache.org	Low
Product	pom	developer email	rleland at apache.org	Low
Product	pom	developer email	turner@apache.org	Low
Product	pom	developer id	bayard	Low
Product	pom	developer id	britter	Low
Product	pom	developer id	bspeakmon	Low
Product	pom	developer id	craigmcc	Low
Product	pom	developer id	dgraham	Low
Product	pom	developer id	dwinterfeldt	Low
Product	pom	developer id	ggregory	Low
Product	pom	developer id	husted	Low
Product	pom	developer id	jmitchell	Low
Product	pom	developer id	martinc	Low
Product	pom	developer id	mrdon	Low
Product	pom	developer id	niallp	Low
Product	pom	developer id	nick	Low
Product	pom	developer id	rleland	Low
Product	pom	developer id	simonetripodi	Low
Product	pom	developer id	turner	Low
Product	pom	developer name	Ben Speakmon	Low
Product	pom	developer name	Benedikt Ritter	Low
Product	pom	developer name	Craig McClanahan	Low
Product	pom	developer name	David Graham	Low
Product	pom	developer name	David Winterfeldt	Low
Product	pom	developer name	Don Brown	Low
Product	pom	developer name	Gary Gregory	Low
Product	pom	developer name	Henri Yandell	Low
Product	pom	developer name	James Mitchell	Low
Product	pom	developer name	James Turner	Low
Product	pom	developer name	Martin Cooper	Low
Product	pom	developer name	Niall Pemberton	Low
Product	pom	developer name	Nick Burch	Low
Product	pom	developer name	Rob Leland	Low
Product	pom	developer name	SimoneTripodi	Low
Product	pom	developer name	Ted Husted	Low
Product	pom	developer org	EdgeTech, Inc	Low
Product	pom	groupid	commons-validator	Highest
Product	pom	name	Apache Commons Validator	High
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	parent-groupid	org.apache.commons	Medium
Product	pom	url	http://commons.apache.org/proper/commons-validator/	Medium
Version	file	version	1.6	High
Version	Manifest	Implementation-Version	1.6	High
Version	pom	parent-version	1.6	Low
Version	pom	version	1.6	Highest

Identifiers

pkg:maven/commons-validator/commons-validator@1.6 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Apache Commons VFS is a Virtual File System library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/commons/commons-vfs2/2.4.1/commons-vfs2-2.4.1.jar
MD5: 3689ad3e33c2455c033c7062f583c49f
SHA1: 2b041628c3cb436d8eee25f78603f04eb5e817a5
SHA256:1d518e883bb4e9a791c2bb48c76ed7b8879708b312ed955854e50b831e23ed35
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	commons-vfs2	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	commons	Highest
Vendor	jar	package name	vfs	Highest
Vendor	jar	package name	vfs2	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-vfs/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.vfs2	Medium
Vendor	Manifest	implementation-build	release@reabdee306d5b0a73859a0aa841a5c0ccfe8b337a; 2019-08-11 00:23:00+0000	Low
Vendor	Manifest	implementation-url	http://commons.apache.org/proper/commons-vfs/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	commons-vfs2	Highest
Vendor	pom	artifactid	commons-vfs2	Low
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	name	Apache Commons VFS	High
Vendor	pom	parent-artifactid	commons-vfs2-project	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-vfs/	Highest
Product	file	name	commons-vfs2	High
Product	jar	package name	apache	Highest
Product	jar	package name	commons	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	vfs	Highest
Product	jar	package name	vfs2	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-vfs/	Low
Product	Manifest	Bundle-Name	Apache Commons VFS	Medium
Product	Manifest	bundle-symbolicname	org.apache.commons.vfs2	Medium
Product	Manifest	implementation-build	release@reabdee306d5b0a73859a0aa841a5c0ccfe8b337a; 2019-08-11 00:23:00+0000	Low
Product	Manifest	Implementation-Title	Apache Commons VFS	High
Product	Manifest	implementation-url	http://commons.apache.org/proper/commons-vfs/	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Commons VFS	Medium
Product	pom	artifactid	commons-vfs2	Highest
Product	pom	groupid	org.apache.commons	Highest
Product	pom	name	Apache Commons VFS	High
Product	pom	parent-artifactid	commons-vfs2-project	Medium
Product	pom	url	http://commons.apache.org/proper/commons-vfs/	Medium
Version	file	version	2.4.1	High
Version	Manifest	Bundle-Version	2.4.1	High
Version	Manifest	Implementation-Version	2.4.1	High
Version	pom	version	2.4.1	Highest

Identifiers

pkg:maven/org.apache.commons/commons-vfs2@2.4.1 (Confidence:High)
cpe:2.3:a:apache:commons_net:2.4.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Java library for Content (Media) Type representation

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/content-type/2.2/content-type-2.2.jar
MD5: 135aaa5ebcc12a45f4b3ff08cb6fa46a
SHA1: 9a894bce7646dd4086652d85b88013229f23724b
SHA256:730f1816196145e88275093c147f2e6da3c3e541207acd3503a1b06129b9bea9
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	content-type	High
Vendor	jar	package name	nimbusds	Highest
Vendor	Manifest	build-date	${timestamp}	Low
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	build-number	${buildNumber}	Low
Vendor	Manifest	build-tag	2.2	Low
Vendor	Manifest	bundle-docurl	https://connect2id.com	Low
Vendor	Manifest	bundle-symbolicname	com.nimbusds.content-type	Medium
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	Implementation-Vendor-Id	com.nimbusds	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	content-type	Highest
Vendor	pom	artifactid	content-type	Low
Vendor	pom	developer email	vladimir@dzhuvinov.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	Nimbus Content Type	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/nimbus-content-type	Highest
Product	file	name	content-type	High
Product	jar	package name	nimbusds	Highest
Product	Manifest	build-date	${timestamp}	Low
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	build-number	${buildNumber}	Low
Product	Manifest	build-tag	2.2	Low
Product	Manifest	bundle-docurl	https://connect2id.com	Low
Product	Manifest	Bundle-Name	Nimbus Content Type	Medium
Product	Manifest	bundle-symbolicname	com.nimbusds.content-type	Medium
Product	Manifest	Implementation-Title	Nimbus Content Type	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Nimbus Content Type	Medium
Product	pom	artifactid	content-type	Highest
Product	pom	developer email	vladimir@dzhuvinov.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	Nimbus Content Type	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com	Low
Product	pom	url	https://bitbucket.org/connect2id/nimbus-content-type	Medium
Version	file	version	2.2	High
Version	Manifest	build-tag	2.2	Low
Version	Manifest	Implementation-Version	2.2	High
Version	pom	version	2.2	Highest

Identifiers

pkg:maven/com.nimbusds/content-type@2.2 (Confidence:High)

File Path: /home/grprdist/.m2/repository/net/redhogs/cronparser/cron-parser-core/3.4/cron-parser-core-3.4.jar
MD5: 984e308161cecec9ca9ca7ab34257c1e
SHA1: f4b72519661bd9879803b82ac19eab1269bbcdf9
SHA256:caece60f6f9305eb0ff54b9558ef014a7c076bb9ecec609006983794c0ced2ee
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	cron-parser-core	High
Vendor	jar	package name	cronparser	Highest
Vendor	jar	package name	cronparser	Low
Vendor	jar	package name	net	Highest
Vendor	jar	package name	net	Low
Vendor	jar	package name	redhogs	Highest
Vendor	jar	package name	redhogs	Low
Vendor	pom	artifactid	cron-parser-core	Highest
Vendor	pom	artifactid	cron-parser-core	Low
Vendor	pom	groupid	net.redhogs.cronparser	Highest
Vendor	pom	name	cron-parser-core	High
Vendor	pom	parent-artifactid	cron-parser	Low
Product	file	name	cron-parser-core	High
Product	jar	package name	cronparser	Highest
Product	jar	package name	cronparser	Low
Product	jar	package name	net	Highest
Product	jar	package name	redhogs	Highest
Product	jar	package name	redhogs	Low
Product	pom	artifactid	cron-parser-core	Highest
Product	pom	groupid	net.redhogs.cronparser	Highest
Product	pom	name	cron-parser-core	High
Product	pom	parent-artifactid	cron-parser	Medium
Version	file	version	3.4	High
Version	pom	version	3.4	Highest

Identifiers

pkg:maven/net.redhogs.cronparser/cron-parser-core@3.4 (Confidence:High)

Description:

flexible XML framework for Java

License:

BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE

File Path: /home/grprdist/.m2/repository/org/dom4j/dom4j/2.1.3/dom4j-2.1.3.jar
MD5: 41efcf234c5a05a8c590f9b51d53ca66
SHA1: a75914155a9f5808963170ec20653668a2ffd2fd
SHA256:549f3007c6290f6a901e57d1d331b4ed0e6bf7384f78bf10316ffceeca834de6
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	dom4j	High
Vendor	jar	package name	dom4j	Highest
Vendor	jar	package name	dom4j	Low
Vendor	pom	artifactid	dom4j	Highest
Vendor	pom	artifactid	dom4j	Low
Vendor	pom	developer email	filip@jirsak.org	Low
Vendor	pom	developer name	Filip Jirsák	Medium
Vendor	pom	groupid	org.dom4j	Highest
Vendor	pom	name	dom4j	High
Vendor	pom	url	http://dom4j.github.io/	Highest
Product	file	name	dom4j	High
Product	jar	package name	dom4j	Highest
Product	pom	artifactid	dom4j	Highest
Product	pom	developer email	filip@jirsak.org	Low
Product	pom	developer name	Filip Jirsák	Low
Product	pom	groupid	org.dom4j	Highest
Product	pom	name	dom4j	High
Product	pom	url	http://dom4j.github.io/	Medium
Version	file	version	2.1.3	High
Version	pom	version	2.1.3	Highest

Identifiers

pkg:maven/org.dom4j/dom4j@2.1.3 (Confidence:High)
cpe:2.3:a:dom4j_project:dom4j:2.1.3:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Internet2 Groups Management WS Generated Client

License:

Apache 2 http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /var/grouper-docs/git/grouper/grouper-ws/grouper-ws-java-generated-client/pom.xml

Referenced In Project/Scope:Grouper WS Test

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	pom	High
Vendor	project	artifactid	grouper-ws-java-generated-client	Low
Vendor	project	groupid	edu.internet2.middleware.grouper	Highest
Product	file	name	pom	High
Product	project	artifactid	grouper-ws-java-generated-client	Highest
Product	project	groupid	edu.internet2.middleware.grouper	Low

Identifiers

pkg:maven/edu.internet2.middleware.grouper/grouper-ws-java-generated-client@2.6.0-SNAPSHOT (Confidence:Highest)
cpe:2.3:a:internet2:grouper:2.6.0:snapshot:*:*:*:*:*:* (Confidence:Highest)

Description:

Internet2 Groups Management WS Core

License:

Apache 2 http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /var/grouper-docs/git/grouper/grouper-ws/grouper-ws/pom.xml

Referenced In Project/Scope:Grouper WS Test

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	pom	High
Vendor	project	artifactid	grouper-ws	Low
Vendor	project	groupid	edu.internet2.middleware.grouper	Highest
Product	file	name	pom	High
Product	project	artifactid	grouper-ws	Highest
Product	project	groupid	edu.internet2.middleware.grouper	Low

Identifiers

pkg:maven/edu.internet2.middleware.grouper/grouper-ws@2.6.0-SNAPSHOT (Confidence:Highest)
cpe:2.3:a:internet2:grouper:2.6.0:snapshot:*:*:*:*:*:* (Confidence:Highest)

Description:

Internet2 Groups Management Toolkit

License:

Apache 2 http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /var/grouper-docs/git/grouper/grouper/pom.xml

Referenced In Projects/Scopes:

Grouper WS Test
Grouper WS
Grouper WS Generated Client
Grouper WS SCIM

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	pom	High
Vendor	project	artifactid	grouper	Low
Vendor	project	groupid	edu.internet2.middleware.grouper	Highest
Product	file	name	pom	High
Product	project	artifactid	grouper	Highest
Product	project	groupid	edu.internet2.middleware.grouper	Low

Identifiers

pkg:maven/edu.internet2.middleware.grouper/grouper@2.6.0-SNAPSHOT (Confidence:Highest)
cpe:2.3:a:internet2:grouper:2.6.0:snapshot:*:*:*:*:*:* (Confidence:Highest)

Description:

Client for Grouper LDAP and Web Services

License:

Apache 2 http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /var/grouper-docs/git/grouper/grouper-misc/grouperClient/pom.xml

Referenced In Projects/Scopes:

Grouper WS Test
Grouper WS
Grouper WS Generated Client
Grouper WS SCIM

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	pom	High
Vendor	project	artifactid	grouperClient	Low
Vendor	project	groupid	edu.internet2.middleware.grouper	Highest
Product	file	name	pom	High
Product	project	artifactid	grouperClient	Highest
Product	project	groupid	edu.internet2.middleware.grouper	Low

Identifiers

pkg:maven/edu.internet2.middleware.grouper/grouperClient@2.6.0-SNAPSHOT (Confidence:Highest)
cpe:2.3:a:internet2:grouper:2.6.0:snapshot:*:*:*:*:*:* (Confidence:Highest)

Description:

This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt

File Path: /home/grprdist/.m2/repository/net/sf/ehcache/ehcache-core/2.6.10/ehcache-core-2.6.10.jar
MD5: 206e69dbe0f3454dceee5acf71b64823
SHA1: 8e567a024e27e11b961ca068c5c367f845e21a9b
SHA256:53733a580faad03c8433a6a9f0067040f7ace569f4adeaf71f8aa46e1037e3c9
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ehcache-core	High
Vendor	jar	package name	ehcache	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	sf	Highest
Vendor	pom	artifactid	ehcache-core	Highest
Vendor	pom	artifactid	ehcache-core	Low
Vendor	pom	groupid	net.sf.ehcache	Highest
Vendor	pom	name	Ehcache Core	High
Vendor	pom	parent-artifactid	ehcache-parent	Low
Vendor	pom	url	http://ehcache.org	Highest
Product	file	name	ehcache-core	High
Product	jar	package name	ehcache	Highest
Product	jar	package name	net	Highest
Product	jar	package name	sf	Highest
Product	pom	artifactid	ehcache-core	Highest
Product	pom	groupid	net.sf.ehcache	Highest
Product	pom	name	Ehcache Core	High
Product	pom	parent-artifactid	ehcache-parent	Medium
Product	pom	url	http://ehcache.org	Medium
Version	file	version	2.6.10	High
Version	pom	parent-version	2.6.10	Low
Version	pom	version	2.6.10	Highest

Identifiers

pkg:maven/net.sf.ehcache/ehcache-core@2.6.10 (Confidence:High)

File Path: /home/grprdist/.m2/repository/net/sf/ehcache/ehcache-core/2.6.10/ehcache-core-2.6.10.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256:3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	sizeof-agent	High
Vendor	jar	package name	ehcache	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	sf	Highest
Vendor	Manifest	hudson-build-number	6	Low
Vendor	Manifest	hudson-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Vendor	Manifest	jenkins-build-number	6	Low
Vendor	Manifest	jenkins-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Vendor	pom	artifactid	sizeof-agent	Low
Vendor	pom	groupid	net.sf.ehcache	Highest
Vendor	pom	name	Ehcache Size-Of Agent	High
Vendor	pom	parent-artifactid	ehcache-parent	Low
Vendor	pom	url	http://www.ehcache.org	Highest
Product	file	name	sizeof-agent	High
Product	jar	package name	ehcache	Highest
Product	jar	package name	net	Highest
Product	jar	package name	sf	Highest
Product	Manifest	hudson-build-number	6	Low
Product	Manifest	hudson-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Product	Manifest	jenkins-build-number	6	Low
Product	Manifest	jenkins-project	sizeof-agent_sizeof-agent-1.0.1_publisher	Low
Product	pom	artifactid	sizeof-agent	Highest
Product	pom	groupid	net.sf.ehcache	Highest
Product	pom	name	Ehcache Size-Of Agent	High
Product	pom	parent-artifactid	ehcache-parent	Medium
Product	pom	url	http://www.ehcache.org	Medium
Version	pom	parent-version	1.0.1	Low
Version	pom	version	1.0.1	Highest

Identifiers

pkg:maven/net.sf.ehcache/sizeof-agent@1.0.1 (Confidence:High)

Description:

      Simple java library for transforming an Object to another Object.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/sf/ezmorph/ezmorph/1.0.6/ezmorph-1.0.6.jar
MD5: 1fa113c6aacf3a01af1449df77acd474
SHA1: 01e55d2a0253ea37745d33062852fd2c90027432
SHA256:2be06a2380f8656426b5c610db694bbd75314caf3e9191affcd7942721398ed7
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ezmorph	High
Vendor	jar	package name	ezmorph	Highest
Vendor	jar	package name	ezmorph	Low
Vendor	jar	package name	net	Highest
Vendor	jar	package name	net	Low
Vendor	jar	package name	object	Highest
Vendor	jar	package name	sf	Highest
Vendor	jar	package name	sf	Low
Vendor	pom	artifactid	ezmorph	Highest
Vendor	pom	artifactid	ezmorph	Low
Vendor	pom	developer email	aalmiray@users.sourceforge.net	Low
Vendor	pom	developer id	aalmiray	Medium
Vendor	pom	developer name	Andres Almiray	Medium
Vendor	pom	groupid	net.sf.ezmorph	Highest
Vendor	pom	name	ezmorph	High
Vendor	pom	url	http://ezmorph.sourceforge.net	Highest
Product	file	name	ezmorph	High
Product	jar	package name	ezmorph	Highest
Product	jar	package name	ezmorph	Low
Product	jar	package name	net	Highest
Product	jar	package name	object	Highest
Product	jar	package name	sf	Highest
Product	jar	package name	sf	Low
Product	pom	artifactid	ezmorph	Highest
Product	pom	developer email	aalmiray@users.sourceforge.net	Low
Product	pom	developer id	aalmiray	Low
Product	pom	developer name	Andres Almiray	Low
Product	pom	groupid	net.sf.ezmorph	Highest
Product	pom	name	ezmorph	High
Product	pom	url	http://ezmorph.sourceforge.net	Medium
Version	file	version	1.0.6	High
Version	pom	version	1.0.6	Highest

Identifiers

pkg:maven/net.sf.ezmorph/ezmorph@1.0.6 (Confidence:High)

Description:

Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-activation_1.1_spec/1.0.2/geronimo-activation_1.1_spec-1.0.2.jar
MD5: 9759ed85c6e767bf3dc00c4cf635c4e2
SHA1: 3efc3aadfaf8878060167e492c03fdafb905ae01
SHA256:eead654df3a0e1405314eb0578e32c53267872dfbb1250b2fd6f3a9629c57fa4
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-activation_1.1_spec-1.0.2	High
Vendor	jar	package name	activation	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org	Low
Vendor	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-activation_1.1_spec	Medium
Vendor	pom	artifactid	geronimo-activation_1.1_spec	Highest
Vendor	pom	artifactid	geronimo-activation_1.1_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	Activation 1.1	High
Vendor	pom	parent-artifactid	specs	Low
Product	file	name	geronimo-activation_1.1_spec-1.0.2	High
Product	jar	package name	activation	Highest
Product	Manifest	bundle-docurl	http://www.apache.org	Low
Product	Manifest	Bundle-Name	geronimo-activation_1.1_spec	Medium
Product	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-activation_1.1_spec	Medium
Product	Manifest	Implementation-Title	Apache Geronimo	High
Product	pom	artifactid	geronimo-activation_1.1_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	Activation 1.1	High
Product	pom	parent-artifactid	specs	Medium
Version	Manifest	Bundle-Version	1.0.2	High
Version	Manifest	Implementation-Version	1.0.2	High
Version	pom	parent-version	1.0.2	Low
Version	pom	version	1.0.2	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-activation_1.1_spec@1.0.2 (Confidence:High)

Description:

Javamail 1.4 Specification

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-javamail_1.4_spec/1.7.1/geronimo-javamail_1.4_spec-1.7.1.jar
MD5: f3b9d8c9a79eefdc0ebe07c34612646d
SHA1: 43ad4090b1a07a11c82ac40c01fc4e2fbad20013
SHA256:6f1e85d9c66135f5a9dbc9f78cbf8132e52f8a85884d618ccf0dbe9344c5a330
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-javamail_1.4_spec-1.7.1	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	geronimo	Highest
Vendor	Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-javamail_1.4_spec/1.7.1	Low
Vendor	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-javamail_1.4_spec;singleton=true	Medium
Vendor	Manifest	specification-vendor	Sun Microsystems, Inc.	Low
Vendor	pom	artifactid	geronimo-javamail_1.4_spec	Highest
Vendor	pom	artifactid	geronimo-javamail_1.4_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	JavaMail 1.4	High
Vendor	pom	parent-artifactid	genesis-java5-flava	Low
Vendor	pom	parent-groupid	org.apache.geronimo.genesis	Medium
Vendor	pom	url	http://geronimo.apache.org/maven/${siteId}/${version}	Highest
Vendor	pom	url	http://geronimo.apache.org/maven/${siteId}/1.7.1	Highest
Product	file	name	geronimo-javamail_1.4_spec-1.7.1	High
Product	jar	package name	apache	Highest
Product	jar	package name	geronimo	Highest
Product	Manifest	bundle-docurl	http://geronimo.apache.org/maven/specs/geronimo-javamail_1.4_spec/1.7.1	Low
Product	Manifest	Bundle-Name	JavaMail 1.4	Medium
Product	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-javamail_1.4_spec;singleton=true	Medium
Product	Manifest	Implementation-Title	JavaMail 1.4	High
Product	Manifest	specification-title	JSR-919 Javamail API 1.4	Medium
Product	pom	artifactid	geronimo-javamail_1.4_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	JavaMail 1.4	High
Product	pom	parent-artifactid	genesis-java5-flava	Medium
Product	pom	parent-groupid	org.apache.geronimo.genesis	Medium
Product	pom	url	http://geronimo.apache.org/maven/${siteId}/${version}	Medium
Product	pom	url	http://geronimo.apache.org/maven/${siteId}/1.7.1	Medium
Version	Manifest	Bundle-Version	1.7.1	High
Version	Manifest	Implementation-Version	1.7.1	High
Version	pom	parent-version	1.7.1	Low
Version	pom	version	1.7.1	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-javamail_1.4_spec@1.7.1 (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-jta_1.1_spec/1.1/geronimo-jta_1.1_spec-1.1.jar
MD5: 25b479710f7ac269c6bf5bf016345ad9
SHA1: fe8d9046737540d728e4b82cf26dcdd8bf4b0eb1
SHA256:186d94eaf931e434c6858d5f255c808f22a5de72cda8106ca34fe003d3e015bb
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-jta_1.1_spec-1.1	High
Vendor	jar	package name	javax	Low
Vendor	jar	package name	transaction	Low
Vendor	pom	artifactid	geronimo-jta_1.1_spec	Highest
Vendor	pom	artifactid	geronimo-jta_1.1_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	JTA 1.1	High
Vendor	pom	parent-artifactid	specs	Low
Product	file	name	geronimo-jta_1.1_spec-1.1	High
Product	jar	package name	transaction	Low
Product	pom	artifactid	geronimo-jta_1.1_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	JTA 1.1	High
Product	pom	parent-artifactid	specs	Medium
Version	pom	parent-version	1.1	Low
Version	pom	version	1.1	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-jta_1.1_spec@1.1 (Confidence:High)

Description:

Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-stax-api_1.0_spec/1.0.1/geronimo-stax-api_1.0_spec-1.0.1.jar
MD5: b7c2a715cd3d1c43dc4ccfae426e8e2e
SHA1: 1c171093a8b43aa550c6050ac441abe713ebb4f2
SHA256:124235815fba376b0c20ed37f79d691fa26b4e00297a4ab27b6ca05ceb591348
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-stax-api_1.0_spec-1.0.1	High
Vendor	jar	package name	xml	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org	Low
Vendor	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-stax-api_1.0_spec	Medium
Vendor	pom	artifactid	geronimo-stax-api_1.0_spec	Highest
Vendor	pom	artifactid	geronimo-stax-api_1.0_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	Streaming API for XML (STAX API 1.0)	High
Vendor	pom	parent-artifactid	specs	Low
Product	file	name	geronimo-stax-api_1.0_spec-1.0.1	High
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	http://www.apache.org	Low
Product	Manifest	Bundle-Name	geronimo-stax-api_1.0_spec	Medium
Product	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-stax-api_1.0_spec	Medium
Product	Manifest	Implementation-Title	Apache Geronimo	High
Product	pom	artifactid	geronimo-stax-api_1.0_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	Streaming API for XML (STAX API 1.0)	High
Product	pom	parent-artifactid	specs	Medium
Version	Manifest	Bundle-Version	1.0.1	High
Version	Manifest	Implementation-Version	1.0.1	High
Version	pom	parent-version	1.0.1	Low
Version	pom	version	1.0.1	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-stax-api_1.0_spec@1.0.1 (Confidence:High)

Description:

Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/geronimo/specs/geronimo-ws-metadata_2.0_spec/1.1.2/geronimo-ws-metadata_2.0_spec-1.1.2.jar
MD5: 3d0fbbca45e8877dee74e83bc83317d5
SHA1: 7be9f049b4f0f0cf045675be5a0ff709d57cbc6a
SHA256:94820ccdb04c7c64290938f16cc577cdd8ded6a4d12ed2fbfd03318feff97579
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	geronimo-ws-metadata_2.0_spec-1.1.2	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	Manifest	bundle-docurl	http://www.apache.org	Low
Vendor	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-ws-metadata_2.0_spec	Medium
Vendor	pom	artifactid	geronimo-ws-metadata_2.0_spec	Highest
Vendor	pom	artifactid	geronimo-ws-metadata_2.0_spec	Low
Vendor	pom	groupid	org.apache.geronimo.specs	Highest
Vendor	pom	name	Web Services Metadata 2.0	High
Vendor	pom	parent-artifactid	specs	Low
Product	file	name	geronimo-ws-metadata_2.0_spec-1.1.2	High
Product	hint analyzer	product	web services	Medium
Product	Manifest	bundle-docurl	http://www.apache.org	Low
Product	Manifest	Bundle-Name	geronimo-ws-metadata_2.0_spec	Medium
Product	Manifest	bundle-symbolicname	org.apache.geronimo.specs.geronimo-ws-metadata_2.0_spec	Medium
Product	Manifest	Implementation-Title	Apache Geronimo	High
Product	pom	artifactid	geronimo-ws-metadata_2.0_spec	Highest
Product	pom	groupid	org.apache.geronimo.specs	Highest
Product	pom	name	Web Services Metadata 2.0	High
Product	pom	parent-artifactid	specs	Medium
Version	Manifest	Bundle-Version	1.1.2	High
Version	Manifest	Implementation-Version	1.1.2	High
Version	pom	parent-version	1.1.2	Low
Version	pom	version	1.1.2	Highest

Identifiers

pkg:maven/org.apache.geronimo.specs/geronimo-ws-metadata_2.0_spec@1.1.2 (Confidence:High)
cpe:2.3:a:web_project:web:1.1.2:*:*:*:*:*:*:* (Confidence:Low)

Description:

Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy/2.5.18/groovy-2.5.18.jar
MD5: f3de969ce974116e3e262c591dfc8ef2
SHA1: 798c6b66235338deeab9ecffa8942c67a0357abe
SHA256:ce352918c7fc06c700bc7f13cbd00226042bc146a899eb52ff5b522a092a309c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	groovy	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	groovy	Highest
Vendor	Manifest	automatic-module-name	org.codehaus.groovy	Medium
Vendor	Manifest	bundle-symbolicname	groovy	Medium
Vendor	Manifest	eclipse-buddypolicy	dependent	Low
Vendor	Manifest	eclipse-extensibleapi	true	Low
Vendor	Manifest	extension-name	groovy	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	groovy	Highest
Vendor	pom	artifactid	groovy	Low
Vendor	pom	developer email	aalmiray@users.sourceforge.net	Low
Vendor	pom	developer email	b55r@sina.com	Low
Vendor	pom	developer email	blackdrag@gmx.org	Low
Vendor	pom	developer email	bob@werken.com	Low
Vendor	pom	developer email	cedric.champeau@gmail.com	Low
Vendor	pom	developer email	ckl@dacelo.nl	Low
Vendor	pom	developer email	cpoirier@dreaming.org	Low
Vendor	pom	developer email	goetze@dovetail.com	Low
Vendor	pom	developer email	guillaume.alleon@gmail.com	Low
Vendor	pom	developer email	hamletdrc@gmail.com	Low
Vendor	pom	developer email	james@coredevelopers.com	Low
Vendor	pom	developer email	jason@planet57.com	Low
Vendor	pom	developer email	jeremy.rayner@gmail.com	Low
Vendor	pom	developer email	jim@pagesmiths.com	Low
Vendor	pom	developer email	johnstump2@yahoo.com	Low
Vendor	pom	developer email	mguillemot@yahoo.fr	Low
Vendor	pom	developer email	paulk@asert.com.au	Low
Vendor	pom	developer email	phkim@cluecom.co.kr	Low
Vendor	pom	developer email	pniederw@gmail.com	Low
Vendor	pom	developer email	russel@winder.org.uk	Low
Vendor	pom	developer email	sam@sampullara.com	Low
Vendor	pom	developer email	sormuras@gmx.de	Low
Vendor	pom	developer email	tug@wilson.co.uk	Low
Vendor	pom	developer id	aalmiray	Medium
Vendor	pom	developer id	alextkachman	Medium
Vendor	pom	developer id	andresteingress	Medium
Vendor	pom	developer id	blackdrag	Medium
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	bran	Medium
Vendor	pom	developer id	ckl	Medium
Vendor	pom	developer id	cpoirier	Medium
Vendor	pom	developer id	cstein	Medium
Vendor	pom	developer id	emilles	Medium
Vendor	pom	developer id	galleon	Medium
Vendor	pom	developer id	glaforge	Medium
Vendor	pom	developer id	goetze	Medium
Vendor	pom	developer id	grocher	Medium
Vendor	pom	developer id	hamletdrc	Medium
Vendor	pom	developer id	jamiemc	Medium
Vendor	pom	developer id	jez	Medium
Vendor	pom	developer id	jimwhite	Medium
Vendor	pom	developer id	joe	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jstump	Medium
Vendor	pom	developer id	jwill	Medium
Vendor	pom	developer id	jwilson	Medium
Vendor	pom	developer id	kasper	Medium
Vendor	pom	developer id	mattf	Medium
Vendor	pom	developer id	melix	Medium
Vendor	pom	developer id	mguillem	Medium
Vendor	pom	developer id	mittie	Medium
Vendor	pom	developer id	pascalschumacher	Medium
Vendor	pom	developer id	paulk	Medium
Vendor	pom	developer id	phk	Medium
Vendor	pom	developer id	pniederw	Medium
Vendor	pom	developer id	roshandawrani	Medium
Vendor	pom	developer id	rpopma	Medium
Vendor	pom	developer id	russel	Medium
Vendor	pom	developer id	shemnon	Medium
Vendor	pom	developer id	skizz	Medium
Vendor	pom	developer id	spullara	Medium
Vendor	pom	developer id	sunlan	Medium
Vendor	pom	developer id	timyates	Medium
Vendor	pom	developer id	travis	Medium
Vendor	pom	developer id	user57	Medium
Vendor	pom	developer id	zohar	Medium
Vendor	pom	developer name	Alex Tkachman	Medium
Vendor	pom	developer name	Andre Steingress	Medium
Vendor	pom	developer name	Andres Almiray	Medium
Vendor	pom	developer name	Bing Ran	Medium
Vendor	pom	developer name	bob mcwhirter	Medium
Vendor	pom	developer name	Cedric Champeau	Medium
Vendor	pom	developer name	Chris Poirier	Medium
Vendor	pom	developer name	Chris Stevenson	Medium
Vendor	pom	developer name	Christiaan ten Klooster	Medium
Vendor	pom	developer name	Christian Stein	Medium
Vendor	pom	developer name	Daniel Sun	Medium
Vendor	pom	developer name	Danno Ferrin	Medium
Vendor	pom	developer name	Dierk Koenig	Medium
Vendor	pom	developer name	Eric Milles	Medium
Vendor	pom	developer name	Graeme Rocher	Medium
Vendor	pom	developer name	Guillaume Alleon	Medium
Vendor	pom	developer name	Guillaume Laforge	Medium
Vendor	pom	developer name	Hamlet D'Arcy	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	James Williams	Medium
Vendor	pom	developer name	Jamie McCrindle	Medium
Vendor	pom	developer name	Jason Dillon	Medium
Vendor	pom	developer name	Jeremy Rayner	Medium
Vendor	pom	developer name	Jim White	Medium
Vendor	pom	developer name	Jochen Theodorou	Medium
Vendor	pom	developer name	Joe Walnes	Medium
Vendor	pom	developer name	John Stump	Medium
Vendor	pom	developer name	John Wilson	Medium
Vendor	pom	developer name	Kasper Nielsen	Medium
Vendor	pom	developer name	Marc Guillemot	Medium
Vendor	pom	developer name	Matt Foemmel	Medium
Vendor	pom	developer name	Pascal Schumacher	Medium
Vendor	pom	developer name	Paul King	Medium
Vendor	pom	developer name	Peter Niederwieser	Medium
Vendor	pom	developer name	Pilho Kim	Medium
Vendor	pom	developer name	Remko Popma	Medium
Vendor	pom	developer name	Roshan Dawrani	Medium
Vendor	pom	developer name	Russel Winder	Medium
Vendor	pom	developer name	Sam Pullara	Medium
Vendor	pom	developer name	Steve Goetze	Medium
Vendor	pom	developer name	Tim Yates	Medium
Vendor	pom	developer name	Travis Kay	Medium
Vendor	pom	developer name	Zohar Melamed	Medium
Vendor	pom	developer org	Concertant LLP & It'z Interactive Ltd	Medium
Vendor	pom	developer org	Core Developers Network	Medium
Vendor	pom	developer org	CTSR.de	Medium
Vendor	pom	developer org	Dacelo WebDevelopment	Medium
Vendor	pom	developer org	Dovetailed Technologies, LLC	Medium
Vendor	pom	developer org	Google	Medium
Vendor	pom	developer org	IFCX.org	Medium
Vendor	pom	developer org	javanicus	Medium
Vendor	pom	developer org	Karakun AG	Medium
Vendor	pom	developer org	Leadingcare	Medium
Vendor	pom	developer org	OCI, Australia	Medium
Vendor	pom	developer org	The Werken Company	Medium
Vendor	pom	developer org	The Wilson Partnership	Medium
Vendor	pom	developer org	Thomson Reuters	Medium
Vendor	pom	developer org	ThoughtWorks	Medium
Vendor	pom	developer org	Three	Medium
Vendor	pom	groupid	org.codehaus.groovy	Highest
Vendor	pom	name	Apache Groovy	High
Vendor	pom	organization name	Apache Software Foundation	High
Vendor	pom	organization url	https://apache.org	Medium
Vendor	pom	url	https://groovy-lang.org	Highest
Product	file	name	groovy	High
Product	jar	package name	apache	Highest
Product	jar	package name	codehaus	Highest
Product	jar	package name	groovy	Highest
Product	jar	package name	runtime	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.codehaus.groovy	Medium
Product	Manifest	Bundle-Name	Groovy Runtime	Medium
Product	Manifest	bundle-symbolicname	groovy	Medium
Product	Manifest	eclipse-buddypolicy	dependent	Low
Product	Manifest	eclipse-extensibleapi	true	Low
Product	Manifest	extension-name	groovy	Medium
Product	Manifest	Implementation-Title	Groovy: a powerful, dynamic language for the JVM	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Groovy: a powerful, dynamic language for the JVM	Medium
Product	pom	artifactid	groovy	Highest
Product	pom	developer email	aalmiray@users.sourceforge.net	Low
Product	pom	developer email	b55r@sina.com	Low
Product	pom	developer email	blackdrag@gmx.org	Low
Product	pom	developer email	bob@werken.com	Low
Product	pom	developer email	cedric.champeau@gmail.com	Low
Product	pom	developer email	ckl@dacelo.nl	Low
Product	pom	developer email	cpoirier@dreaming.org	Low
Product	pom	developer email	goetze@dovetail.com	Low
Product	pom	developer email	guillaume.alleon@gmail.com	Low
Product	pom	developer email	hamletdrc@gmail.com	Low
Product	pom	developer email	james@coredevelopers.com	Low
Product	pom	developer email	jason@planet57.com	Low
Product	pom	developer email	jeremy.rayner@gmail.com	Low
Product	pom	developer email	jim@pagesmiths.com	Low
Product	pom	developer email	johnstump2@yahoo.com	Low
Product	pom	developer email	mguillemot@yahoo.fr	Low
Product	pom	developer email	paulk@asert.com.au	Low
Product	pom	developer email	phkim@cluecom.co.kr	Low
Product	pom	developer email	pniederw@gmail.com	Low
Product	pom	developer email	russel@winder.org.uk	Low
Product	pom	developer email	sam@sampullara.com	Low
Product	pom	developer email	sormuras@gmx.de	Low
Product	pom	developer email	tug@wilson.co.uk	Low
Product	pom	developer id	aalmiray	Low
Product	pom	developer id	alextkachman	Low
Product	pom	developer id	andresteingress	Low
Product	pom	developer id	blackdrag	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	bran	Low
Product	pom	developer id	ckl	Low
Product	pom	developer id	cpoirier	Low
Product	pom	developer id	cstein	Low
Product	pom	developer id	emilles	Low
Product	pom	developer id	galleon	Low
Product	pom	developer id	glaforge	Low
Product	pom	developer id	goetze	Low
Product	pom	developer id	grocher	Low
Product	pom	developer id	hamletdrc	Low
Product	pom	developer id	jamiemc	Low
Product	pom	developer id	jez	Low
Product	pom	developer id	jimwhite	Low
Product	pom	developer id	joe	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jstump	Low
Product	pom	developer id	jwill	Low
Product	pom	developer id	jwilson	Low
Product	pom	developer id	kasper	Low
Product	pom	developer id	mattf	Low
Product	pom	developer id	melix	Low
Product	pom	developer id	mguillem	Low
Product	pom	developer id	mittie	Low
Product	pom	developer id	pascalschumacher	Low
Product	pom	developer id	paulk	Low
Product	pom	developer id	phk	Low
Product	pom	developer id	pniederw	Low
Product	pom	developer id	roshandawrani	Low
Product	pom	developer id	rpopma	Low
Product	pom	developer id	russel	Low
Product	pom	developer id	shemnon	Low
Product	pom	developer id	skizz	Low
Product	pom	developer id	spullara	Low
Product	pom	developer id	sunlan	Low
Product	pom	developer id	timyates	Low
Product	pom	developer id	travis	Low
Product	pom	developer id	user57	Low
Product	pom	developer id	zohar	Low
Product	pom	developer name	Alex Tkachman	Low
Product	pom	developer name	Andre Steingress	Low
Product	pom	developer name	Andres Almiray	Low
Product	pom	developer name	Bing Ran	Low
Product	pom	developer name	bob mcwhirter	Low
Product	pom	developer name	Cedric Champeau	Low
Product	pom	developer name	Chris Poirier	Low
Product	pom	developer name	Chris Stevenson	Low
Product	pom	developer name	Christiaan ten Klooster	Low
Product	pom	developer name	Christian Stein	Low
Product	pom	developer name	Daniel Sun	Low
Product	pom	developer name	Danno Ferrin	Low
Product	pom	developer name	Dierk Koenig	Low
Product	pom	developer name	Eric Milles	Low
Product	pom	developer name	Graeme Rocher	Low
Product	pom	developer name	Guillaume Alleon	Low
Product	pom	developer name	Guillaume Laforge	Low
Product	pom	developer name	Hamlet D'Arcy	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	James Williams	Low
Product	pom	developer name	Jamie McCrindle	Low
Product	pom	developer name	Jason Dillon	Low
Product	pom	developer name	Jeremy Rayner	Low
Product	pom	developer name	Jim White	Low
Product	pom	developer name	Jochen Theodorou	Low
Product	pom	developer name	Joe Walnes	Low
Product	pom	developer name	John Stump	Low
Product	pom	developer name	John Wilson	Low
Product	pom	developer name	Kasper Nielsen	Low
Product	pom	developer name	Marc Guillemot	Low
Product	pom	developer name	Matt Foemmel	Low
Product	pom	developer name	Pascal Schumacher	Low
Product	pom	developer name	Paul King	Low
Product	pom	developer name	Peter Niederwieser	Low
Product	pom	developer name	Pilho Kim	Low
Product	pom	developer name	Remko Popma	Low
Product	pom	developer name	Roshan Dawrani	Low
Product	pom	developer name	Russel Winder	Low
Product	pom	developer name	Sam Pullara	Low
Product	pom	developer name	Steve Goetze	Low
Product	pom	developer name	Tim Yates	Low
Product	pom	developer name	Travis Kay	Low
Product	pom	developer name	Zohar Melamed	Low
Product	pom	developer org	Concertant LLP & It'z Interactive Ltd	Low
Product	pom	developer org	Core Developers Network	Low
Product	pom	developer org	CTSR.de	Low
Product	pom	developer org	Dacelo WebDevelopment	Low
Product	pom	developer org	Dovetailed Technologies, LLC	Low
Product	pom	developer org	Google	Low
Product	pom	developer org	IFCX.org	Low
Product	pom	developer org	javanicus	Low
Product	pom	developer org	Karakun AG	Low
Product	pom	developer org	Leadingcare	Low
Product	pom	developer org	OCI, Australia	Low
Product	pom	developer org	The Werken Company	Low
Product	pom	developer org	The Wilson Partnership	Low
Product	pom	developer org	Thomson Reuters	Low
Product	pom	developer org	ThoughtWorks	Low
Product	pom	developer org	Three	Low
Product	pom	groupid	org.codehaus.groovy	Highest
Product	pom	name	Apache Groovy	High
Product	pom	organization name	Apache Software Foundation	Low
Product	pom	organization url	https://apache.org	Low
Product	pom	url	https://groovy-lang.org	Medium
Version	file	version	2.5.18	High
Version	Manifest	Bundle-Version	2.5.18	High
Version	Manifest	Implementation-Version	2.5.18	High
Version	pom	version	2.5.18	Highest

Identifiers

pkg:maven/org.codehaus.groovy/groovy@2.5.18 (Confidence:High)
cpe:2.3:a:apache:groovy:2.5.18:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-xml/2.5.18/groovy-xml-2.5.18.jar
MD5: f6c37df32d9c4837944d07f775f5d51e
SHA1: 42e42df001f431da9ca965495d56cdaad93a2f0b
SHA256:a474f0f15088281be9e94639be4c1aa873d40fdb8e540220f17c071ae1490673
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	groovy-xml	High
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	groovy	Highest
Vendor	jar	package name	xml	Highest
Vendor	Manifest	automatic-module-name	org.codehaus.groovy.xml	Medium
Vendor	Manifest	bundle-symbolicname	groovy-xml	Medium
Vendor	Manifest	eclipse-buddypolicy	dependent	Low
Vendor	Manifest	fragment-host	groovy	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	groovy-xml	Highest
Vendor	pom	artifactid	groovy-xml	Low
Vendor	pom	developer email	aalmiray@users.sourceforge.net	Low
Vendor	pom	developer email	b55r@sina.com	Low
Vendor	pom	developer email	blackdrag@gmx.org	Low
Vendor	pom	developer email	bob@werken.com	Low
Vendor	pom	developer email	cedric.champeau@gmail.com	Low
Vendor	pom	developer email	ckl@dacelo.nl	Low
Vendor	pom	developer email	cpoirier@dreaming.org	Low
Vendor	pom	developer email	goetze@dovetail.com	Low
Vendor	pom	developer email	guillaume.alleon@gmail.com	Low
Vendor	pom	developer email	hamletdrc@gmail.com	Low
Vendor	pom	developer email	james@coredevelopers.com	Low
Vendor	pom	developer email	jason@planet57.com	Low
Vendor	pom	developer email	jeremy.rayner@gmail.com	Low
Vendor	pom	developer email	jim@pagesmiths.com	Low
Vendor	pom	developer email	johnstump2@yahoo.com	Low
Vendor	pom	developer email	mguillemot@yahoo.fr	Low
Vendor	pom	developer email	paulk@asert.com.au	Low
Vendor	pom	developer email	phkim@cluecom.co.kr	Low
Vendor	pom	developer email	pniederw@gmail.com	Low
Vendor	pom	developer email	russel@winder.org.uk	Low
Vendor	pom	developer email	sam@sampullara.com	Low
Vendor	pom	developer email	sormuras@gmx.de	Low
Vendor	pom	developer email	tug@wilson.co.uk	Low
Vendor	pom	developer id	aalmiray	Medium
Vendor	pom	developer id	alextkachman	Medium
Vendor	pom	developer id	andresteingress	Medium
Vendor	pom	developer id	blackdrag	Medium
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	bran	Medium
Vendor	pom	developer id	ckl	Medium
Vendor	pom	developer id	cpoirier	Medium
Vendor	pom	developer id	cstein	Medium
Vendor	pom	developer id	emilles	Medium
Vendor	pom	developer id	galleon	Medium
Vendor	pom	developer id	glaforge	Medium
Vendor	pom	developer id	goetze	Medium
Vendor	pom	developer id	grocher	Medium
Vendor	pom	developer id	hamletdrc	Medium
Vendor	pom	developer id	jamiemc	Medium
Vendor	pom	developer id	jez	Medium
Vendor	pom	developer id	jimwhite	Medium
Vendor	pom	developer id	joe	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	jstump	Medium
Vendor	pom	developer id	jwill	Medium
Vendor	pom	developer id	jwilson	Medium
Vendor	pom	developer id	kasper	Medium
Vendor	pom	developer id	mattf	Medium
Vendor	pom	developer id	melix	Medium
Vendor	pom	developer id	mguillem	Medium
Vendor	pom	developer id	mittie	Medium
Vendor	pom	developer id	pascalschumacher	Medium
Vendor	pom	developer id	paulk	Medium
Vendor	pom	developer id	phk	Medium
Vendor	pom	developer id	pniederw	Medium
Vendor	pom	developer id	roshandawrani	Medium
Vendor	pom	developer id	rpopma	Medium
Vendor	pom	developer id	russel	Medium
Vendor	pom	developer id	shemnon	Medium
Vendor	pom	developer id	skizz	Medium
Vendor	pom	developer id	spullara	Medium
Vendor	pom	developer id	sunlan	Medium
Vendor	pom	developer id	timyates	Medium
Vendor	pom	developer id	travis	Medium
Vendor	pom	developer id	user57	Medium
Vendor	pom	developer id	zohar	Medium
Vendor	pom	developer name	Alex Tkachman	Medium
Vendor	pom	developer name	Andre Steingress	Medium
Vendor	pom	developer name	Andres Almiray	Medium
Vendor	pom	developer name	Bing Ran	Medium
Vendor	pom	developer name	bob mcwhirter	Medium
Vendor	pom	developer name	Cedric Champeau	Medium
Vendor	pom	developer name	Chris Poirier	Medium
Vendor	pom	developer name	Chris Stevenson	Medium
Vendor	pom	developer name	Christiaan ten Klooster	Medium
Vendor	pom	developer name	Christian Stein	Medium
Vendor	pom	developer name	Daniel Sun	Medium
Vendor	pom	developer name	Danno Ferrin	Medium
Vendor	pom	developer name	Dierk Koenig	Medium
Vendor	pom	developer name	Eric Milles	Medium
Vendor	pom	developer name	Graeme Rocher	Medium
Vendor	pom	developer name	Guillaume Alleon	Medium
Vendor	pom	developer name	Guillaume Laforge	Medium
Vendor	pom	developer name	Hamlet D'Arcy	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	James Williams	Medium
Vendor	pom	developer name	Jamie McCrindle	Medium
Vendor	pom	developer name	Jason Dillon	Medium
Vendor	pom	developer name	Jeremy Rayner	Medium
Vendor	pom	developer name	Jim White	Medium
Vendor	pom	developer name	Jochen Theodorou	Medium
Vendor	pom	developer name	Joe Walnes	Medium
Vendor	pom	developer name	John Stump	Medium
Vendor	pom	developer name	John Wilson	Medium
Vendor	pom	developer name	Kasper Nielsen	Medium
Vendor	pom	developer name	Marc Guillemot	Medium
Vendor	pom	developer name	Matt Foemmel	Medium
Vendor	pom	developer name	Pascal Schumacher	Medium
Vendor	pom	developer name	Paul King	Medium
Vendor	pom	developer name	Peter Niederwieser	Medium
Vendor	pom	developer name	Pilho Kim	Medium
Vendor	pom	developer name	Remko Popma	Medium
Vendor	pom	developer name	Roshan Dawrani	Medium
Vendor	pom	developer name	Russel Winder	Medium
Vendor	pom	developer name	Sam Pullara	Medium
Vendor	pom	developer name	Steve Goetze	Medium
Vendor	pom	developer name	Tim Yates	Medium
Vendor	pom	developer name	Travis Kay	Medium
Vendor	pom	developer name	Zohar Melamed	Medium
Vendor	pom	developer org	Concertant LLP & It'z Interactive Ltd	Medium
Vendor	pom	developer org	Core Developers Network	Medium
Vendor	pom	developer org	CTSR.de	Medium
Vendor	pom	developer org	Dacelo WebDevelopment	Medium
Vendor	pom	developer org	Dovetailed Technologies, LLC	Medium
Vendor	pom	developer org	Google	Medium
Vendor	pom	developer org	IFCX.org	Medium
Vendor	pom	developer org	javanicus	Medium
Vendor	pom	developer org	Karakun AG	Medium
Vendor	pom	developer org	Leadingcare	Medium
Vendor	pom	developer org	OCI, Australia	Medium
Vendor	pom	developer org	The Werken Company	Medium
Vendor	pom	developer org	The Wilson Partnership	Medium
Vendor	pom	developer org	Thomson Reuters	Medium
Vendor	pom	developer org	ThoughtWorks	Medium
Vendor	pom	developer org	Three	Medium
Vendor	pom	groupid	org.codehaus.groovy	Highest
Vendor	pom	name	Apache Groovy	High
Vendor	pom	organization name	Apache Software Foundation	High
Vendor	pom	organization url	https://apache.org	Medium
Vendor	pom	url	https://groovy-lang.org	Highest
Product	file	name	groovy-xml	High
Product	jar	package name	codehaus	Highest
Product	jar	package name	groovy	Highest
Product	jar	package name	xml	Highest
Product	Manifest	automatic-module-name	org.codehaus.groovy.xml	Medium
Product	Manifest	bundle-symbolicname	groovy-xml	Medium
Product	Manifest	eclipse-buddypolicy	dependent	Low
Product	Manifest	fragment-host	groovy	Low
Product	Manifest	Implementation-Title	Groovy: a powerful, dynamic language for the JVM	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Groovy: a powerful, dynamic language for the JVM	Medium
Product	pom	artifactid	groovy-xml	Highest
Product	pom	developer email	aalmiray@users.sourceforge.net	Low
Product	pom	developer email	b55r@sina.com	Low
Product	pom	developer email	blackdrag@gmx.org	Low
Product	pom	developer email	bob@werken.com	Low
Product	pom	developer email	cedric.champeau@gmail.com	Low
Product	pom	developer email	ckl@dacelo.nl	Low
Product	pom	developer email	cpoirier@dreaming.org	Low
Product	pom	developer email	goetze@dovetail.com	Low
Product	pom	developer email	guillaume.alleon@gmail.com	Low
Product	pom	developer email	hamletdrc@gmail.com	Low
Product	pom	developer email	james@coredevelopers.com	Low
Product	pom	developer email	jason@planet57.com	Low
Product	pom	developer email	jeremy.rayner@gmail.com	Low
Product	pom	developer email	jim@pagesmiths.com	Low
Product	pom	developer email	johnstump2@yahoo.com	Low
Product	pom	developer email	mguillemot@yahoo.fr	Low
Product	pom	developer email	paulk@asert.com.au	Low
Product	pom	developer email	phkim@cluecom.co.kr	Low
Product	pom	developer email	pniederw@gmail.com	Low
Product	pom	developer email	russel@winder.org.uk	Low
Product	pom	developer email	sam@sampullara.com	Low
Product	pom	developer email	sormuras@gmx.de	Low
Product	pom	developer email	tug@wilson.co.uk	Low
Product	pom	developer id	aalmiray	Low
Product	pom	developer id	alextkachman	Low
Product	pom	developer id	andresteingress	Low
Product	pom	developer id	blackdrag	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	bran	Low
Product	pom	developer id	ckl	Low
Product	pom	developer id	cpoirier	Low
Product	pom	developer id	cstein	Low
Product	pom	developer id	emilles	Low
Product	pom	developer id	galleon	Low
Product	pom	developer id	glaforge	Low
Product	pom	developer id	goetze	Low
Product	pom	developer id	grocher	Low
Product	pom	developer id	hamletdrc	Low
Product	pom	developer id	jamiemc	Low
Product	pom	developer id	jez	Low
Product	pom	developer id	jimwhite	Low
Product	pom	developer id	joe	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	jstump	Low
Product	pom	developer id	jwill	Low
Product	pom	developer id	jwilson	Low
Product	pom	developer id	kasper	Low
Product	pom	developer id	mattf	Low
Product	pom	developer id	melix	Low
Product	pom	developer id	mguillem	Low
Product	pom	developer id	mittie	Low
Product	pom	developer id	pascalschumacher	Low
Product	pom	developer id	paulk	Low
Product	pom	developer id	phk	Low
Product	pom	developer id	pniederw	Low
Product	pom	developer id	roshandawrani	Low
Product	pom	developer id	rpopma	Low
Product	pom	developer id	russel	Low
Product	pom	developer id	shemnon	Low
Product	pom	developer id	skizz	Low
Product	pom	developer id	spullara	Low
Product	pom	developer id	sunlan	Low
Product	pom	developer id	timyates	Low
Product	pom	developer id	travis	Low
Product	pom	developer id	user57	Low
Product	pom	developer id	zohar	Low
Product	pom	developer name	Alex Tkachman	Low
Product	pom	developer name	Andre Steingress	Low
Product	pom	developer name	Andres Almiray	Low
Product	pom	developer name	Bing Ran	Low
Product	pom	developer name	bob mcwhirter	Low
Product	pom	developer name	Cedric Champeau	Low
Product	pom	developer name	Chris Poirier	Low
Product	pom	developer name	Chris Stevenson	Low
Product	pom	developer name	Christiaan ten Klooster	Low
Product	pom	developer name	Christian Stein	Low
Product	pom	developer name	Daniel Sun	Low
Product	pom	developer name	Danno Ferrin	Low
Product	pom	developer name	Dierk Koenig	Low
Product	pom	developer name	Eric Milles	Low
Product	pom	developer name	Graeme Rocher	Low
Product	pom	developer name	Guillaume Alleon	Low
Product	pom	developer name	Guillaume Laforge	Low
Product	pom	developer name	Hamlet D'Arcy	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	James Williams	Low
Product	pom	developer name	Jamie McCrindle	Low
Product	pom	developer name	Jason Dillon	Low
Product	pom	developer name	Jeremy Rayner	Low
Product	pom	developer name	Jim White	Low
Product	pom	developer name	Jochen Theodorou	Low
Product	pom	developer name	Joe Walnes	Low
Product	pom	developer name	John Stump	Low
Product	pom	developer name	John Wilson	Low
Product	pom	developer name	Kasper Nielsen	Low
Product	pom	developer name	Marc Guillemot	Low
Product	pom	developer name	Matt Foemmel	Low
Product	pom	developer name	Pascal Schumacher	Low
Product	pom	developer name	Paul King	Low
Product	pom	developer name	Peter Niederwieser	Low
Product	pom	developer name	Pilho Kim	Low
Product	pom	developer name	Remko Popma	Low
Product	pom	developer name	Roshan Dawrani	Low
Product	pom	developer name	Russel Winder	Low
Product	pom	developer name	Sam Pullara	Low
Product	pom	developer name	Steve Goetze	Low
Product	pom	developer name	Tim Yates	Low
Product	pom	developer name	Travis Kay	Low
Product	pom	developer name	Zohar Melamed	Low
Product	pom	developer org	Concertant LLP & It'z Interactive Ltd	Low
Product	pom	developer org	Core Developers Network	Low
Product	pom	developer org	CTSR.de	Low
Product	pom	developer org	Dacelo WebDevelopment	Low
Product	pom	developer org	Dovetailed Technologies, LLC	Low
Product	pom	developer org	Google	Low
Product	pom	developer org	IFCX.org	Low
Product	pom	developer org	javanicus	Low
Product	pom	developer org	Karakun AG	Low
Product	pom	developer org	Leadingcare	Low
Product	pom	developer org	OCI, Australia	Low
Product	pom	developer org	The Werken Company	Low
Product	pom	developer org	The Wilson Partnership	Low
Product	pom	developer org	Thomson Reuters	Low
Product	pom	developer org	ThoughtWorks	Low
Product	pom	developer org	Three	Low
Product	pom	groupid	org.codehaus.groovy	Highest
Product	pom	name	Apache Groovy	High
Product	pom	organization name	Apache Software Foundation	Low
Product	pom	organization url	https://apache.org	Low
Product	pom	url	https://groovy-lang.org	Medium
Version	file	version	2.5.18	High
Version	Manifest	Bundle-Version	2.5.18	High
Version	Manifest	Implementation-Version	2.5.18	High
Version	pom	version	2.5.18	Highest

Related Dependencies

groovy-cli-picocli-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-cli-picocli/2.5.18/groovy-cli-picocli-2.5.18.jar
- MD5: 9e2881fd02755e2dca877af20be272af
- SHA1: b630c15141f09a034d80e2b419e77f93a58febed
- SHA256: ce99225534b8ebfd8ceba00ff18ce84a40144da38a92b3e6f36c96602302d090
- pkg:maven/org.codehaus.groovy/groovy-cli-picocli@2.5.18
groovy-console-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-console/2.5.18/groovy-console-2.5.18.jar
- MD5: adeefc339808d50a5c6d5500421549fc
- SHA1: 724e91113829e73a87c3931279705e54fa896796
- SHA256: c81c73a5b3b6906122072d8478de8795d07f4df6b47290e59bdccf9bf05bbff4
- pkg:maven/org.codehaus.groovy/groovy-console@2.5.18
groovy-groovysh-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-groovysh/2.5.18/groovy-groovysh-2.5.18.jar
- MD5: 887c33764a5479be42e0114b27ecd488
- SHA1: 22aaf5e1849bf2ac6a1f36b5528040bff3e5fee8
- SHA256: 02328ed516035a31eb8061e50e8ebfb883b557d5a2baed3deb45abc174e54333
- pkg:maven/org.codehaus.groovy/groovy-groovysh@2.5.18
groovy-jsr223-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-jsr223/2.5.18/groovy-jsr223-2.5.18.jar
- MD5: 9181a6a9b721051d840be820a001de0e
- SHA1: e65d3c2c32352583939adb7a16e8802626f8899a
- SHA256: 2a5d25d90b89a22cbeeb83495c4d6b7cd76ac75f4078beb841a6732258a92a26
- pkg:maven/org.codehaus.groovy/groovy-jsr223@2.5.18
groovy-swing-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-swing/2.5.18/groovy-swing-2.5.18.jar
- MD5: 9dd23e929a171e2fa656224ab5d64367
- SHA1: 4a98d780762efe1fbc777d353a3406b1cbe884ec
- SHA256: 41f51592241acb04d97ef3c62827b8eff8a747cec34fd7419adca62816aec862
- pkg:maven/org.codehaus.groovy/groovy-swing@2.5.18
groovy-templates-2.5.18.jar
- File Path: /home/grprdist/.m2/repository/org/codehaus/groovy/groovy-templates/2.5.18/groovy-templates-2.5.18.jar
- MD5: ec20cce24dc773f21594406c8257f6d7
- SHA1: fc465a955137ff128fa41ec2d9d371c799b2c041
- SHA256: 769644776fe2be28dfc2e21d34ad3af41667b7f7e18db00e28bcb7b76b46e25f
- pkg:maven/org.codehaus.groovy/groovy-templates@2.5.18

Identifiers

pkg:maven/org.codehaus.groovy/groovy-xml@2.5.18 (Confidence:High)
cpe:2.3:a:apache:groovy:2.5.18:*:*:*:*:*:*:* (Confidence:High)

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has only one code dependency - javax.annotation,
    per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
MD5: 947641f6bb535b1d942d1bc387c45290
SHA1: cce0823396aa693798f8882e64213b1772032b09
SHA256:d664fbfc03d2e5ce9cab2a44fb01f1d0bf9dfebeccc1a473b1f9ea31f79f6f99
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	guava	High
Vendor	jar	package name	google	Highest
Vendor	Manifest	bundle-docurl	https://guava-libraries.googlecode.com/	Low
Vendor	Manifest	bundle-symbolicname	com.google.guava	Medium
Vendor	pom	artifactid	guava	Highest
Vendor	pom	artifactid	guava	Low
Vendor	pom	groupid	com.google.guava	Highest
Vendor	pom	name	Guava: Google Core Libraries for Java	High
Vendor	pom	parent-artifactid	guava-parent	Low
Product	file	name	guava	High
Product	jar	package name	google	Highest
Product	Manifest	bundle-docurl	https://guava-libraries.googlecode.com/	Low
Product	Manifest	Bundle-Name	Guava: Google Core Libraries for Java	Medium
Product	Manifest	bundle-symbolicname	com.google.guava	Medium
Product	pom	artifactid	guava	Highest
Product	pom	groupid	com.google.guava	Highest
Product	pom	name	Guava: Google Core Libraries for Java	High
Product	pom	parent-artifactid	guava-parent	Medium
Version	file	version	18.0	High
Version	pom	version	18.0	Highest

Identifiers

pkg:maven/com.google.guava/guava@18.0 (Confidence:High)
cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8908

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:

Base Score: LOW (2.1)
Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: LOW (3.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

Common reflection code used in support of annotation processing

License:

GNU Library General Public License v2.1 or later: http://www.opensource.org/licenses/LGPL-2.1

File Path: /home/grprdist/.m2/repository/org/hibernate/common/hibernate-commons-annotations/5.1.2.Final/hibernate-commons-annotations-5.1.2.Final.jar
MD5: 2a2490b3eb8e7585a6a899d27d7ed43f
SHA1: e59ffdbc6ad09eeb33507b39ffcf287679a498c8
SHA256:1c7ce712b2679fea0a5441eb02a04144297125b768944819be0765befb996275
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hibernate-commons-annotations	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	common	Highest
Vendor	jar	package name	hibernate	Highest
Vendor	jar	package name	reflection	Highest
Vendor	Manifest	automatic-module-name	org.hibernate.commons.annotations	Medium
Vendor	Manifest	bundle-symbolicname	org.hibernate.common.hibernate-commons-annotations	Medium
Vendor	Manifest	implementation-url	http://hibernate.org	Low
Vendor	Manifest	Implementation-Vendor	Hibernate.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.hibernate	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	hibernate-commons-annotations	Highest
Vendor	pom	artifactid	hibernate-commons-annotations	Low
Vendor	pom	developer id	hibernate-team	Medium
Vendor	pom	developer name	The Hibernate Development Team	Medium
Vendor	pom	developer org	Hibernate.org	Medium
Vendor	pom	developer org URL	http://hibernate.org	Medium
Vendor	pom	groupid	org.hibernate.common	Highest
Vendor	pom	name	Hibernate Commons Annotations	High
Vendor	pom	organization name	Hibernate.org	High
Vendor	pom	organization url	http://hibernate.org	Medium
Vendor	pom	url	http://hibernate.org	Highest
Product	file	name	hibernate-commons-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	common	Highest
Product	jar	package name	hibernate	Highest
Product	jar	package name	reflection	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.hibernate.commons.annotations	Medium
Product	Manifest	Bundle-Name	hibernate-commons-annotations	Medium
Product	Manifest	bundle-symbolicname	org.hibernate.common.hibernate-commons-annotations	Medium
Product	Manifest	implementation-url	http://hibernate.org	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	hibernate-commons-annotations	Highest
Product	pom	developer id	hibernate-team	Low
Product	pom	developer name	The Hibernate Development Team	Low
Product	pom	developer org	Hibernate.org	Low
Product	pom	developer org URL	http://hibernate.org	Low
Product	pom	groupid	org.hibernate.common	Highest
Product	pom	name	Hibernate Commons Annotations	High
Product	pom	organization name	Hibernate.org	Low
Product	pom	organization url	http://hibernate.org	Low
Product	pom	url	http://hibernate.org	Medium
Version	Manifest	Bundle-Version	5.1.2.Final	High
Version	Manifest	Implementation-Version	5.1.2.Final	High
Version	pom	version	5.1.2.Final	Highest

Identifiers

pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final (Confidence:High)

Description:

Hibernate's core ORM functionality

License:

GNU Library General Public License v2.1 or later: https://www.opensource.org/licenses/LGPL-2.1

File Path: /home/grprdist/.m2/repository/org/hibernate/hibernate-core/5.6.10.Final/hibernate-core-5.6.10.Final.jar
MD5: 9c4f43fc5936b6d6555ff6ece7865220
SHA1: 408fd5802391d8e6f619db9d7c6c0e27d49118c2
SHA256:ed3693a0ae288dafff6155b03b7d743fdb9c9f432de37d7b894f44d92e3a85c4
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hibernate-core	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	hibernate	Highest
Vendor	Manifest	automatic-module-name	org.hibernate.orm.core	Medium
Vendor	Manifest	bundle-docurl	https://hibernate.org/orm/5.6	Low
Vendor	Manifest	bundle-symbolicname	org.hibernate.orm.core	Medium
Vendor	Manifest	implementation-url	https://hibernate.org/orm	Low
Vendor	Manifest	Implementation-Vendor	Hibernate.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.hibernate	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Hibernate.org	Low
Vendor	pom	artifactid	hibernate-core	Highest
Vendor	pom	artifactid	hibernate-core	Low
Vendor	pom	developer id	hibernate-team	Medium
Vendor	pom	developer name	The Hibernate Development Team	Medium
Vendor	pom	developer org	Hibernate.org	Medium
Vendor	pom	developer org URL	https://hibernate.org	Medium
Vendor	pom	groupid	org.hibernate	Highest
Vendor	pom	name	Hibernate ORM - hibernate-core	High
Vendor	pom	organization name	Hibernate.org	High
Vendor	pom	organization url	https://hibernate.org	Medium
Vendor	pom	url	https://hibernate.org/orm	Highest
Product	file	name	hibernate-core	High
Product	hint analyzer	product	orm	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	hibernate	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.hibernate.orm.core	Medium
Product	Manifest	bundle-docurl	https://hibernate.org/orm/5.6	Low
Product	Manifest	Bundle-Name	hibernate-core	Medium
Product	Manifest	bundle-symbolicname	org.hibernate.orm.core	Medium
Product	Manifest	Implementation-Title	hibernate-core	High
Product	Manifest	implementation-url	https://hibernate.org/orm	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	hibernate-core	Medium
Product	pom	artifactid	hibernate-core	Highest
Product	pom	developer id	hibernate-team	Low
Product	pom	developer name	The Hibernate Development Team	Low
Product	pom	developer org	Hibernate.org	Low
Product	pom	developer org URL	https://hibernate.org	Low
Product	pom	groupid	org.hibernate	Highest
Product	pom	name	Hibernate ORM - hibernate-core	High
Product	pom	organization name	Hibernate.org	Low
Product	pom	organization url	https://hibernate.org	Low
Product	pom	url	https://hibernate.org/orm	Medium
Version	Manifest	Bundle-Version	5.6.10.Final	High
Version	Manifest	Implementation-Version	5.6.10.Final	High
Version	pom	version	5.6.10.Final	Highest

Related Dependencies

Identifiers

pkg:maven/org.hibernate/hibernate-core@5.6.10.Final (Confidence:High)
cpe:2.3:a:hibernate:hibernate_orm:5.6.10:*:*:*:*:*:*:* (Confidence:Low)

Description:

${project.name}

License:

http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/hk2/hk2-api/2.6.1/hk2-api-2.6.1.jar
MD5: 23e8c18dae0c7b776bed756763d5153f
SHA1: 114bd7afb4a1bd9993527f52a08a252b5d2acac5
SHA256:c2cb80a01e58440ae57d5ee59af4d4d94e5180e04aff112b0cb611c07d61e773
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hk2-api	High
Vendor	jar	package name	api	Highest
Vendor	jar	package name	glassfish	Highest
Vendor	jar	package name	hk2	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.hk2.api	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	hk2-api	Highest
Vendor	pom	artifactid	hk2-api	Low
Vendor	pom	groupid	org.glassfish.hk2	Highest
Vendor	pom	name	HK2 API module	High
Vendor	pom	parent-artifactid	hk2-parent	Low
Product	file	name	hk2-api	High
Product	jar	package name	api	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	glassfish	Highest
Product	jar	package name	hk2	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	HK2 API module	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.hk2.api	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	hk2-api	Highest
Product	pom	groupid	org.glassfish.hk2	Highest
Product	pom	name	HK2 API module	High
Product	pom	parent-artifactid	hk2-parent	Medium
Version	file	version	2.6.1	High
Version	Manifest	Bundle-Version	2.6.1	High
Version	pom	version	2.6.1	Highest

Identifiers

pkg:maven/org.glassfish.hk2/hk2-api@2.6.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.6.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

${project.name}

License:

http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/hk2/hk2-locator/2.6.1/hk2-locator-2.6.1.jar
MD5: dfd358720393d83b01747928db6e3912
SHA1: 9dedf9d2022e38ec0743ed44c1ac94ad6149acdd
SHA256:febc668deb9f2000c76bd4918d8086c0a4c74d07bd0c60486b72c6bd38b62874
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hk2-locator	High
Vendor	jar	package name	hk2	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.hk2.locator	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	hk2-locator	Highest
Vendor	pom	artifactid	hk2-locator	Low
Vendor	pom	groupid	org.glassfish.hk2	Highest
Vendor	pom	name	ServiceLocator Default Implementation	High
Vendor	pom	parent-artifactid	hk2-parent	Low
Product	file	name	hk2-locator	High
Product	jar	package name	hk2	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	ServiceLocator Default Implementation	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.hk2.locator	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	hk2-locator	Highest
Product	pom	groupid	org.glassfish.hk2	Highest
Product	pom	name	ServiceLocator Default Implementation	High
Product	pom	parent-artifactid	hk2-parent	Medium
Version	file	version	2.6.1	High
Version	Manifest	Bundle-Version	2.6.1	High
Version	pom	version	2.6.1	Highest

Identifiers

pkg:maven/org.glassfish.hk2/hk2-locator@2.6.1 (Confidence:High)
cpe:2.3:a:service_project:service:2.6.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

${project.name}

License:

http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/hk2/hk2-utils/2.6.1/hk2-utils-2.6.1.jar
MD5: 75ccb55538a77bf878996497ffeb86f3
SHA1: 396513aa96c1d5a10aa4f75c4dcbf259a698d62d
SHA256:30727f79086452fdefdab08451d982c2082aa239d9f75cdeb1ba271e3c887036
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	hk2-utils	High
Vendor	jar	package name	glassfish	Highest
Vendor	jar	package name	hk2	Highest
Vendor	jar	package name	utilities	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.hk2.utils	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	service	foo	Low
Vendor	pom	artifactid	hk2-utils	Highest
Vendor	pom	artifactid	hk2-utils	Low
Vendor	pom	groupid	org.glassfish.hk2	Highest
Vendor	pom	name	HK2 Implementation Utilities	High
Vendor	pom	parent-artifactid	hk2-parent	Low
Product	file	name	hk2-utils	High
Product	jar	package name	glassfish	Highest
Product	jar	package name	hk2	Highest
Product	jar	package name	utilities	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	HK2 Implementation Utilities	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.hk2.utils	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	service	foo	Low
Product	pom	artifactid	hk2-utils	Highest
Product	pom	groupid	org.glassfish.hk2	Highest
Product	pom	name	HK2 Implementation Utilities	High
Product	pom	parent-artifactid	hk2-parent	Medium
Version	file	version	2.6.1	High
Version	Manifest	Bundle-Version	2.6.1	High
Version	pom	version	2.6.1	Highest

Identifiers

pkg:maven/org.glassfish.hk2/hk2-utils@2.6.1 (Confidence:High)
cpe:2.3:a:utils_project:utils:2.6.1:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-4277

A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.

CWE-330 Use of Insufficiently Random Values

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:utils_project:utils:*:*:*:*:*:*:*:* versions up to (excluding) 2021-05-14

Description:

   Apache HttpComponents Client

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpclient	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	client	Highest
Vendor	jar	package name	httpclient	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	httpclient	Highest
Vendor	pom	artifactid	httpclient	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpClient	High
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Product	file	name	httpclient	High
Product	jar	package name	apache	Highest
Product	jar	package name	client	Highest
Product	jar	package name	http	Highest
Product	jar	package name	httpclient	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpclient	Medium
Product	Manifest	Implementation-Title	Apache HttpClient	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	Manifest	specification-title	Apache HttpClient	Medium
Product	pom	artifactid	httpclient	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient	High
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Version	file	version	4.5.13	High
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpclient@4.5.13 (Confidence:High)
cpe:2.3:a:apache:httpclient:4.5.13:*:*:*:*:*:*:* (Confidence:Highest)

Description:

   Apache HttpComponents Core (blocking I/O)

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256:f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpcore	High
Vendor	jar	package name	apache	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Vendor	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Vendor	pom	artifactid	httpcore	Highest
Vendor	pom	artifactid	httpcore	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpCore	High
Vendor	pom	parent-artifactid	httpcomponents-core	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-core-ga	Highest
Product	file	name	httpcore	High
Product	jar	package name	apache	Highest
Product	jar	package name	http	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpcore	Medium
Product	Manifest	implementation-build	${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000	Low
Product	Manifest	Implementation-Title	HttpComponents Apache HttpCore	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	Manifest	specification-title	HttpComponents Apache HttpCore	Medium
Product	Manifest	url	http://hc.apache.org/httpcomponents-core-ga	Low
Product	pom	artifactid	httpcore	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpCore	High
Product	pom	parent-artifactid	httpcomponents-core	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-core-ga	Medium
Version	file	version	4.4.14	High
Version	Manifest	Implementation-Version	4.4.14	High
Version	pom	version	4.4.14	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpcore@4.4.14 (Confidence:High)

Description:

   Apache HttpComponents HttpClient - MIME coded entities

File Path: /home/grprdist/.m2/repository/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar
MD5: 3f0c1ef2c9dc47b62b780192f54b0c18
SHA1: efc110bad4a0d45cda7858e6beee1d8a8313da5a
SHA256:06e754d99245b98dcc2860dcb43d20e737d650da2bf2077a105f68accbd5c5cc
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	httpmime	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	mime	Highest
Vendor	Manifest	automatic-module-name	org.apache.httpcomponents.httpmime	Medium
Vendor	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.httpcomponents	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	httpmime	Highest
Vendor	pom	artifactid	httpmime	Low
Vendor	pom	groupid	org.apache.httpcomponents	Highest
Vendor	pom	name	Apache HttpClient Mime	High
Vendor	pom	parent-artifactid	httpcomponents-client	Low
Vendor	pom	url	http://hc.apache.org/httpcomponents-client	Highest
Product	file	name	httpmime	High
Product	jar	package name	apache	Highest
Product	jar	package name	http	Highest
Product	jar	package name	mime	Highest
Product	Manifest	automatic-module-name	org.apache.httpcomponents.httpmime	Medium
Product	Manifest	Implementation-Title	Apache HttpClient Mime	High
Product	Manifest	implementation-url	http://hc.apache.org/httpcomponents-client	Low
Product	Manifest	specification-title	Apache HttpClient Mime	Medium
Product	pom	artifactid	httpmime	Highest
Product	pom	groupid	org.apache.httpcomponents	Highest
Product	pom	name	Apache HttpClient Mime	High
Product	pom	parent-artifactid	httpcomponents-client	Medium
Product	pom	url	http://hc.apache.org/httpcomponents-client	Medium
Version	file	version	4.5.13	High
Version	Manifest	Implementation-Version	4.5.13	High
Version	pom	version	4.5.13	Highest

Identifiers

pkg:maven/org.apache.httpcomponents/httpmime@4.5.13 (Confidence:High)

Description:

    A Java implementation of the Amazon Ion data notation.

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/software/amazon/ion/ion-java/1.0.2/ion-java-1.0.2.jar
MD5: 3f07f5df418af9ea2ebe80c3d6eccac4
SHA1: ee9dacea7726e495f8352b81c12c23834ffbc564
SHA256:0d127b205a1fce0abc2a3757a041748651bc66c15cf4c059bac5833b27d471a5
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ion-java	High
Vendor	jar	package name	amazon	Highest
Vendor	jar	package name	ion	Highest
Vendor	jar	package name	software	Highest
Vendor	Manifest	bundle-symbolicname	software.amazon.ion.java	Medium
Vendor	Manifest	ion-java-build-time	2017-02-07T23:59:25Z	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	pom	artifactid	ion-java	Highest
Vendor	pom	artifactid	ion-java	Low
Vendor	pom	developer email	ion-team@amazon.com	Low
Vendor	pom	developer name	Amazon Ion Team	Medium
Vendor	pom	developer org	Amazon Labs	Medium
Vendor	pom	developer org URL	https://github.com/amznlabs	Medium
Vendor	pom	groupid	software.amazon.ion	Highest
Vendor	pom	url	amznlabs/ion-java/	Highest
Product	file	name	ion-java	High
Product	jar	package name	amazon	Highest
Product	jar	package name	ion	Highest
Product	jar	package name	software	Highest
Product	Manifest	Bundle-Name	software.amazon.ion:ion-java	Medium
Product	Manifest	bundle-symbolicname	software.amazon.ion.java	Medium
Product	Manifest	ion-java-build-time	2017-02-07T23:59:25Z	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	pom	artifactid	ion-java	Highest
Product	pom	developer email	ion-team@amazon.com	Low
Product	pom	developer name	Amazon Ion Team	Low
Product	pom	developer org	Amazon Labs	Low
Product	pom	developer org URL	https://github.com/amznlabs	Low
Product	pom	groupid	software.amazon.ion	Highest
Product	pom	url	amznlabs/ion-java/	High
Version	file	version	1.0.2	High
Version	Manifest	Bundle-Version	1.0.2	High
Version	Manifest	ion-java-project-version	1.0.2	Medium
Version	pom	version	1.0.2	Highest

Identifiers

pkg:maven/software.amazon.ion/ion-java@1.0.2 (Confidence:High)

Description:

istack common utility code

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html, https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/com/sun/istack/istack-commons-runtime/3.0.7/istack-commons-runtime-3.0.7.jar
MD5: 83e9617b86023b91bd54f65c09838f4b
SHA1: c197c86ceec7318b1284bffb49b54226ca774003
SHA256:6443e10ba2e259fb821d9b6becf10db5316285fc30c53cec9d7b19a3877e7fdf
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	istack-commons-runtime	High
Vendor	jar	package name	istack	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com/	Low
Vendor	Manifest	bundle-symbolicname	com.sun.istack.commons-runtime	Medium
Vendor	Manifest	implementation-build-id	3.0.7-c8b5e20894f565780625d6f9b018ef7c458cd688, 2018-08-29T05:23:37-0700	Low
Vendor	Manifest	Implementation-Vendor	Oracle Corporation	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun.istack	Medium
Vendor	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	istack-commons-runtime	Highest
Vendor	pom	artifactid	istack-commons-runtime	Low
Vendor	pom	groupid	com.sun.istack	Highest
Vendor	pom	name	istack common utility code runtime	High
Vendor	pom	parent-artifactid	istack-commons	Low
Product	file	name	istack-commons-runtime	High
Product	jar	package name	istack	Highest
Product	jar	package name	sun	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com/	Low
Product	Manifest	Bundle-Name	istack common utility code runtime	Medium
Product	Manifest	bundle-symbolicname	com.sun.istack.commons-runtime	Medium
Product	Manifest	implementation-build-id	3.0.7-c8b5e20894f565780625d6f9b018ef7c458cd688, 2018-08-29T05:23:37-0700	Low
Product	Manifest	Implementation-Title	istack common utility code runtime	High
Product	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	pom	artifactid	istack-commons-runtime	Highest
Product	pom	groupid	com.sun.istack	Highest
Product	pom	name	istack common utility code runtime	High
Product	pom	parent-artifactid	istack-commons	Medium
Version	file	version	3.0.7	High
Version	Manifest	Bundle-Version	3.0.7	High
Version	Manifest	Implementation-Version	3.0.7	High
Version	pom	version	3.0.7	Highest

Identifiers

pkg:maven/com.sun.istack/istack-commons-runtime@3.0.7 (Confidence:High)
cpe:2.3:a:apache:commons_net:3.0.7:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:oracle:java_se:3.0.7:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.13.3/jackson-annotations-2.13.3.jar
MD5: 3fb8ee542a62a113fa7474fe88bb97e8
SHA1: 7198b3aac15285a49e218e08441c5f70af00fc51
SHA256:5326a6fbcde7cf8817f36c254101cd45f6acea4258518cd3c80ee5b89f4e4b9b
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-annotations	High
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	http://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Vendor	Manifest	implementation-build-date	2022-05-14 14:27:37+0000	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-annotations	Highest
Vendor	pom	artifactid	jackson-annotations	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-annotations	High
Vendor	pom	parent-artifactid	jackson-parent	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	http://github.com/FasterXML/jackson	Highest
Product	file	name	jackson-annotations	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	http://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	Jackson-annotations	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Product	Manifest	implementation-build-date	2022-05-14 14:27:37+0000	Low
Product	Manifest	Implementation-Title	Jackson-annotations	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Jackson-annotations	Medium
Product	pom	artifactid	jackson-annotations	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-annotations	High
Product	pom	parent-artifactid	jackson-parent	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	http://github.com/FasterXML/jackson	Medium
Version	file	version	2.13.3	High
Version	Manifest	Bundle-Version	2.13.3	High
Version	Manifest	Implementation-Version	2.13.3	High
Version	pom	parent-version	2.13.3	Low
Version	pom	version	2.13.3	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.3 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.13.3:*:*:*:*:*:*:* (Confidence:Low)

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.9.0/jackson-annotations-2.9.0.jar
MD5: c09faa1b063681cf45706c6df50685b6
SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
SHA256:45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-annotations	High
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	bundle-docurl	http://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Vendor	Manifest	implementation-build-date	2017-07-30 03:53:23+0000	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-annotations	Highest
Vendor	pom	artifactid	jackson-annotations	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-annotations	High
Vendor	pom	parent-artifactid	jackson-parent	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	http://github.com/FasterXML/jackson	Highest
Product	file	name	jackson-annotations	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	bundle-docurl	http://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	Jackson-annotations	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Product	Manifest	implementation-build-date	2017-07-30 03:53:23+0000	Low
Product	Manifest	Implementation-Title	Jackson-annotations	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Jackson-annotations	Medium
Product	pom	artifactid	jackson-annotations	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-annotations	High
Product	pom	parent-artifactid	jackson-parent	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	http://github.com/FasterXML/jackson	Medium
Version	file	version	2.9.0	High
Version	Manifest	Bundle-Version	2.9.0	High
Version	Manifest	Implementation-Version	2.9.0	High
Version	pom	version	2.9.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.9.0:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2018-1000873

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.0/jackson-core-2.14.0.jar
MD5: 88988c4b941b1f4c6637af5218b26f87
SHA1: 49d219171d6af643e061e9e1baaaf6a6a067918d
SHA256:ab4793e5df4fbfae445ca55e9e1439311c80fa8b34fc13162c1260902b4dbea0
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-core	High
Vendor	jar	package name	base	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	json	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-core	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-core	Highest
Vendor	pom	artifactid	jackson-core	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-core	High
Vendor	pom	parent-artifactid	jackson-base	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson-core	Highest
Product	file	name	jackson-core	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	base	Highest
Product	jar	package name	core	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	json	Highest
Product	jar	package name	version	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-core	Low
Product	Manifest	Bundle-Name	Jackson-core	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Product	Manifest	Implementation-Title	Jackson-core	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Jackson-core	Medium
Product	pom	artifactid	jackson-core	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	Jackson-core	High
Product	pom	parent-artifactid	jackson-base	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson-core	High
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Related Dependencies

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:*:*:*:*:*:*:* (Confidence:Low)

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.14.0/jackson-databind-2.14.0.jar
MD5: f94ffc53b4062cae1f383a4482593020
SHA1: 513b8ca3fea0352ceebe4d0bbeea527ab343dc1a
SHA256:54377fa855f52ed87e8f689b35249971840b16870dee76806d5d200cbcd66f27
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-databind	High
Vendor	jar	package name	databind	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-databind	Highest
Vendor	pom	artifactid	jackson-databind	Low
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	jackson-databind	High
Vendor	pom	parent-artifactid	jackson-base	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	FasterXML/jackson	Highest
Product	file	name	jackson-databind	High
Product	hint analyzer	product	java8	Highest
Product	hint analyzer	product	modules	Highest
Product	jar	package name	databind	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson	Low
Product	Manifest	Bundle-Name	jackson-databind	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Product	Manifest	Implementation-Title	jackson-databind	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	jackson-databind	Medium
Product	pom	artifactid	jackson-databind	Highest
Product	pom	groupid	com.fasterxml.jackson.core	Highest
Product	pom	name	jackson-databind	High
Product	pom	parent-artifactid	jackson-base	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	FasterXML/jackson	High
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-databind:2.14.0:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.0:*:*:*:*:*:*:* (Confidence:Low)

Description:

Support for reading and writing Concise Binary Object Representation
([CBOR](https://www.rfc-editor.org/info/rfc7049)
encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.12.6/jackson-dataformat-cbor-2.12.6.jar
MD5: 2bef08f2597473f39e4d9c9de01d3dde
SHA1: 3cd2e6a538f73483c6c59c354ce2276bcdc5ba7b
SHA256:cfa008d15f052e69221e8c3193056ff95c3c594271321ccac8d72dc1a770619c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-dataformat-cbor	High
Vendor	jar	package name	cbor	Highest
Vendor	jar	package name	dataformat	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	http://github.com/FasterXML/jackson-dataformats-binary	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.dataformat.jackson-dataformat-cbor	Medium
Vendor	Manifest	implementation-build-date	2021-12-15 04:37:17+0000	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.dataformat	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-dataformat-cbor	Highest
Vendor	pom	artifactid	jackson-dataformat-cbor	Low
Vendor	pom	groupid	com.fasterxml.jackson.dataformat	Highest
Vendor	pom	name	Jackson dataformat: CBOR	High
Vendor	pom	parent-artifactid	jackson-dataformats-binary	Low
Vendor	pom	url	http://github.com/FasterXML/jackson-dataformats-binary	Highest
Product	file	name	jackson-dataformat-cbor	High
Product	jar	package name	cbor	Highest
Product	jar	package name	dataformat	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	http://github.com/FasterXML/jackson-dataformats-binary	Low
Product	Manifest	Bundle-Name	Jackson dataformat: CBOR	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.dataformat.jackson-dataformat-cbor	Medium
Product	Manifest	implementation-build-date	2021-12-15 04:37:17+0000	Low
Product	Manifest	Implementation-Title	Jackson dataformat: CBOR	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Jackson dataformat: CBOR	Medium
Product	pom	artifactid	jackson-dataformat-cbor	Highest
Product	pom	groupid	com.fasterxml.jackson.dataformat	Highest
Product	pom	name	Jackson dataformat: CBOR	High
Product	pom	parent-artifactid	jackson-dataformats-binary	Medium
Product	pom	url	http://github.com/FasterXML/jackson-dataformats-binary	Medium
Version	file	version	2.12.6	High
Version	Manifest	Bundle-Version	2.12.6	High
Version	Manifest	Implementation-Version	2.12.6	High
Version	pom	version	2.12.6	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.12.6 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.6:*:*:*:*:*:*:* (Confidence:Low)

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License Version 2.0: LICENSE.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.4.2/jackson-dataformat-yaml-2.4.2.jar/META-INF/maven/org.yaml/snakeyaml/pom.xml
MD5: d103ace8c756cc13661469b53cff1794
SHA1: c9dbe57a55450ef61cdb139c01a8edea9206949d
SHA256:8e74df39a8ef592fb70464815ddc7ae244ec6ebfe5ba9a3203daa07275395160
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	snakeyaml	Low
Vendor	pom	developer email	alexander.maslov@gmail.com	Low
Vendor	pom	developer email	py4fun@gmail.com	Low
Vendor	pom	developer id	maslovalex	Medium
Vendor	pom	developer id	py4fun	Medium
Vendor	pom	developer name	Alexander Maslov	Medium
Vendor	pom	developer name	Andrey Somov	Medium
Vendor	pom	groupid	org.yaml	Highest
Vendor	pom	name	SnakeYAML	High
Vendor	pom	url	http://www.snakeyaml.org	Highest
Product	pom	artifactid	snakeyaml	Highest
Product	pom	developer email	alexander.maslov@gmail.com	Low
Product	pom	developer email	py4fun@gmail.com	Low
Product	pom	developer id	maslovalex	Low
Product	pom	developer id	py4fun	Low
Product	pom	developer name	Alexander Maslov	Low
Product	pom	developer name	Andrey Somov	Low
Product	pom	groupid	org.yaml	Highest
Product	pom	name	SnakeYAML	High
Product	pom	url	http://www.snakeyaml.org	Medium
Version	pom	version	1.12	Highest

Identifiers

pkg:maven/org.yaml/snakeyaml@1.12 (Confidence:High)
cpe:2.3:a:snakeyaml_project:snakeyaml:1.12:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:yaml_project:yaml:1.12:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2022-1471 (OSSINDEX)

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

CWE-502 Deserialization of Untrusted Data

CVSSv2:

Base Score: HIGH (9.8)
Vector: /AV:N/AC:L/Au:/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.yaml:snakeyaml:1.12:*:*:*:*:*:*:*

CVE-2017-18640

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2022-25857

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CONFIRM - N/A
CONFIRM - N/A
CONFIRM - N/A
CONFIRM - N/A
MLIST - [debian-lts-announce] 20221002 [SECURITY] [DLA 3132-1] snakeyaml security update
OSSINDEX - [CVE-2022-25857] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25857
OSSIndex - https://bitbucket.org/snakeyaml/snakeyaml/issues/525

Vulnerable Software & Versions:

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* versions up to (excluding) 1.31

CVE-2022-3064

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:* versions up to (excluding) 2.2.4

CVE-2022-38749

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* versions up to (excluding) 1.31

CVE-2022-38751

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* versions up to (excluding) 1.31

CVE-2022-38752

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* versions up to (excluding) 1.32

CVE-2022-41854

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

CONFIRM - N/A
FEDORA - FEDORA-2022-8a4e8aa190
FEDORA - FEDORA-2022-c01dd659fa
OSSINDEX - [CVE-2022-41854] CWE-787: Out-of-bounds Write
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41854
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355

Vulnerable Software & Versions:

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* versions up to (excluding) 1.32

CVE-2021-4235

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

NVD-CWE-noinfo

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:* versions up to (excluding) 2.2.3

CVE-2022-38750

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* versions up to (excluding) 1.31

Description:

Support for reading and writing YAML-encoded data via Jackson abstractions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.4.2/jackson-dataformat-yaml-2.4.2.jar
MD5: 0284425f0cb4b9badc64c1455f7af053
SHA1: 7136d542ef2d5b9ace4bb9eb4bd43f8d410a55da
SHA256:f873a33cba87a937141e247cde7530682e90786ae5a38a1ca2d13662eca3219b
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-dataformat-yaml	High
Vendor	jar	package name	dataformat	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	yaml	Highest
Vendor	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonExtensionYAML	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.dataformat.jackson-dataformat-yaml	Medium
Vendor	Manifest	implementation-build-date	2014-08-15 18:38:55-0700	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.dataformat	Medium
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-dataformat-yaml	Highest
Vendor	pom	artifactid	jackson-dataformat-yaml	Low
Vendor	pom	groupid	com.fasterxml.jackson.dataformat	Highest
Vendor	pom	name	Jackson-dataformat-YAML	High
Vendor	pom	parent-artifactid	jackson-parent	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	http://wiki.fasterxml.com/JacksonExtensionYAML	Highest
Product	file	name	jackson-dataformat-yaml	High
Product	jar	package name	dataformat	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	yaml	Highest
Product	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonExtensionYAML	Low
Product	Manifest	Bundle-Name	Jackson-dataformat-YAML	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.dataformat.jackson-dataformat-yaml	Medium
Product	Manifest	implementation-build-date	2014-08-15 18:38:55-0700	Low
Product	Manifest	Implementation-Title	Jackson-dataformat-YAML	High
Product	Manifest	specification-title	Jackson-dataformat-YAML	Medium
Product	pom	artifactid	jackson-dataformat-yaml	Highest
Product	pom	groupid	com.fasterxml.jackson.dataformat	Highest
Product	pom	name	Jackson-dataformat-YAML	High
Product	pom	parent-artifactid	jackson-parent	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	http://wiki.fasterxml.com/JacksonExtensionYAML	Medium
Version	file	version	2.4.2	High
Version	Manifest	Bundle-Version	2.4.2	High
Version	Manifest	Implementation-Version	2.4.2	High
Version	pom	parent-version	2.4.2	Low
Version	pom	version	2.4.2	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.4.2 (Confidence:High)
cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.4.2:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:yaml_project:yaml:2.4.2:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Add-on module for Jackson (http://jackson.codehaus.org) to support
Joda (http://joda-time.sourceforge.net/) data types.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.4.2/jackson-datatype-joda-2.4.2.jar
MD5: 6e25c374cf329603f01710030195b8ae
SHA1: d826d1db3f9f2277576c524a71d03d1f1cbe462b
SHA256:aadc841436205f31d3947adf8579d8e5651bd4ef24dbf743327020128b7e2705
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-datatype-joda	High
Vendor	jar	package name	datatype	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	joda	Highest
Vendor	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonModuleJoda	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.datatype.jackson-datatype-joda	Medium
Vendor	Manifest	implementation-build-date	2014-08-15 19:15:49-0700	Low
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.datatype	Medium
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-datatype-joda	Highest
Vendor	pom	artifactid	jackson-datatype-joda	Low
Vendor	pom	groupid	com.fasterxml.jackson.datatype	Highest
Vendor	pom	name	Jackson-datatype-Joda	High
Vendor	pom	parent-artifactid	jackson-parent	Low
Vendor	pom	parent-groupid	com.fasterxml.jackson	Medium
Vendor	pom	url	http://wiki.fasterxml.com/JacksonModuleJoda	Highest
Product	file	name	jackson-datatype-joda	High
Product	jar	package name	datatype	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	joda	Highest
Product	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonModuleJoda	Low
Product	Manifest	Bundle-Name	Jackson-datatype-Joda	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.datatype.jackson-datatype-joda	Medium
Product	Manifest	implementation-build-date	2014-08-15 19:15:49-0700	Low
Product	Manifest	Implementation-Title	Jackson-datatype-Joda	High
Product	Manifest	specification-title	Jackson-datatype-Joda	Medium
Product	pom	artifactid	jackson-datatype-joda	Highest
Product	pom	groupid	com.fasterxml.jackson.datatype	Highest
Product	pom	name	Jackson-datatype-Joda	High
Product	pom	parent-artifactid	jackson-parent	Medium
Product	pom	parent-groupid	com.fasterxml.jackson	Medium
Product	pom	url	http://wiki.fasterxml.com/JacksonModuleJoda	Medium
Version	file	version	2.4.2	High
Version	Manifest	Bundle-Version	2.4.2	High
Version	Manifest	Implementation-Version	2.4.2	High
Version	pom	parent-version	2.4.2	Low
Version	pom	version	2.4.2	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-joda@2.4.2 (Confidence:High)

Description:

Pile of code that is shared by all Jackson-based JAX-RS
providers.

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.14.0/jackson-jaxrs-base-2.14.0.jar
MD5: 95b3a4295287c202cf3556828bf4faf6
SHA1: f013209a02e9ed57d23e3d9bb1e05da6b0e4afba
SHA256:b2ba9f27eba41c580cb8958c6494e71efc7871bd68682f6363b2759945920451
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-jaxrs-base	High
Vendor	jar	package name	base	Highest
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	jaxrs	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-base	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.jaxrs.jackson-jaxrs-base	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.jaxrs	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-jaxrs-base	Highest
Vendor	pom	artifactid	jackson-jaxrs-base	Low
Vendor	pom	groupid	com.fasterxml.jackson.jaxrs	Highest
Vendor	pom	name	Jackson-JAXRS: base	High
Vendor	pom	parent-artifactid	jackson-jaxrs-providers	Low
Product	file	name	jackson-jaxrs-base	High
Product	jar	package name	base	Highest
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	jaxrs	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-base	Low
Product	Manifest	Bundle-Name	Jackson-JAXRS: base	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.jaxrs.jackson-jaxrs-base	Medium
Product	Manifest	Implementation-Title	Jackson-JAXRS: base	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Jackson-JAXRS: base	Medium
Product	pom	artifactid	jackson-jaxrs-base	Highest
Product	pom	groupid	com.fasterxml.jackson.jaxrs	Highest
Product	pom	name	Jackson-JAXRS: base	High
Product	pom	parent-artifactid	jackson-jaxrs-providers	Medium
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base@2.14.0 (Confidence:High)

Description:

Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.14.0/jackson-jaxrs-json-provider-2.14.0.jar
MD5: c283b55e9b2ce98e0d8ad33429e2cd95
SHA1: 96f7f0f834f765aefeeb73e313001060f88fcd12
SHA256:87465585a13d27491b774e077003d76ce859bffea574ac79bc10903527bd435e
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-jaxrs-json-provider	High
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	jaxrs	Highest
Vendor	jar	package name	json	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-json-provider	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.jaxrs	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-jaxrs-json-provider	Highest
Vendor	pom	artifactid	jackson-jaxrs-json-provider	Low
Vendor	pom	groupid	com.fasterxml.jackson.jaxrs	Highest
Vendor	pom	name	Jackson-JAXRS: JSON	High
Vendor	pom	parent-artifactid	jackson-jaxrs-providers	Low
Product	file	name	jackson-jaxrs-json-provider	High
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	jaxrs	Highest
Product	jar	package name	json	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-json-provider	Low
Product	Manifest	Bundle-Name	Jackson-JAXRS: JSON	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider	Medium
Product	Manifest	Implementation-Title	Jackson-JAXRS: JSON	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Jackson-JAXRS: JSON	Medium
Product	pom	artifactid	jackson-jaxrs-json-provider	Highest
Product	pom	groupid	com.fasterxml.jackson.jaxrs	Highest
Product	pom	name	Jackson-JAXRS: JSON	High
Product	pom	parent-artifactid	jackson-jaxrs-providers	Medium
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider@2.14.0 (Confidence:High)

Description:

Support for using JAXB annotations as an alternative to "native" Jackson annotations,
for configuring data-binding.

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.14.0/jackson-module-jaxb-annotations-2.14.0.jar
MD5: 7181cedd13c14dcbf8b4f55c347e0e6e
SHA1: d224162d974acebab7bb6fb7826a5fd319cebbf7
SHA256:5ac9a0f78af0fdac22f5a4e25494bee2ed54bf1c760af63aa78a0147eb7f41d0
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jackson-module-jaxb-annotations	High
Vendor	jar	package name	fasterxml	Highest
Vendor	jar	package name	jackson	Highest
Vendor	jar	package name	jaxb	Highest
Vendor	jar	package name	module	Highest
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-modules-base	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.module.jackson-module-jaxb-annotations	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.module	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-module-jaxb-annotations	Highest
Vendor	pom	artifactid	jackson-module-jaxb-annotations	Low
Vendor	pom	groupid	com.fasterxml.jackson.module	Highest
Vendor	pom	name	Jackson module: Old JAXB Annotations (javax.xml.bind)	High
Vendor	pom	parent-artifactid	jackson-modules-base	Low
Vendor	pom	url	FasterXML/jackson-modules-base	Highest
Product	file	name	jackson-module-jaxb-annotations	High
Product	jar	package name	fasterxml	Highest
Product	jar	package name	jackson	Highest
Product	jar	package name	jaxb	Highest
Product	jar	package name	module	Highest
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://github.com/FasterXML/jackson-modules-base	Low
Product	Manifest	Bundle-Name	Jackson module: Old JAXB Annotations (javax.xml.bind)	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.module.jackson-module-jaxb-annotations	Medium
Product	Manifest	Implementation-Title	Jackson module: Old JAXB Annotations (javax.xml.bind)	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Jackson module: Old JAXB Annotations (javax.xml.bind)	Medium
Product	pom	artifactid	jackson-module-jaxb-annotations	Highest
Product	pom	groupid	com.fasterxml.jackson.module	Highest
Product	pom	name	Jackson module: Old JAXB Annotations (javax.xml.bind)	High
Product	pom	parent-artifactid	jackson-modules-base	Medium
Product	pom	url	FasterXML/jackson-modules-base	High
Version	file	version	2.14.0	High
Version	Manifest	Bundle-Version	2.14.0	High
Version	Manifest	Implementation-Version	2.14.0	High
Version	pom	version	2.14.0	Highest

Identifiers

pkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.14.0 (Confidence:High)

Description:

Jakarta Activation API jar

License:

http://www.eclipse.org/org/documents/edl-v10.php

File Path: /home/grprdist/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.2/jakarta.activation-api-1.2.2.jar
MD5: 1cbb480310fa1987f9db7a3ed7118af7
SHA1: 99f53adba383cb1bf7c3862844488574b559621f
SHA256:a187a939103aef5849a7af84bd7e27be2d120c410af291437375ffe061f4f09d
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jakarta.activation-api	High
Vendor	jar	package name	activation	Highest
Vendor	Manifest	bundle-docurl	https://www.eclipse.org	Low
Vendor	Manifest	bundle-symbolicname	jakarta.activation-api	Medium
Vendor	Manifest	extension-name	jakarta.activation	Medium
Vendor	Manifest	Implementation-Vendor	Eclipse Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Vendor	Manifest	specification-vendor	Eclipse Foundation	Low
Vendor	pom	artifactid	jakarta.activation-api	Highest
Vendor	pom	artifactid	jakarta.activation-api	Low
Vendor	pom	groupid	jakarta.activation	Highest
Vendor	pom	name	Jakarta Activation API jar	High
Vendor	pom	parent-artifactid	all	Low
Vendor	pom	parent-groupid	com.sun.activation	Medium
Product	file	name	jakarta.activation-api	High
Product	jar	package name	activation	Highest
Product	Manifest	bundle-docurl	https://www.eclipse.org	Low
Product	Manifest	Bundle-Name	Jakarta Activation API jar	Medium
Product	Manifest	bundle-symbolicname	jakarta.activation-api	Medium
Product	Manifest	extension-name	jakarta.activation	Medium
Product	Manifest	Implementation-Title	jakarta.activation.jakarta.activation-api	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Product	Manifest	specification-title	jakarta.activation.jakarta.activation-api	Medium
Product	pom	artifactid	jakarta.activation-api	Highest
Product	pom	groupid	jakarta.activation	Highest
Product	pom	name	Jakarta Activation API jar	High
Product	pom	parent-artifactid	all	Medium
Product	pom	parent-groupid	com.sun.activation	Medium
Version	file	version	1.2.2	High
Version	Manifest	Bundle-Version	1.2.2	High
Version	Manifest	Implementation-Version	1.2.2	High
Version	pom	version	1.2.2	Highest

Identifiers

pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2 (Confidence:High)

Description:

Jakarta Annotations API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
MD5: 8b165cf58df5f8c2a222f637c0a07c97
SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d
SHA256:85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jakarta.annotation-api	High
Vendor	jar	package name	annotation	Highest
Vendor	Manifest	automatic-module-name	java.annotation	Medium
Vendor	Manifest	bundle-docurl	https://www.eclipse.org	Low
Vendor	Manifest	bundle-symbolicname	jakarta.annotation-api	Medium
Vendor	Manifest	extension-name	jakarta.annotation	Medium
Vendor	Manifest	Implementation-Vendor	Eclipse Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.glassfish	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Eclipse Foundation	Low
Vendor	pom	artifactid	jakarta.annotation-api	Highest
Vendor	pom	artifactid	jakarta.annotation-api	Low
Vendor	pom	developer name	Linda De Michiel	Medium
Vendor	pom	developer org	Oracle Corp.	Medium
Vendor	pom	groupid	jakarta.annotation	Highest
Vendor	pom	name	Jakarta Annotations API	High
Vendor	pom	parent-artifactid	ca-parent	Low
Vendor	pom	url	https://projects.eclipse.org/projects/ee4j.ca	Highest
Product	file	name	jakarta.annotation-api	High
Product	jar	package name	annotation	Highest
Product	Manifest	automatic-module-name	java.annotation	Medium
Product	Manifest	bundle-docurl	https://www.eclipse.org	Low
Product	Manifest	Bundle-Name	Jakarta Annotations API	Medium
Product	Manifest	bundle-symbolicname	jakarta.annotation-api	Medium
Product	Manifest	extension-name	jakarta.annotation	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jakarta.annotation-api	Highest
Product	pom	developer name	Linda De Michiel	Low
Product	pom	developer org	Oracle Corp.	Low
Product	pom	groupid	jakarta.annotation	Highest
Product	pom	name	Jakarta Annotations API	High
Product	pom	parent-artifactid	ca-parent	Medium
Product	pom	url	https://projects.eclipse.org/projects/ee4j.ca	Medium
Version	file	version	1.3.5	High
Version	Manifest	Bundle-Version	1.3.5	High
Version	Manifest	Implementation-Version	1.3.5	High
Version	pom	version	1.3.5	Highest

Identifiers

pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5 (Confidence:High)
cpe:2.3:a:oracle:java_se:1.3.5:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:oracle:projects:1.3.5:*:*:*:*:*:*:* (Confidence:Low)

Description:

Injection API (JSR 330) version ${javax.inject.version} repackaged as OSGi bundle

License:

http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/hk2/external/jakarta.inject/2.6.1/jakarta.inject-2.6.1.jar
MD5: 4d7c80a1e3cd54531af03bef4537f7af
SHA1: 8096ebf722902e75fbd4f532a751e514f02e1eb7
SHA256:5e88c123b3e41bca788b2683118867d9b6dec714247ea91c588aed46a36ee24f
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jakarta.inject	High
Vendor	jar	package name	inject	Highest
Vendor	jar	package name	javax	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.hk2.external.jakarta.inject	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	jakarta.inject	Highest
Vendor	pom	artifactid	jakarta.inject	Low
Vendor	pom	groupid	org.glassfish.hk2.external	Highest
Vendor	pom	name	javax.inject:${javax-inject.version} as OSGi bundle	High
Vendor	pom	parent-artifactid	external	Low
Vendor	pom	parent-groupid	org.glassfish.hk2	Medium
Product	file	name	jakarta.inject	High
Product	jar	package name	inject	Highest
Product	jar	package name	javax	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	javax.inject:1 as OSGi bundle	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.hk2.external.jakarta.inject	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jakarta.inject	Highest
Product	pom	groupid	org.glassfish.hk2.external	Highest
Product	pom	name	javax.inject:${javax-inject.version} as OSGi bundle	High
Product	pom	parent-artifactid	external	Medium
Product	pom	parent-groupid	org.glassfish.hk2	Medium
Version	file	version	2.6.1	High
Version	Manifest	Bundle-Version	2.6.1	High
Version	pom	version	2.6.1	Highest

Identifiers

pkg:maven/org.glassfish.hk2.external/jakarta.inject@2.6.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.6.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

        Jakarta Bean Validation API

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/jakarta/validation/jakarta.validation-api/2.0.2/jakarta.validation-api-2.0.2.jar
MD5: 77501d529c1928c9bac2500cc9f93fb0
SHA1: 5eacc6522521f7eacb081f95cee1e231648461e7
SHA256:b42d42428f3d922c892a909fa043287d577c0c5b165ad9b7d568cebf87fc9ea4
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jakarta.validation-api	High
Vendor	jar	package name	validation	Highest
Vendor	Manifest	automatic-module-name	java.validation	Medium
Vendor	Manifest	bundle-docurl	https://www.eclipse.org	Low
Vendor	Manifest	bundle-symbolicname	jakarta.validation.jakarta.validation-api	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	jakarta.validation-api	Highest
Vendor	pom	artifactid	jakarta.validation-api	Low
Vendor	pom	developer email	emmanuel@hibernate.org	Low
Vendor	pom	developer email	guillaume.smet@hibernate.org	Low
Vendor	pom	developer email	gunnar@hibernate.org	Low
Vendor	pom	developer email	hferents@redhat.com	Low
Vendor	pom	developer id	emmanuelbernard	Medium
Vendor	pom	developer id	epbernard	Medium
Vendor	pom	developer id	guillaume.smet	Medium
Vendor	pom	developer id	gunnar.morling	Medium
Vendor	pom	developer id	hardy.ferentschik	Medium
Vendor	pom	developer name	Emmanuel Bernard	Medium
Vendor	pom	developer name	Guillaume Smet	Medium
Vendor	pom	developer name	Gunnar Morling	Medium
Vendor	pom	developer name	Hardy Ferentschik	Medium
Vendor	pom	developer org	Red Hat, Inc.	Medium
Vendor	pom	groupid	jakarta.validation	Highest
Vendor	pom	name	Jakarta Bean Validation API	High
Vendor	pom	parent-artifactid	project	Low
Vendor	pom	parent-groupid	org.eclipse.ee4j	Medium
Vendor	pom	url	https://beanvalidation.org	Highest
Product	file	name	jakarta.validation-api	High
Product	jar	package name	validation	Highest
Product	Manifest	automatic-module-name	java.validation	Medium
Product	Manifest	bundle-docurl	https://www.eclipse.org	Low
Product	Manifest	Bundle-Name	Jakarta Bean Validation API	Medium
Product	Manifest	bundle-symbolicname	jakarta.validation.jakarta.validation-api	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jakarta.validation-api	Highest
Product	pom	developer email	emmanuel@hibernate.org	Low
Product	pom	developer email	guillaume.smet@hibernate.org	Low
Product	pom	developer email	gunnar@hibernate.org	Low
Product	pom	developer email	hferents@redhat.com	Low
Product	pom	developer id	emmanuelbernard	Low
Product	pom	developer id	epbernard	Low
Product	pom	developer id	guillaume.smet	Low
Product	pom	developer id	gunnar.morling	Low
Product	pom	developer id	hardy.ferentschik	Low
Product	pom	developer name	Emmanuel Bernard	Low
Product	pom	developer name	Guillaume Smet	Low
Product	pom	developer name	Gunnar Morling	Low
Product	pom	developer name	Hardy Ferentschik	Low
Product	pom	developer org	Red Hat, Inc.	Low
Product	pom	groupid	jakarta.validation	Highest
Product	pom	name	Jakarta Bean Validation API	High
Product	pom	parent-artifactid	project	Medium
Product	pom	parent-groupid	org.eclipse.ee4j	Medium
Product	pom	url	https://beanvalidation.org	Medium
Version	file	version	2.0.2	High
Version	Manifest	Bundle-Version	2.0.2	High
Version	pom	parent-version	2.0.2	Low
Version	pom	version	2.0.2	Highest

Identifiers

pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2 (Confidence:High)

Description:

Jakarta RESTful Web Services API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/jakarta/ws/rs/jakarta.ws.rs-api/2.1.6/jakarta.ws.rs-api-2.1.6.jar
MD5: c3892382aeb5c54085b22b1890511d29
SHA1: 1dcb770bce80a490dff49729b99c7a60e9ecb122
SHA256:4cea299c846c8a6e6470cbfc2f7c391bc29b9caa2f9264ac1064ba91691f4adf
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jakarta.ws.rs-api	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	rs	Highest
Vendor	jar	package name	ws	Highest
Vendor	Manifest	automatic-module-name	java.ws.rs	Medium
Vendor	Manifest	bundle-docurl	https://www.eclipse.org/org/foundation/	Low
Vendor	Manifest	bundle-symbolicname	jakarta.ws.rs-api	Medium
Vendor	Manifest	extension-name	javax.ws.rs	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	jakarta.ws.rs-api	Highest
Vendor	pom	artifactid	jakarta.ws.rs-api	Low
Vendor	pom	developer email	jaxrs-dev@eclipse.org	Low
Vendor	pom	developer id	developers	Medium
Vendor	pom	developer name	API Developers	Medium
Vendor	pom	groupid	jakarta.ws.rs	Highest
Vendor	pom	name	jakarta.ws.rs-api	High
Vendor	pom	organization name	Eclipse Foundation	High
Vendor	pom	organization url	https://www.eclipse.org/org/foundation/	Medium
Vendor	pom	url	eclipse-ee4j/jaxrs-api	Highest
Product	file	name	jakarta.ws.rs-api	High
Product	hint analyzer	product	web services	Medium
Product	jar	package name	javax	Highest
Product	jar	package name	rs	Highest
Product	jar	package name	ws	Highest
Product	Manifest	automatic-module-name	java.ws.rs	Medium
Product	Manifest	bundle-docurl	https://www.eclipse.org/org/foundation/	Low
Product	Manifest	Bundle-Name	jakarta.ws.rs-api	Medium
Product	Manifest	bundle-symbolicname	jakarta.ws.rs-api	Medium
Product	Manifest	extension-name	javax.ws.rs	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jakarta.ws.rs-api	Highest
Product	pom	developer email	jaxrs-dev@eclipse.org	Low
Product	pom	developer id	developers	Low
Product	pom	developer name	API Developers	Low
Product	pom	groupid	jakarta.ws.rs	Highest
Product	pom	name	jakarta.ws.rs-api	High
Product	pom	organization name	Eclipse Foundation	Low
Product	pom	organization url	https://www.eclipse.org/org/foundation/	Low
Product	pom	url	eclipse-ee4j/jaxrs-api	High
Version	file	version	2.1.6	High
Version	Manifest	Bundle-Version	2.1.6	High
Version	Manifest	Implementation-Version	2.1.6	High
Version	pom	version	2.1.6	Highest

Identifiers

pkg:maven/jakarta.ws.rs/jakarta.ws.rs-api@2.1.6 (Confidence:High)
cpe:2.3:a:web_project:web:2.1.6:*:*:*:*:*:*:* (Confidence:Low)

Description:

Jakarta XML Binding API 2.3 Design Specification

License:

http://www.eclipse.org/org/documents/edl-v10.php

File Path: /home/grprdist/.m2/repository/jakarta/xml/bind/jakarta.xml.bind-api/2.3.3/jakarta.xml.bind-api-2.3.3.jar
MD5: 61286918ca0192e9f87d1358aef718dd
SHA1: 48e3b9cfc10752fba3521d6511f4165bea951801
SHA256:c04539f472e9a6dd0c7685ea82d677282269ab8e7baca2e14500e381e0c6cec5
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jakarta.xml.bind-api	High
Vendor	jar	package name	bind	Highest
Vendor	jar	package name	xml	Highest
Vendor	Manifest	build-jdk-spec	11	Low
Vendor	Manifest	bundle-docurl	https://www.eclipse.org	Low
Vendor	Manifest	bundle-symbolicname	jakarta.xml.bind-api	Medium
Vendor	Manifest	extension-name	jakarta.xml.bind	Medium
Vendor	Manifest	implementation-build-id	2.3.3-RELEASE-fd06b2b	Low
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Eclipse Foundation	Low
Vendor	pom	artifactid	jakarta.xml.bind-api	Highest
Vendor	pom	artifactid	jakarta.xml.bind-api	Low
Vendor	pom	groupid	jakarta.xml.bind	Highest
Vendor	pom	name	Jakarta XML Binding API	High
Vendor	pom	parent-artifactid	jakarta.xml.bind-api-parent	Low
Product	file	name	jakarta.xml.bind-api	High
Product	jar	package name	bind	Highest
Product	jar	package name	xml	Highest
Product	Manifest	build-jdk-spec	11	Low
Product	Manifest	bundle-docurl	https://www.eclipse.org	Low
Product	Manifest	Bundle-Name	Jakarta XML Binding API	Medium
Product	Manifest	bundle-symbolicname	jakarta.xml.bind-api	Medium
Product	Manifest	extension-name	jakarta.xml.bind	Medium
Product	Manifest	implementation-build-id	2.3.3-RELEASE-fd06b2b	Low
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jakarta.xml.bind-api	Highest
Product	pom	groupid	jakarta.xml.bind	Highest
Product	pom	name	Jakarta XML Binding API	High
Product	pom	parent-artifactid	jakarta.xml.bind-api-parent	Medium
Version	file	version	2.3.3	High
Version	Manifest	Bundle-Version	2.3.3	High
Version	Manifest	Implementation-Version	2.3.3	High
Version	pom	version	2.3.3	Highest

Identifiers

pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3 (Confidence:High)

Description:

Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/jboss/jandex/2.0.4.Final/jandex-2.0.4.Final.jar
MD5: 2938e9457bf0c1fba50d8b03a05218de
SHA1: 1796bb21a7a19a10caa7c555f81da66f4bf490cb
SHA256:f75da95aa66d841c5341480247a39a5c3c615aa6966058306d49a5d3db9b3b61
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jandex	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	indexer	Highest
Vendor	jar	package name	jandex	Highest
Vendor	jar	package name	jboss	Highest
Vendor	Manifest	build-timestamp	Mon, 23 Oct 2017 13:00:50 -0500	Low
Vendor	Manifest	bundle-docurl	http://www.jboss.org	Low
Vendor	Manifest	bundle-symbolicname	org.jboss.jandex	Medium
Vendor	Manifest	implementation-url	http://www.jboss.org/jandex	Low
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.jboss	Medium
Vendor	Manifest	os-arch	amd64	Low
Vendor	Manifest	os-name	Linux	Medium
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	pom	artifactid	jandex	Highest
Vendor	pom	artifactid	jandex	Low
Vendor	pom	groupid	org.jboss	Highest
Vendor	pom	name	Java Annotation Indexer	High
Vendor	pom	parent-artifactid	jboss-parent	Low
Product	file	name	jandex	High
Product	jar	package name	indexer	Highest
Product	jar	package name	jandex	Highest
Product	jar	package name	jboss	Highest
Product	Manifest	build-timestamp	Mon, 23 Oct 2017 13:00:50 -0500	Low
Product	Manifest	bundle-docurl	http://www.jboss.org	Low
Product	Manifest	Bundle-Name	Java Annotation Indexer	Medium
Product	Manifest	bundle-symbolicname	org.jboss.jandex	Medium
Product	Manifest	Implementation-Title	Java Annotation Indexer	High
Product	Manifest	implementation-url	http://www.jboss.org/jandex	Low
Product	Manifest	os-arch	amd64	Low
Product	Manifest	os-name	Linux	Medium
Product	Manifest	specification-title	Java Annotation Indexer	Medium
Product	pom	artifactid	jandex	Highest
Product	pom	groupid	org.jboss	Highest
Product	pom	name	Java Annotation Indexer	High
Product	pom	parent-artifactid	jboss-parent	Medium
Version	Manifest	Bundle-Version	2.0.4.Final	High
Version	Manifest	Implementation-Version	2.0.4.Final	High
Version	pom	parent-version	2.0.4.Final	Low
Version	pom	version	2.0.4.Final	Highest

Identifiers

pkg:maven/org.jboss/jandex@2.0.4.Final (Confidence:High)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/googlecode/java-ipv6/java-ipv6/0.17/java-ipv6-0.17.jar
MD5: 7eab662f5ec5c0f1d964e1c551a5ac02
SHA1: 243426a162fa169ad40f5f59cb957321f00cba3f
SHA256:37cf71baf707041cb494834c559ad12b631f5c7747c804ec19598bc0e0f01162
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	java-ipv6	High
Vendor	jar	package name	googlecode	Highest
Vendor	jar	package name	googlecode	Low
Vendor	jar	package name	ipv6	Highest
Vendor	jar	package name	ipv6	Low
Vendor	pom	artifactid	java-ipv6	Highest
Vendor	pom	artifactid	java-ipv6	Low
Vendor	pom	groupid	com.googlecode.java-ipv6	Highest
Vendor	pom	name	Java IPv6 Library	High
Vendor	pom	url	janvanbesien/java-ipv6/	Highest
Product	file	name	java-ipv6	High
Product	jar	package name	googlecode	Highest
Product	jar	package name	ipv6	Highest
Product	jar	package name	ipv6	Low
Product	pom	artifactid	java-ipv6	Highest
Product	pom	groupid	com.googlecode.java-ipv6	Highest
Product	pom	name	Java IPv6 Library	High
Product	pom	url	janvanbesien/java-ipv6/	High
Version	file	version	0.17	High
Version	pom	version	0.17	Highest

Identifiers

pkg:maven/com.googlecode.java-ipv6/java-ipv6@0.17 (Confidence:High)

Description:

Java implementation of JSON Web Token (JWT)

License:

The MIT License (MIT): https://raw.githubusercontent.com/auth0/java-jwt/master/LICENSE

File Path: /home/grprdist/.m2/repository/com/auth0/java-jwt/3.10.3/java-jwt-3.10.3.jar
MD5: 69ca7c81203e238a71437325580b3663
SHA1: 138b7ea9ca2c8c8e66acf5a70e809490bcf08955
SHA256:c5901a5dadf420867cd6cb598f7ae09b0cde7f7e46b7e1a70b56be8d5a5c64a6
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	java-jwt	High
Vendor	jar	package name	auth0	Highest
Vendor	jar	package name	jwt	Highest
Vendor	pom	artifactid	java-jwt	Highest
Vendor	pom	artifactid	java-jwt	Low
Vendor	pom	developer email	hernan@auth0.com	Low
Vendor	pom	developer email	luciano.balmaceda@auth0.com	Low
Vendor	pom	developer email	oss@auth0.com	Low
Vendor	pom	developer id	auth0	Medium
Vendor	pom	developer id	hzalaz	Medium
Vendor	pom	developer id	lbalmaceda	Medium
Vendor	pom	developer name	Auth0	Medium
Vendor	pom	developer name	Hernan Zalazar	Medium
Vendor	pom	developer name	Luciano Balmaceda	Medium
Vendor	pom	groupid	com.auth0	Highest
Vendor	pom	name	java jwt	High
Vendor	pom	url	auth0/java-jwt	Highest
Product	file	name	java-jwt	High
Product	jar	package name	auth0	Highest
Product	jar	package name	jwt	Highest
Product	Manifest	Implementation-Title	java-jwt	High
Product	pom	artifactid	java-jwt	Highest
Product	pom	developer email	hernan@auth0.com	Low
Product	pom	developer email	luciano.balmaceda@auth0.com	Low
Product	pom	developer email	oss@auth0.com	Low
Product	pom	developer id	auth0	Low
Product	pom	developer id	hzalaz	Low
Product	pom	developer id	lbalmaceda	Low
Product	pom	developer name	Auth0	Low
Product	pom	developer name	Hernan Zalazar	Low
Product	pom	developer name	Luciano Balmaceda	Low
Product	pom	groupid	com.auth0	Highest
Product	pom	name	java jwt	High
Product	pom	url	auth0/java-jwt	High
Version	file	version	3.10.3	High
Version	Manifest	Implementation-Version	3.10.3	High
Version	pom	version	3.10.3	Highest

Identifiers

pkg:maven/com.auth0/java-jwt@3.10.3 (Confidence:High)

Description:

Java(TM) EE 7 Specification APIs

License:

CDDL + GPLv2 with classpath exception: http://glassfish.java.net/nonav/public/CDDL+GPL.html

File Path: /home/grprdist/.m2/repository/javax/javaee-api/7.0/javaee-api-7.0.jar
MD5: 4574e0b1f14590cb3280d37a6cedc27d
SHA1: 51399f902cc27a808122edcbebfaa1ad989954ba
SHA256:16e51bfb2a6ed95d600e7a541e53a42b8d39c87d23b5f0e6460dd0dffe84903e
Referenced In Projects/Scopes:

Grouper WS SCIM:compile
Grouper WS:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javaee-api	High
Vendor	jar	package name	api	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	javax	Low
Vendor	pom	artifactid	javaee-api	Highest
Vendor	pom	artifactid	javaee-api	Low
Vendor	pom	developer id	ldemichiel	Medium
Vendor	pom	developer id	shannon	Medium
Vendor	pom	developer name	Bill Shannon	Medium
Vendor	pom	developer name	Linda De Michiel	Medium
Vendor	pom	developer org	Oracle Corp.	Medium
Vendor	pom	groupid	javax	Highest
Vendor	pom	groupid	org.glassfish.main	Highest
Vendor	pom	name	Java(TM) EE 7 Specification APIs	High
Vendor	pom	parent-artifactid	javaee-api-parent	Low
Vendor	pom	parent-artifactid	jvnet-parent	Low
Vendor	pom	parent-groupid	net.java	Medium
Product	file	name	javaee-api	High
Product	jar	package name	api	Highest
Product	jar	package name	javax	Highest
Product	pom	artifactid	javaee-api	Highest
Product	pom	developer id	ldemichiel	Low
Product	pom	developer id	shannon	Low
Product	pom	developer name	Bill Shannon	Low
Product	pom	developer name	Linda De Michiel	Low
Product	pom	developer org	Oracle Corp.	Low
Product	pom	groupid	javax	Highest
Product	pom	groupid	org.glassfish.main	Highest
Product	pom	name	Java(TM) EE 7 Specification APIs	High
Product	pom	parent-artifactid	javaee-api-parent	Medium
Product	pom	parent-artifactid	jvnet-parent	Medium
Product	pom	parent-groupid	net.java	Medium
Version	file	version	7.0	High
Version	pom	parent-version	7.0	Low
Version	pom	version	7.0	Highest

Identifiers

pkg:maven/javax/javaee-api@7.0 (Confidence:High)
pkg:maven/org.glassfish.main/javaee-api@4.0-SNAPSHOT (Confidence:High)

Description:

  	Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
    simple.  It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/

File Path: /home/grprdist/.m2/repository/org/javassist/javassist/3.22.0-GA/javassist-3.22.0-GA.jar
MD5: 69f277ed4c6631e45ec4cacd0e6e46c6
SHA1: 3e83394258ae2089be7219b971ec21a8288528ad
SHA256:59531c00f3e3aa1ff48b3a8cf4ead47d203ab0e2fd9e0ad401f764e05947e252
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javassist	High
Vendor	jar	package name	bytecode	Highest
Vendor	jar	package name	javassist	Highest
Vendor	Manifest	bundle-symbolicname	javassist	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	Shigeru Chiba, www.javassist.org	Low
Vendor	pom	artifactid	javassist	Highest
Vendor	pom	artifactid	javassist	Low
Vendor	pom	developer email	adinn@redhat.com	Low
Vendor	pom	developer email	chiba@javassist.org	Low
Vendor	pom	developer email	kabir.khan@jboss.com	Low
Vendor	pom	developer email	smarlow@redhat.com	Low
Vendor	pom	developer id	adinn	Medium
Vendor	pom	developer id	chiba	Medium
Vendor	pom	developer id	kabir.khan@jboss.com	Medium
Vendor	pom	developer id	scottmarlow	Medium
Vendor	pom	developer name	Andrew Dinn	Medium
Vendor	pom	developer name	Kabir Khan	Medium
Vendor	pom	developer name	Scott Marlow	Medium
Vendor	pom	developer name	Shigeru Chiba	Medium
Vendor	pom	developer org	JBoss	Medium
Vendor	pom	developer org	The Javassist Project	Medium
Vendor	pom	developer org URL	http://www.javassist.org/	Medium
Vendor	pom	developer org URL	http://www.jboss.org/	Medium
Vendor	pom	groupid	org.javassist	Highest
Vendor	pom	name	Javassist	High
Vendor	pom	organization name	Shigeru Chiba, www.javassist.org	High
Vendor	pom	url	http://www.javassist.org/	Highest
Product	file	name	javassist	High
Product	jar	package name	bytecode	Highest
Product	jar	package name	javassist	Highest
Product	Manifest	Bundle-Name	Javassist	Medium
Product	Manifest	bundle-symbolicname	javassist	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Javassist	Medium
Product	pom	artifactid	javassist	Highest
Product	pom	developer email	adinn@redhat.com	Low
Product	pom	developer email	chiba@javassist.org	Low
Product	pom	developer email	kabir.khan@jboss.com	Low
Product	pom	developer email	smarlow@redhat.com	Low
Product	pom	developer id	adinn	Low
Product	pom	developer id	chiba	Low
Product	pom	developer id	kabir.khan@jboss.com	Low
Product	pom	developer id	scottmarlow	Low
Product	pom	developer name	Andrew Dinn	Low
Product	pom	developer name	Kabir Khan	Low
Product	pom	developer name	Scott Marlow	Low
Product	pom	developer name	Shigeru Chiba	Low
Product	pom	developer org	JBoss	Low
Product	pom	developer org	The Javassist Project	Low
Product	pom	developer org URL	http://www.javassist.org/	Low
Product	pom	developer org URL	http://www.jboss.org/	Low
Product	pom	groupid	org.javassist	Highest
Product	pom	name	Javassist	High
Product	pom	organization name	Shigeru Chiba, www.javassist.org	Low
Product	pom	url	http://www.javassist.org/	Medium
Version	Manifest	specification-version	3.22.0-GA	High
Version	pom	version	3.22.0-GA	Highest

Identifiers

pkg:maven/org.javassist/javassist@3.22.0-GA (Confidence:High)

Description:

JavaBeans Activation Framework API jar

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt

File Path: /home/grprdist/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.activation-api	High
Vendor	jar	package name	activation	Highest
Vendor	jar	package name	javax	Highest
Vendor	Manifest	automatic-module-name	java.activation	Medium
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	javax.activation-api	Medium
Vendor	Manifest	extension-name	javax.activation	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	originally-created-by	1.8.0_141 (Oracle Corporation)	Low
Vendor	Manifest	specification-vendor	Oracle	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest (hint)	specification-vendor	sun	Low
Vendor	pom	artifactid	javax.activation-api	Highest
Vendor	pom	artifactid	javax.activation-api	Low
Vendor	pom	groupid	javax.activation	Highest
Vendor	pom	name	JavaBeans Activation Framework API jar	High
Vendor	pom	parent-artifactid	all	Low
Vendor	pom	parent-groupid	com.sun.activation	Medium
Product	file	name	javax.activation-api	High
Product	jar	package name	activation	Highest
Product	jar	package name	javax	Highest
Product	Manifest	automatic-module-name	java.activation	Medium
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	JavaBeans Activation Framework API jar	Medium
Product	Manifest	bundle-symbolicname	javax.activation-api	Medium
Product	Manifest	extension-name	javax.activation	Medium
Product	Manifest	Implementation-Title	javax.activation.javax.activation-api	High
Product	Manifest	originally-created-by	1.8.0_141 (Oracle Corporation)	Low
Product	Manifest	specification-title	javax.activation.javax.activation-api	Medium
Product	pom	artifactid	javax.activation-api	Highest
Product	pom	groupid	javax.activation	Highest
Product	pom	name	JavaBeans Activation Framework API jar	High
Product	pom	parent-artifactid	all	Medium
Product	pom	parent-groupid	com.sun.activation	Medium
Version	file	version	1.2.0	High
Version	Manifest	Bundle-Version	1.2.0	High
Version	Manifest	Implementation-Version	1.2.0	High
Version	pom	version	1.2.0	Highest

Identifiers

pkg:maven/javax.activation/javax.activation-api@1.2.0 (Confidence:High)

Description:

JavaMail API

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/com/sun/mail/javax.mail/1.5.0/javax.mail-1.5.0.jar
MD5: dabf8c0f32c7f6eb5c87aebd53e07fce
SHA1: ec2410fdf7e0a3022e7c2a2e6241039d1abc1e98
SHA256:9568765e086609fc4d511b27cb89b3351a40ebda0552852a7daf65b769a01511
Referenced In Projects/Scopes:

Grouper WS SCIM:compile
Grouper WS:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.mail	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	mail	Highest
Vendor	jar	package name	provider	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	com.sun.mail.javax.mail	Medium
Vendor	Manifest	extension-name	javax.mail	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml	Medium
Vendor	Manifest	specification-vendor	Oracle	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest (hint)	specification-vendor	sun	Low
Vendor	pom	artifactid	javax.mail	Highest
Vendor	pom	artifactid	javax.mail	Low
Vendor	pom	groupid	com.sun.mail	Highest
Vendor	pom	name	JavaMail API	High
Vendor	pom	parent-artifactid	all	Low
Product	file	name	javax.mail	High
Product	jar	package name	javax	Highest
Product	jar	package name	mail	Highest
Product	jar	package name	provider	Highest
Product	jar	package name	sun	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	JavaMail API	Medium
Product	Manifest	bundle-symbolicname	com.sun.mail.javax.mail	Medium
Product	Manifest	extension-name	javax.mail	Medium
Product	Manifest	Implementation-Title	javax.mail	High
Product	Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml	Medium
Product	Manifest	specification-title	JavaMail(TM) API Design Specification	Medium
Product	pom	artifactid	javax.mail	Highest
Product	pom	groupid	com.sun.mail	Highest
Product	pom	name	JavaMail API	High
Product	pom	parent-artifactid	all	Medium
Version	file	version	1.5.0	High
Version	Manifest	Bundle-Version	1.5.0	High
Version	Manifest	Implementation-Version	1.5.0	High
Version	pom	version	1.5.0	Highest

Identifiers

pkg:maven/com.sun.mail/javax.mail@1.5.0 (Confidence:High)

Description:

JavaMail API jar

License:

https://javaee.github.io/javamail/LICENSE

File Path: /home/grprdist/.m2/repository/javax/mail/javax.mail-api/1.6.0/javax.mail-api-1.6.0.jar
MD5: f641c3a2ad76a53acfbec7d7f5d8021d
SHA1: 1941270d3b04ded5bdc274351450b4afe47be080
SHA256:cddf58552871afe398061fffc36aec20899ad1f05a8141d90914e26d83980a66
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.mail-api	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	mail	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	javax.mail-api	Medium
Vendor	Manifest	extension-name	javax.mail	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	originally-created-by	1.8.0_131 (Oracle Corporation)	Low
Vendor	Manifest	probe-provider-xml-file-names		Medium
Vendor	Manifest	specification-vendor	Oracle	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest (hint)	specification-vendor	sun	Low
Vendor	pom	artifactid	javax.mail-api	Highest
Vendor	pom	artifactid	javax.mail-api	Low
Vendor	pom	groupid	javax.mail	Highest
Vendor	pom	name	JavaMail API jar	High
Vendor	pom	parent-artifactid	all	Low
Vendor	pom	parent-groupid	com.sun.mail	Medium
Product	file	name	javax.mail-api	High
Product	jar	package name	javax	Highest
Product	jar	package name	mail	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	JavaMail API jar	Medium
Product	Manifest	bundle-symbolicname	javax.mail-api	Medium
Product	Manifest	extension-name	javax.mail	Medium
Product	Manifest	Implementation-Title	javax.mail.javax.mail-api	High
Product	Manifest	originally-created-by	1.8.0_131 (Oracle Corporation)	Low
Product	Manifest	probe-provider-xml-file-names		Medium
Product	Manifest	specification-title	javax.mail.javax.mail-api	Medium
Product	pom	artifactid	javax.mail-api	Highest
Product	pom	groupid	javax.mail	Highest
Product	pom	name	JavaMail API jar	High
Product	pom	parent-artifactid	all	Medium
Product	pom	parent-groupid	com.sun.mail	Medium
Version	file	version	1.6.0	High
Version	Manifest	Bundle-Version	1.6.0	High
Version	Manifest	Implementation-Version	1.6.0	High
Version	pom	version	1.6.0	Highest

Identifiers

pkg:maven/javax.mail/javax.mail-api@1.6.0 (Confidence:High)

Description:

Java(TM) Persistence API

License:

Eclipse Public License v1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License v. 1.0: http://www.eclipse.org/org/documents/edl-v10.php

File Path: /home/grprdist/.m2/repository/javax/persistence/javax.persistence-api/2.2/javax.persistence-api-2.2.jar
MD5: e6520b3435f5b6d58eee415b5542abf8
SHA1: 25665ac8c0b62f50e6488173233239120fc52c96
SHA256:5578b71b37999a5eaed3fea0d14aa61c60c6ec6328256f2b63472f336318baf4
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.persistence-api	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	persistence	Highest
Vendor	Manifest	automatic-module-name	java.persistence	Medium
Vendor	Manifest	bundle-symbolicname	javax.persistence-api	Medium
Vendor	Manifest	extension-name	javax.persistence	Medium
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	javax.persistence-api	Highest
Vendor	pom	artifactid	javax.persistence-api	Low
Vendor	pom	groupid	javax.persistence	Highest
Vendor	pom	parent-artifactid	jvnet-parent	Low
Vendor	pom	parent-groupid	net.java	Medium
Vendor	pom	url	javaee/jpa-spec	Highest
Product	file	name	javax.persistence-api	High
Product	jar	package name	javax	Highest
Product	jar	package name	persistence	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	java.persistence	Medium
Product	Manifest	Bundle-Name	Java(TM) Persistence API jar	Medium
Product	Manifest	bundle-symbolicname	javax.persistence-api	Medium
Product	Manifest	extension-name	javax.persistence	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	javax.persistence-api	Highest
Product	pom	groupid	javax.persistence	Highest
Product	pom	parent-artifactid	jvnet-parent	Medium
Product	pom	parent-groupid	net.java	Medium
Product	pom	url	javaee/jpa-spec	High
Version	file	version	2.2	High
Version	Manifest	Bundle-Version	2.2	High
Version	Manifest	Implementation-Version	2.2	High
Version	pom	parent-version	2.2	Low
Version	pom	version	2.2	Highest

Identifiers

pkg:maven/javax.persistence/javax.persistence-api@2.2 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.2:*:*:*:*:*:*:* (Confidence:Low)

Description:

Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html

File Path: /home/grprdist/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Project/Scope:Grouper WS:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	javax.servlet-api	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	servlet	Highest
Vendor	Manifest	bundle-docurl	https://glassfish.dev.java.net	Low
Vendor	Manifest	bundle-symbolicname	javax.servlet-api	Medium
Vendor	Manifest	extension-name	javax.servlet	Medium
Vendor	Manifest	Implementation-Vendor	GlassFish Community	High
Vendor	Manifest	Implementation-Vendor-Id	org.glassfish	Medium
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	javax.servlet-api	Highest
Vendor	pom	artifactid	javax.servlet-api	Low
Vendor	pom	developer id	mode	Medium
Vendor	pom	developer id	swchan2	Medium
Vendor	pom	developer name	Rajiv Mordani	Medium
Vendor	pom	developer name	Shing Wai Chan	Medium
Vendor	pom	developer org	Oracle	Medium
Vendor	pom	groupid	javax.servlet	Highest
Vendor	pom	name	Java Servlet API	High
Vendor	pom	organization name	GlassFish Community	High
Vendor	pom	organization url	https://glassfish.dev.java.net	Medium
Vendor	pom	parent-artifactid	jvnet-parent	Low
Vendor	pom	parent-groupid	net.java	Medium
Vendor	pom	url	http://servlet-spec.java.net	Highest
Vendor	pom (hint)	developer org	sun	Medium
Product	file	name	javax.servlet-api	High
Product	jar	package name	javax	Highest
Product	jar	package name	servlet	Highest
Product	Manifest	bundle-docurl	https://glassfish.dev.java.net	Low
Product	Manifest	Bundle-Name	Java Servlet API	Medium
Product	Manifest	bundle-symbolicname	javax.servlet-api	Medium
Product	Manifest	extension-name	javax.servlet	Medium
Product	pom	artifactid	javax.servlet-api	Highest
Product	pom	developer id	mode	Low
Product	pom	developer id	swchan2	Low
Product	pom	developer name	Rajiv Mordani	Low
Product	pom	developer name	Shing Wai Chan	Low
Product	pom	developer org	Oracle	Low
Product	pom	groupid	javax.servlet	Highest
Product	pom	name	Java Servlet API	High
Product	pom	organization name	GlassFish Community	Low
Product	pom	organization url	https://glassfish.dev.java.net	Low
Product	pom	parent-artifactid	jvnet-parent	Medium
Product	pom	parent-groupid	net.java	Medium
Product	pom	url	http://servlet-spec.java.net	Medium
Version	file	version	3.1.0	High
Version	Manifest	Bundle-Version	3.1.0	High
Version	Manifest	Implementation-Version	3.1.0	High
Version	pom	parent-version	3.1.0	Low
Version	pom	version	3.1.0	Highest

Identifiers

pkg:maven/javax.servlet/javax.servlet-api@3.1.0 (Confidence:High)
cpe:2.3:a:oracle:java_se:3.1.0:*:*:*:*:*:*:* (Confidence:Medium)

Description:

JAXB (JSR 222) API

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1

File Path: /home/grprdist/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jaxb-api	High
Vendor	jar	package name	bind	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	jaxb	Highest
Vendor	jar	package name	xml	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com/	Low
Vendor	Manifest	bundle-symbolicname	jaxb-api	Medium
Vendor	Manifest	extension-name	javax.xml.bind	Medium
Vendor	Manifest	implementation-build-id	UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700	Low
Vendor	Manifest	Implementation-Vendor	Oracle Corporation	High
Vendor	Manifest	Implementation-Vendor-Id	org.glassfish	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	jaxb-api	Highest
Vendor	pom	artifactid	jaxb-api	Low
Vendor	pom	groupid	javax.xml.bind	Highest
Vendor	pom	parent-artifactid	jaxb-api-parent	Low
Product	file	name	jaxb-api	High
Product	jar	package name	bind	Highest
Product	jar	package name	javax	Highest
Product	jar	package name	jaxb	Highest
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com/	Low
Product	Manifest	Bundle-Name	jaxb-api	Medium
Product	Manifest	bundle-symbolicname	jaxb-api	Medium
Product	Manifest	extension-name	javax.xml.bind	Medium
Product	Manifest	implementation-build-id	UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700	Low
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))"	Low
Product	Manifest	specification-title	jaxb-api	Medium
Product	pom	artifactid	jaxb-api	Highest
Product	pom	groupid	javax.xml.bind	Highest
Product	pom	parent-artifactid	jaxb-api-parent	Medium
Version	file	version	2.3.1	High
Version	Manifest	Bundle-Version	2.3.1	High
Version	pom	version	2.3.1	Highest

Identifiers

pkg:maven/javax.xml.bind/jaxb-api@2.3.1 (Confidence:High)
cpe:2.3:a:oracle:java_se:2.3.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

JAXB (JSR 222) Reference Implementation

File Path: /home/grprdist/.m2/repository/org/glassfish/jaxb/jaxb-runtime/2.3.1/jaxb-runtime-2.3.1.jar
MD5: 848098e3eda0d37738d51a7acacd8e95
SHA1: dd6dda9da676a54c5b36ca2806ff95ee017d8738
SHA256:45fecfa5c8217ce1f3652ab95179790ec8cc0dec0384bca51cbeb94a293d9f2f
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jaxb-runtime	High
Vendor	jar	package name	bind	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	jaxb-runtime	Highest
Vendor	pom	artifactid	jaxb-runtime	Low
Vendor	pom	groupid	org.glassfish.jaxb	Highest
Vendor	pom	name	JAXB Runtime	High
Vendor	pom	parent-artifactid	jaxb-runtime-parent	Low
Vendor	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Product	file	name	jaxb-runtime	High
Product	jar	package name	bind	Highest
Product	jar	package name	sun	Highest
Product	jar	package name	xml	Highest
Product	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Product	Manifest	Implementation-Title	JAXB Implementation	High
Product	Manifest	specification-title	Java Architecture for XML Binding	Medium
Product	pom	artifactid	jaxb-runtime	Highest
Product	pom	groupid	org.glassfish.jaxb	Highest
Product	pom	name	JAXB Runtime	High
Product	pom	parent-artifactid	jaxb-runtime-parent	Medium
Product	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Version	file	version	2.3.1	High
Version	Manifest	build-id	2.3.1	Medium
Version	Manifest	Implementation-Version	2.3.1	High
Version	Manifest	major-version	2.3.1	Medium
Version	pom	version	2.3.1	Highest

Identifiers

pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1 (Confidence:High)

Description:

Jaxen is a universal Java XPath engine.

License:

http://jaxen.codehaus.org/license.html

File Path: /home/grprdist/.m2/repository/jaxen/jaxen/1.1.6/jaxen-1.1.6.jar
MD5: a140517286b56eea981e188dcc3a13f6
SHA1: 3f8c36d9a0578e8e98f030c662b69888b1430ac0
SHA256:5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jaxen	High
Vendor	jar	package name	jaxen	Highest
Vendor	jar	package name	xpath	Highest
Vendor	Manifest	bundle-docurl	http://codehaus.org	Low
Vendor	Manifest	bundle-symbolicname	jaxen	Medium
Vendor	pom	artifactid	jaxen	Highest
Vendor	pom	artifactid	jaxen	Low
Vendor	pom	developer email	bob@eng.werken.com	Low
Vendor	pom	developer email	brian.ewins@gmail.com	Low
Vendor	pom	developer email	contact@megginson.com	Low
Vendor	pom	developer email	elharo@ibiblio.org	Low
Vendor	pom	developer email	erwin@klomp.org	Low
Vendor	pom	developer email	james_strachan@yahoo.co.uk	Low
Vendor	pom	developer email	jdvorak@users.sourceforge.net	Low
Vendor	pom	developer email	mbelonga@users.sourceforge.net	Low
Vendor	pom	developer email	peter.royal@pobox.com	Low
Vendor	pom	developer email	purpletech@users.sourceforge.net	Low
Vendor	pom	developer email	scott@dotnot.org	Low
Vendor	pom	developer email	szegedia@users.sourceforge.net	Low
Vendor	pom	developer email	xcut@users.sourceforge.net	Low
Vendor	pom	developer id	bewins	Medium
Vendor	pom	developer id	bob	Medium
Vendor	pom	developer id	cnentwich	Medium
Vendor	pom	developer id	dmegginson	Medium
Vendor	pom	developer id	eboldwidt	Medium
Vendor	pom	developer id	elharo	Medium
Vendor	pom	developer id	jdvorak	Medium
Vendor	pom	developer id	jstrachan	Medium
Vendor	pom	developer id	mbelonga	Medium
Vendor	pom	developer id	proyal	Medium
Vendor	pom	developer id	purpletech	Medium
Vendor	pom	developer id	ssanders	Medium
Vendor	pom	developer id	szegedia	Medium
Vendor	pom	developer name	Alexander Day Chaffee	Medium
Vendor	pom	developer name	Attila Szegedi	Medium
Vendor	pom	developer name	Bob McWhirter	Medium
Vendor	pom	developer name	Brian Ewins	Medium
Vendor	pom	developer name	Christian Nentwich	Medium
Vendor	pom	developer name	David Megginson	Medium
Vendor	pom	developer name	Elliotte Rusty Harold	Medium
Vendor	pom	developer name	Erwin Bolwidt	Medium
Vendor	pom	developer name	James Strachan	Medium
Vendor	pom	developer name	Jan Dvorak	Medium
Vendor	pom	developer name	Mark A. Belonga	Medium
Vendor	pom	developer name	Peter Royal	Medium
Vendor	pom	developer name	Scott Sanders	Medium
Vendor	pom	developer org	Cafe au Lait	Medium
Vendor	pom	developer org	dotnot	Medium
Vendor	pom	developer org	Megginson Technologies	Medium
Vendor	pom	developer org	Purple Technologies	Medium
Vendor	pom	developer org	Spiritsoft	Medium
Vendor	pom	developer org	The Werken Company	Medium
Vendor	pom	groupid	jaxen	Highest
Vendor	pom	name	jaxen	High
Vendor	pom	organization name	Codehaus	High
Vendor	pom	organization url	http://codehaus.org	Medium
Vendor	pom	url	http://jaxen.codehaus.org/	Highest
Product	file	name	jaxen	High
Product	jar	package name	jaxen	Highest
Product	jar	package name	xpath	Highest
Product	Manifest	bundle-docurl	http://codehaus.org	Low
Product	Manifest	Bundle-Name	jaxen	Medium
Product	Manifest	bundle-symbolicname	jaxen	Medium
Product	pom	artifactid	jaxen	Highest
Product	pom	developer email	bob@eng.werken.com	Low
Product	pom	developer email	brian.ewins@gmail.com	Low
Product	pom	developer email	contact@megginson.com	Low
Product	pom	developer email	elharo@ibiblio.org	Low
Product	pom	developer email	erwin@klomp.org	Low
Product	pom	developer email	james_strachan@yahoo.co.uk	Low
Product	pom	developer email	jdvorak@users.sourceforge.net	Low
Product	pom	developer email	mbelonga@users.sourceforge.net	Low
Product	pom	developer email	peter.royal@pobox.com	Low
Product	pom	developer email	purpletech@users.sourceforge.net	Low
Product	pom	developer email	scott@dotnot.org	Low
Product	pom	developer email	szegedia@users.sourceforge.net	Low
Product	pom	developer email	xcut@users.sourceforge.net	Low
Product	pom	developer id	bewins	Low
Product	pom	developer id	bob	Low
Product	pom	developer id	cnentwich	Low
Product	pom	developer id	dmegginson	Low
Product	pom	developer id	eboldwidt	Low
Product	pom	developer id	elharo	Low
Product	pom	developer id	jdvorak	Low
Product	pom	developer id	jstrachan	Low
Product	pom	developer id	mbelonga	Low
Product	pom	developer id	proyal	Low
Product	pom	developer id	purpletech	Low
Product	pom	developer id	ssanders	Low
Product	pom	developer id	szegedia	Low
Product	pom	developer name	Alexander Day Chaffee	Low
Product	pom	developer name	Attila Szegedi	Low
Product	pom	developer name	Bob McWhirter	Low
Product	pom	developer name	Brian Ewins	Low
Product	pom	developer name	Christian Nentwich	Low
Product	pom	developer name	David Megginson	Low
Product	pom	developer name	Elliotte Rusty Harold	Low
Product	pom	developer name	Erwin Bolwidt	Low
Product	pom	developer name	James Strachan	Low
Product	pom	developer name	Jan Dvorak	Low
Product	pom	developer name	Mark A. Belonga	Low
Product	pom	developer name	Peter Royal	Low
Product	pom	developer name	Scott Sanders	Low
Product	pom	developer org	Cafe au Lait	Low
Product	pom	developer org	dotnot	Low
Product	pom	developer org	Megginson Technologies	Low
Product	pom	developer org	Purple Technologies	Low
Product	pom	developer org	Spiritsoft	Low
Product	pom	developer org	The Werken Company	Low
Product	pom	groupid	jaxen	Highest
Product	pom	name	jaxen	High
Product	pom	organization name	Codehaus	Low
Product	pom	organization url	http://codehaus.org	Low
Product	pom	url	http://jaxen.codehaus.org/	Medium
Version	file	version	1.1.6	High
Version	Manifest	Bundle-Version	1.1.6	High
Version	pom	version	1.1.6	Highest

Identifiers

pkg:maven/jaxen/jaxen@1.1.6 (Confidence:High)

Description:

The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/jboss/logging/jboss-logging/3.3.1.Final/jboss-logging-3.3.1.Final.jar
MD5: 93cf8945ff84aaf9f0ed9a76991338fb
SHA1: c46217ab74b532568c0ed31dc599db3048bd1b67
SHA256:9f7d8b884370763b131bf48a0fc91edec89ad80e0e40c47658098a686a905bb2
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jboss-logging	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	jboss	Highest
Vendor	jar	package name	logging	Highest
Vendor	Manifest	build-timestamp	Wed, 15 Mar 2017 13:22:07 -0700	Low
Vendor	Manifest	bundle-docurl	http://www.jboss.org	Low
Vendor	Manifest	bundle-symbolicname	org.jboss.logging.jboss-logging	Medium
Vendor	Manifest	implementation-url	http://www.jboss.org	Low
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.jboss.logging	Medium
Vendor	Manifest	os-arch	amd64	Low
Vendor	Manifest	os-name	Linux	Medium
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	pom	artifactid	jboss-logging	Highest
Vendor	pom	artifactid	jboss-logging	Low
Vendor	pom	groupid	org.jboss.logging	Highest
Vendor	pom	name	JBoss Logging 3	High
Vendor	pom	parent-artifactid	jboss-parent	Low
Vendor	pom	parent-groupid	org.jboss	Medium
Vendor	pom	url	http://www.jboss.org	Highest
Product	file	name	jboss-logging	High
Product	jar	package name	jboss	Highest
Product	jar	package name	logging	Highest
Product	Manifest	build-timestamp	Wed, 15 Mar 2017 13:22:07 -0700	Low
Product	Manifest	bundle-docurl	http://www.jboss.org	Low
Product	Manifest	Bundle-Name	JBoss Logging 3	Medium
Product	Manifest	bundle-symbolicname	org.jboss.logging.jboss-logging	Medium
Product	Manifest	Implementation-Title	JBoss Logging 3	High
Product	Manifest	implementation-url	http://www.jboss.org	Low
Product	Manifest	os-arch	amd64	Low
Product	Manifest	os-name	Linux	Medium
Product	Manifest	specification-title	JBoss Logging 3	Medium
Product	pom	artifactid	jboss-logging	Highest
Product	pom	groupid	org.jboss.logging	Highest
Product	pom	name	JBoss Logging 3	High
Product	pom	parent-artifactid	jboss-parent	Medium
Product	pom	parent-groupid	org.jboss	Medium
Product	pom	url	http://www.jboss.org	Medium
Version	Manifest	Bundle-Version	3.3.1.Final	High
Version	Manifest	Implementation-Version	3.3.1.Final	High
Version	pom	parent-version	3.3.1.Final	Low
Version	pom	version	3.3.1.Final	Highest

Identifiers

pkg:maven/org.jboss.logging/jboss-logging@3.3.1.Final (Confidence:High)

Description:

The Java Transaction 1.2 API classes

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt

File Path: /home/grprdist/.m2/repository/org/jboss/spec/javax/transaction/jboss-transaction-api_1.2_spec/1.1.1.Final/jboss-transaction-api_1.2_spec-1.1.1.Final.jar
MD5: 1e633c47138aba999d39692a31a1a124
SHA1: a8485cab9484dda36e9a8c319e76b5cc18797b58
SHA256:a310a50b9bdc44aaf36362dc9bb212235a147ffa8ef72dc9544a39c329eabbc3
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jboss-transaction-api_1.2_spec-1.1.1.Final	High
Vendor	hint analyzer	vendor	redhat	Highest
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	transaction	Highest
Vendor	Manifest	automatic-module-name	java.transaction	Medium
Vendor	Manifest	bundle-docurl	http://www.jboss.org	Low
Vendor	Manifest	bundle-symbolicname	org.jboss.spec.javax.transaction.jboss-transaction-api_1.2_spec	Medium
Vendor	Manifest	implementation-url	http://www.jboss.org/jboss-transaction-api_1.2_spec	Low
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.jboss.spec.javax.transaction	Medium
Vendor	Manifest	os-arch	x86	Low
Vendor	Manifest	os-name	Windows 10	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	jboss-transaction-api_1.2_spec	Highest
Vendor	pom	artifactid	jboss-transaction-api_1.2_spec	Low
Vendor	pom	groupid	org.jboss.spec.javax.transaction	Highest
Vendor	pom	name	Java Transaction API	High
Vendor	pom	parent-artifactid	jboss-parent	Low
Vendor	pom	parent-groupid	org.jboss	Medium
Product	file	name	jboss-transaction-api_1.2_spec-1.1.1.Final	High
Product	jar	package name	javax	Highest
Product	jar	package name	transaction	Highest
Product	Manifest	automatic-module-name	java.transaction	Medium
Product	Manifest	bundle-docurl	http://www.jboss.org	Low
Product	Manifest	Bundle-Name	Java Transaction API	Medium
Product	Manifest	bundle-symbolicname	org.jboss.spec.javax.transaction.jboss-transaction-api_1.2_spec	Medium
Product	Manifest	Implementation-Title	Java Transaction API	High
Product	Manifest	implementation-url	http://www.jboss.org/jboss-transaction-api_1.2_spec	Low
Product	Manifest	os-arch	x86	Low
Product	Manifest	os-name	Windows 10	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	JSR 907: Java Transaction API (JTA)	Medium
Product	pom	artifactid	jboss-transaction-api_1.2_spec	Highest
Product	pom	groupid	org.jboss.spec.javax.transaction	Highest
Product	pom	name	Java Transaction API	High
Product	pom	parent-artifactid	jboss-parent	Medium
Product	pom	parent-groupid	org.jboss	Medium
Version	Manifest	Bundle-Version	1.1.1.Final	High
Version	Manifest	Implementation-Version	1.1.1.Final	High
Version	pom	parent-version	1.1.1.Final	Low
Version	pom	version	1.1.1.Final	Highest

Identifiers

pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.2_spec@1.1.1.Final (Confidence:High)

Description:

    A clean room implementation of the JCIP Annotations based entirely on the specification provided by the javadocs.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/github/stephenc/jcip/jcip-annotations/1.0-1/jcip-annotations-1.0-1.jar
MD5: d62dbfa8789378457ada685e2f614846
SHA1: ef31541dd28ae2cefdd17c7ebf352d93e9058c63
SHA256:4fccff8382aafc589962c4edb262f6aa595e34f1e11e61057d1c6a96e8fc7323
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jcip-annotations	High
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	annotations	Low
Vendor	jar	package name	jcip	Highest
Vendor	jar	package name	jcip	Low
Vendor	jar	package name	net	Low
Vendor	pom	artifactid	jcip-annotations	Highest
Vendor	pom	artifactid	jcip-annotations	Low
Vendor	pom	developer id	stephenc	Medium
Vendor	pom	developer name	Stephen Connolly	Medium
Vendor	pom	groupid	com.github.stephenc.jcip	Highest
Vendor	pom	name	JCIP Annotations under Apache License	High
Vendor	pom	url	http://stephenc.github.com/jcip-annotations	Highest
Product	file	name	jcip-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	annotations	Low
Product	jar	package name	jcip	Highest
Product	jar	package name	jcip	Low
Product	pom	artifactid	jcip-annotations	Highest
Product	pom	developer id	stephenc	Low
Product	pom	developer name	Stephen Connolly	Low
Product	pom	groupid	com.github.stephenc.jcip	Highest
Product	pom	name	JCIP Annotations under Apache License	High
Product	pom	url	http://stephenc.github.com/jcip-annotations	Medium
Version	pom	version	1.0-1	Highest

Identifiers

pkg:maven/com.github.stephenc.jcip/jcip-annotations@1.0-1 (Confidence:High)

Description:

Jersey core server implementation

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
The GNU General Public License (GPL), Version 2, With Classpath Exception: https://www.gnu.org/software/classpath/license.html
Apache License, 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
Modified BSD: https://asm.ow2.io/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/core/jersey-server/2.36/jersey-server-2.36.jar
MD5: 8dd2bd5634c82b57eebb0fe35aaccee2
SHA1: 73cf67d0d761b60860b7721529503a121cfa9df4
SHA256:2699758d1c33a9137363fd022d8c9c00423c800c4fde2b49d53530987e8da72d
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jersey-server	High
Vendor	jar	package name	glassfish	Highest
Vendor	jar	package name	jersey	Highest
Vendor	jar	package name	org	Highest
Vendor	jar	package name	server	Highest
Vendor	Manifest	bundle-docurl	https://www.eclipse.org/org/foundation/	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.jersey.core.jersey-server	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	jersey-server	Highest
Vendor	pom	artifactid	jersey-server	Low
Vendor	pom	groupid	org.glassfish.jersey.core	Highest
Vendor	pom	name	jersey-core-server	High
Vendor	pom	parent-artifactid	project	Low
Vendor	pom	parent-groupid	org.glassfish.jersey	Medium
Product	file	name	jersey-server	High
Product	jar	package name	filter	Highest
Product	jar	package name	glassfish	Highest
Product	jar	package name	jersey	Highest
Product	jar	package name	org	Highest
Product	jar	package name	server	Highest
Product	Manifest	bundle-docurl	https://www.eclipse.org/org/foundation/	Low
Product	Manifest	Bundle-Name	jersey-core-server	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.jersey.core.jersey-server	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jersey-server	Highest
Product	pom	groupid	org.glassfish.jersey.core	Highest
Product	pom	name	jersey-core-server	High
Product	pom	parent-artifactid	project	Medium
Product	pom	parent-groupid	org.glassfish.jersey	Medium
Version	file	version	2.36	High
Version	pom	version	2.36	Highest

Related Dependencies

jersey-client-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/core/jersey-client/2.36/jersey-client-2.36.jar
- MD5: ee13f5ef0926cdbcb447415e0c5e2812
- SHA1: 0755709fb31407d36c114afbe345b47cebf0fe60
- SHA256: 027b7061001f186bd7a48bbe5f070e2774b108969776935fc9b55591a93f689d
- pkg:maven/org.glassfish.jersey.core/jersey-client@2.36
jersey-common-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/core/jersey-common/2.36/jersey-common-2.36.jar
- MD5: 4b155e7fd084ad25b5e836af5efbe4c8
- SHA1: 5d259ea71ca3c1f4566ec5bfee7320e63d79673b
- SHA256: 543b8df0bfa07e54fe65e45b351088010a2a7079ac2564023761f8dfe8eb7b33
- pkg:maven/org.glassfish.jersey.core/jersey-common@2.36
jersey-container-servlet-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/containers/jersey-container-servlet/2.36/jersey-container-servlet-2.36.jar
- MD5: 4571ad55cb3afc068f90ecc1d7c41a25
- SHA1: fa6b0f7d47d5c3e054c71eea613a6bbe62b1b733
- SHA256: 64f06051710734565486ab18910a4d3e2dbc1292a410146b66045dc1aea7cf1a
- pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet@2.36
jersey-container-servlet-core-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/containers/jersey-container-servlet-core/2.36/jersey-container-servlet-core-2.36.jar
- MD5: f7166bcea4836fa9abb54220df1a5acf
- SHA1: d3bd5067597fa7252e603502ee4ae34563852eb5
- SHA256: 08dec2b2be0e126b01632b9ac22982cf746c6f2a1aae5c65f880ac8376f010da
- pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.36
jersey-entity-filtering-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/ext/jersey-entity-filtering/2.36/jersey-entity-filtering-2.36.jar
- MD5: 92de2dfb2b8a82be5644df79a67e7ca9
- SHA1: ae4e2601c0ece31d03a148391a201a2569524472
- SHA256: e186ac37c5042e36cc96f7cdd394a792f3313de81bca746fc4906e0743acda0e
- pkg:maven/org.glassfish.jersey.ext/jersey-entity-filtering@2.36
jersey-hk2-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/inject/jersey-hk2/2.36/jersey-hk2-2.36.jar
- MD5: 11f928a24e0cb52fd8999cca0268b3b3
- SHA1: 69a57963b35428a261ac4313cfa89f6b3dc255c6
- SHA256: bdc4a8250be82943f7af1ccea4f58a92a8a73c15307ec4226fd60b8a455672f6
- pkg:maven/org.glassfish.jersey.inject/jersey-hk2@2.36
jersey-media-json-jackson-2.36.jar
- File Path: /home/grprdist/.m2/repository/org/glassfish/jersey/media/jersey-media-json-jackson/2.36/jersey-media-json-jackson-2.36.jar
- MD5: dfea909ce709536a7fe319086e6124a6
- SHA1: e83a57e43c4bd7b21d7921aa45a164555a5d1bea
- SHA256: ec49d0acae6cc9e82e8426afada26b4178929d47c66b108ae827f88f4c60609d
- pkg:maven/org.glassfish.jersey.media/jersey-media-json-jackson@2.36

Identifiers

pkg:maven/org.glassfish.jersey.core/jersey-server@2.36 (Confidence:High)
cpe:2.3:a:jersey_project:jersey:2.36:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Jetty server core

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php

File Path: /home/grprdist/.m2/repository/org/mortbay/jetty/jetty/6.1.26/jetty-6.1.26.jar
MD5: 12b65438bbaf225102d0396c21236052
SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jetty	High
Vendor	jar	package name	jetty	Highest
Vendor	jar	package name	mortbay	Highest
Vendor	jar	package name	server	Highest
Vendor	Manifest	bundle-docurl	http://jetty.mortbay.org	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Vendor	Manifest	bundle-symbolicname	org.mortbay.jetty.server	Medium
Vendor	Manifest	mode	development	Low
Vendor	Manifest	originally-created-by	1.6.0_22 (Sun Microsystems Inc.)	Low
Vendor	Manifest	url	http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty	Low
Vendor	pom	artifactid	jetty	Highest
Vendor	pom	artifactid	jetty	Low
Vendor	pom	groupid	org.mortbay.jetty	Highest
Vendor	pom	name	Jetty Server	High
Vendor	pom	parent-artifactid	project	Low
Product	file	name	jetty	High
Product	jar	package name	jetty	Highest
Product	jar	package name	mortbay	Highest
Product	jar	package name	server	Highest
Product	Manifest	bundle-docurl	http://jetty.mortbay.org	Low
Product	Manifest	Bundle-Name	Jetty Server	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Product	Manifest	bundle-symbolicname	org.mortbay.jetty.server	Medium
Product	Manifest	mode	development	Low
Product	Manifest	originally-created-by	1.6.0_22 (Sun Microsystems Inc.)	Low
Product	Manifest	url	http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty	Low
Product	pom	artifactid	jetty	Highest
Product	pom	groupid	org.mortbay.jetty	Highest
Product	pom	name	Jetty Server	High
Product	pom	parent-artifactid	project	Medium
Version	file	version	6.1.26	High
Version	Manifest	Bundle-Version	6.1.26	High
Version	Manifest	implementation-version	6.1.26	High
Version	pom	version	6.1.26	Highest

Related Dependencies

Identifiers

pkg:maven/org.mortbay.jetty/jetty@6.1.26 (Confidence:High)
cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2011-4461

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CWE-310 Cryptographic Issues

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

BUGTRAQ - 20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table
CERT-VN - VU#903934
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM - https://security.netapp.com/advisory/ntap-20190307-0004/
HP - HPSBST03346
MISC - http://www.nruns.com/_downloads/advisory28122011.pdf
MISC - http://www.ocert.org/advisories/ocert-2011-003.html
OSSINDEX - [CVE-2011-4461] CWE-310
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461
OSSIndex - http://www.ocert.org/advisories/ocert-2011-003.html
OSSIndex - http://www.ubuntu.com/usn/USN-1429-1/
SECTRACK - 1026475
SECUNIA - 47408
SECUNIA - 48981
UBUNTU - USN-1429-1
XF - jetty-hash-dos(72017)

Vulnerable Software & Versions: (show all)

CVE-2009-1523

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

BID - 34800
BID - 35675
CERT-VN - VU#402580
CONFIRM - http://jira.codehaus.org/browse/JETTY-1004
CONFIRM - http://www.kb.cert.org/vuls/id/CRDY-7RKQCY
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=499867
FEDORA - FEDORA-2009-5500
FEDORA - FEDORA-2009-5509
FEDORA - FEDORA-2009-5513
HP - SSRT100184
SECTRACK - 1022563
SECUNIA - 34975
SECUNIA - 35143
SECUNIA - 35225
SECUNIA - 35776
SECUNIA - 40553
VUPEN - ADV-2009-1900
VUPEN - ADV-2010-1792

Vulnerable Software & Versions: (show all)

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php

File Path: /home/grprdist/.m2/repository/jline/jline/2.14.5/jline-2.14.5.jar
MD5: 54de3b3c5a84e395d8066c143802985e
SHA1: fdedd5f2522122102f0b3db85fe7aa563a009926
SHA256:4f347bc90d6f5ce61c0f8928d44a7b993275ceaa7d7f237714518a9bdd5003ce
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jline	High
Vendor	jar	package name	jline	Highest
Vendor	Manifest	bundle-symbolicname	jline	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	pom	artifactid	jline	Highest
Vendor	pom	artifactid	jline	Low
Vendor	pom	developer email	gnodet@gmail.com	Low
Vendor	pom	developer email	jason@planet57.com	Low
Vendor	pom	developer email	mprudhom@gmail.com	Low
Vendor	pom	developer id	gnodet	Medium
Vendor	pom	developer id	jdillon	Medium
Vendor	pom	developer id	mprudhom	Medium
Vendor	pom	developer name	Guillaume Nodet	Medium
Vendor	pom	developer name	Jason Dillon	Medium
Vendor	pom	developer name	Marc Prud'hommeaux	Medium
Vendor	pom	groupid	jline	Highest
Vendor	pom	name	JLine	High
Product	file	name	jline	High
Product	jar	package name	jline	Highest
Product	Manifest	Bundle-Name	JLine	Medium
Product	Manifest	bundle-symbolicname	jline	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	pom	artifactid	jline	Highest
Product	pom	developer email	gnodet@gmail.com	Low
Product	pom	developer email	jason@planet57.com	Low
Product	pom	developer email	mprudhom@gmail.com	Low
Product	pom	developer id	gnodet	Low
Product	pom	developer id	jdillon	Low
Product	pom	developer id	mprudhom	Low
Product	pom	developer name	Guillaume Nodet	Low
Product	pom	developer name	Jason Dillon	Low
Product	pom	developer name	Marc Prud'hommeaux	Low
Product	pom	groupid	jline	Highest
Product	pom	name	JLine	High
Version	file	version	2.14.5	High
Version	Manifest	Bundle-Version	2.14.5	High
Version	pom	version	2.14.5	Highest

Identifiers

pkg:maven/jline/jline@2.14.5 (Confidence:High)

Description:

Implementation of the JMES Path JSON Query langauge for Java.

License:

Apache License, Version 2.0: https://aws.amazon.com/apache2.0

File Path: /home/grprdist/.m2/repository/com/amazonaws/jmespath-java/1.12.267/jmespath-java-1.12.267.jar
MD5: e2a19172a5599b97ba09a270eac7acda
SHA1: 27260189acb9fbfc3a72c8f67dbdf4ce7d11276b
SHA256:dfa93938d0c40fd07e8e97fc0db2d9b062eb69d295e524c5dd614956bf13844e
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jmespath-java	High
Vendor	jar	package name	amazonaws	Highest
Vendor	jar	package name	amazonaws	Low
Vendor	jar	package name	jmespath	Highest
Vendor	jar	package name	jmespath	Low
Vendor	pom	artifactid	jmespath-java	Highest
Vendor	pom	artifactid	jmespath-java	Low
Vendor	pom	developer id	amazonwebservices	Medium
Vendor	pom	developer org	Amazon Web Services	Medium
Vendor	pom	developer org URL	https://aws.amazon.com	Medium
Vendor	pom	groupid	com.amazonaws	Highest
Vendor	pom	name	JMES Path Query library	High
Vendor	pom	parent-artifactid	aws-java-sdk-pom	Low
Vendor	pom	url	https://aws.amazon.com/sdkforjava	Highest
Product	file	name	jmespath-java	High
Product	jar	package name	amazonaws	Highest
Product	jar	package name	jmespath	Highest
Product	jar	package name	jmespath	Low
Product	pom	artifactid	jmespath-java	Highest
Product	pom	developer id	amazonwebservices	Low
Product	pom	developer org	Amazon Web Services	Low
Product	pom	developer org URL	https://aws.amazon.com	Low
Product	pom	groupid	com.amazonaws	Highest
Product	pom	name	JMES Path Query library	High
Product	pom	parent-artifactid	aws-java-sdk-pom	Medium
Product	pom	url	https://aws.amazon.com/sdkforjava	Medium
Version	file	version	1.12.267	High
Version	pom	version	1.12.267	Highest

Identifiers

pkg:maven/com.amazonaws/jmespath-java@1.12.267 (Confidence:High)
cpe:2.3:a:amazon:aws-sdk-java:1.12.267:*:*:*:*:*:*:* (Confidence:Low)

Description:

Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/joda-time/joda-time/2.9.9/joda-time-2.9.9.jar
MD5: eca438c8cc2b1de38e28d884b7f15dbc
SHA1: f7b520c458572890807d143670c9b24f4de90897
SHA256:b049a43c1057942e6acfbece008e4949b2e35d1658d0c8e06f4485397e2fa4e7
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	joda-time	High
Vendor	jar	package name	joda	Highest
Vendor	jar	package name	time	Highest
Vendor	Manifest	bundle-docurl	http://www.joda.org/joda-time/	Low
Vendor	Manifest	bundle-symbolicname	joda-time	Medium
Vendor	Manifest	extension-name	joda-time	Medium
Vendor	Manifest	implementation-url	http://www.joda.org/joda-time/	Low
Vendor	Manifest	Implementation-Vendor	Joda.org	High
Vendor	Manifest	Implementation-Vendor-Id	org.joda	Medium
Vendor	Manifest	specification-vendor	Joda.org	Low
Vendor	pom	artifactid	joda-time	Highest
Vendor	pom	artifactid	joda-time	Low
Vendor	pom	developer id	broneill	Medium
Vendor	pom	developer id	jodastephen	Medium
Vendor	pom	developer name	Brian S O'Neill	Medium
Vendor	pom	developer name	Stephen Colebourne	Medium
Vendor	pom	groupid	joda-time	Highest
Vendor	pom	name	Joda-Time	High
Vendor	pom	organization name	Joda.org	High
Vendor	pom	organization url	http://www.joda.org	Medium
Vendor	pom	url	http://www.joda.org/joda-time/	Highest
Product	file	name	joda-time	High
Product	jar	package name	joda	Highest
Product	jar	package name	time	Highest
Product	Manifest	bundle-docurl	http://www.joda.org/joda-time/	Low
Product	Manifest	Bundle-Name	Joda-Time	Medium
Product	Manifest	bundle-symbolicname	joda-time	Medium
Product	Manifest	extension-name	joda-time	Medium
Product	Manifest	Implementation-Title	org.joda.time	High
Product	Manifest	implementation-url	http://www.joda.org/joda-time/	Low
Product	Manifest	specification-title	Joda-Time	Medium
Product	pom	artifactid	joda-time	Highest
Product	pom	developer id	broneill	Low
Product	pom	developer id	jodastephen	Low
Product	pom	developer name	Brian S O'Neill	Low
Product	pom	developer name	Stephen Colebourne	Low
Product	pom	groupid	joda-time	Highest
Product	pom	name	Joda-Time	High
Product	pom	organization name	Joda.org	Low
Product	pom	organization url	http://www.joda.org	Low
Product	pom	url	http://www.joda.org/joda-time/	Medium
Version	file	version	2.9.9	High
Version	Manifest	Bundle-Version	2.9.9	High
Version	Manifest	Implementation-Version	2.9.9	High
Version	pom	version	2.9.9	Highest

Identifiers

pkg:maven/joda-time/joda-time@2.9.9 (Confidence:High)
cpe:2.3:a:time_project:time:2.9.9:*:*:*:*:*:*:* (Confidence:Highest)

Description:

JSch is a pure Java implementation of SSH2

License:

Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt

File Path: /home/grprdist/.m2/repository/com/jcraft/jsch/0.1.55/jsch-0.1.55.jar
MD5: c395ada0fc012d66f11bd30246f6c84d
SHA1: bbd40e5aa7aa3cfad5db34965456cee738a42a50
SHA256:d492b15a6d2ea3f1cc39c422c953c40c12289073dbe8360d98c0f6f9ec74fc44
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jsch	High
Vendor	jar	package name	jcraft	Highest
Vendor	jar	package name	jcraft	Low
Vendor	jar	package name	jsch	Highest
Vendor	jar	package name	jsch	Low
Vendor	pom	artifactid	jsch	Highest
Vendor	pom	artifactid	jsch	Low
Vendor	pom	developer email	ymnk at jcraft D0t com	Low
Vendor	pom	developer id	ymnk	Medium
Vendor	pom	developer name	Atsuhiko Yamanaka	Medium
Vendor	pom	developer org	JCraft,Inc.	Medium
Vendor	pom	developer org URL	http://www.jcraft.com/	Medium
Vendor	pom	groupid	com.jcraft	Highest
Vendor	pom	name	JSch	High
Vendor	pom	organization name	JCraft,Inc.	High
Vendor	pom	organization url	http://www.jcraft.com/	Medium
Vendor	pom	url	http://www.jcraft.com/jsch/	Highest
Product	file	name	jsch	High
Product	jar	package name	jcraft	Highest
Product	jar	package name	jsch	Highest
Product	jar	package name	jsch	Low
Product	pom	artifactid	jsch	Highest
Product	pom	developer email	ymnk at jcraft D0t com	Low
Product	pom	developer id	ymnk	Low
Product	pom	developer name	Atsuhiko Yamanaka	Low
Product	pom	developer org	JCraft,Inc.	Low
Product	pom	developer org URL	http://www.jcraft.com/	Low
Product	pom	groupid	com.jcraft	Highest
Product	pom	name	JSch	High
Product	pom	organization name	JCraft,Inc.	Low
Product	pom	organization url	http://www.jcraft.com/	Low
Product	pom	url	http://www.jcraft.com/jsch/	Medium
Version	file	version	0.1.55	High
Version	pom	version	0.1.55	Highest

Identifiers

pkg:maven/com.jcraft/jsch@0.1.55 (Confidence:High)
cpe:2.3:a:jcraft:jsch:0.1.55:*:*:*:*:*:*:* (Confidence:Highest)

File Path: /home/grprdist/.m2/repository/net/sf/json-lib/json-lib/2.4/json-lib-2.4-jdk15.jar
MD5: f5db294d05b3d5a5bfb873455b0a8626
SHA1: 136743e0d12df4e785e62b48618cee169b2ae546
SHA256:8290f8871ebd3db52e36c6fa844fe172895b2c714ea589cfed3d78ad9c01a924
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	json-lib	High
Vendor	jar	package name	json	Low
Vendor	jar	package name	net	Low
Vendor	jar	package name	sf	Low
Vendor	pom	artifactid	json-lib	Highest
Vendor	pom	groupid	net.sf.json-lib	Highest
Product	file	name	json-lib	High
Product	jar	package name	json	Low
Product	jar	package name	sf	Low
Product	pom	artifactid	json-lib	Highest
Version	file	name	json-lib	Medium
Version	file	version	2.4.jdk15	High
Version	pom	version	2.4	Highest

Identifiers

pkg:maven/net.sf.json-lib/json-lib@2.4 (Confidence:Highest)

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/net/minidev/json-smart/2.4.8/json-smart-2.4.8.jar
MD5: 20a8427206313ed3aa85cdc47f730415
SHA1: 7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f
SHA256:174a9ad578b56644e62b3965d8bf94ac3a76e707c6343b8abac9d3671438b4b2
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	json-smart	High
Vendor	jar	package name	json	Highest
Vendor	jar	package name	minidev	Highest
Vendor	jar	package name	net	Highest
Vendor	jar	package name	parser	Highest
Vendor	Manifest	bundle-docurl	https://urielch.github.io/	Low
Vendor	Manifest	bundle-symbolicname	net.minidev.json-smart	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	json-smart	Highest
Vendor	pom	artifactid	json-smart	Low
Vendor	pom	developer email	adoneitan@gmail.com	Low
Vendor	pom	developer email	shoothzj@gmail.com	Low
Vendor	pom	developer email	uchemouni@gmail.com	Low
Vendor	pom	developer id	erav	Medium
Vendor	pom	developer id	Shoothzj	Medium
Vendor	pom	developer id	uriel	Medium
Vendor	pom	developer name	Eitan Raviv	Medium
Vendor	pom	developer name	Uriel Chemouni	Medium
Vendor	pom	developer name	ZhangJian He	Medium
Vendor	pom	groupid	net.minidev	Highest
Vendor	pom	name	JSON Small and Fast Parser	High
Vendor	pom	organization name	Chemouni Uriel	High
Vendor	pom	organization url	https://urielch.github.io/	Medium
Vendor	pom	url	https://urielch.github.io/	Highest
Product	file	name	json-smart	High
Product	jar	package name	json	Highest
Product	jar	package name	minidev	Highest
Product	jar	package name	net	Highest
Product	jar	package name	parser	Highest
Product	Manifest	bundle-docurl	https://urielch.github.io/	Low
Product	Manifest	Bundle-Name	json-smart	Medium
Product	Manifest	bundle-symbolicname	net.minidev.json-smart	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	json-smart	Highest
Product	pom	developer email	adoneitan@gmail.com	Low
Product	pom	developer email	shoothzj@gmail.com	Low
Product	pom	developer email	uchemouni@gmail.com	Low
Product	pom	developer id	erav	Low
Product	pom	developer id	Shoothzj	Low
Product	pom	developer id	uriel	Low
Product	pom	developer name	Eitan Raviv	Low
Product	pom	developer name	Uriel Chemouni	Low
Product	pom	developer name	ZhangJian He	Low
Product	pom	groupid	net.minidev	Highest
Product	pom	name	JSON Small and Fast Parser	High
Product	pom	organization name	Chemouni Uriel	Low
Product	pom	organization url	https://urielch.github.io/	Low
Product	pom	url	https://urielch.github.io/	Medium
Version	file	version	2.4.8	High
Version	Manifest	Bundle-Version	2.4.8	High
Version	pom	version	2.4.8	Highest

Identifiers

pkg:maven/net.minidev/json-smart@2.4.8 (Confidence:High)
cpe:2.3:a:ini-parser_project:ini-parser:2.4.8:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:*:*:*:*:*:*:* (Confidence:Low)

Description:

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for fetching URLs and extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

License:

The MIT License: https://jsoup.org/license

File Path: /home/grprdist/.m2/repository/org/jsoup/jsoup/1.15.3/jsoup-1.15.3.jar
MD5: 4f16c3b17b8c1b0173b1ed9f99f2c27c
SHA1: f6e1d8a8819f854b681c8eaa57fd59a42329e10c
SHA256:e20a5e78b1372f2a4e620832db4442d5077e5cbde280b24c666a3770844999bc
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jsoup	High
Vendor	jar	package name	jsoup	Highest
Vendor	jar	package name	parser	Highest
Vendor	Manifest	automatic-module-name	org.jsoup	Medium
Vendor	Manifest	build-jdk-spec	18	Low
Vendor	Manifest	bundle-docurl	https://jsoup.org/	Low
Vendor	Manifest	bundle-symbolicname	org.jsoup	Medium
Vendor	Manifest	Implementation-Vendor	Jonathan Hedley	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	jsoup	Highest
Vendor	pom	artifactid	jsoup	Low
Vendor	pom	developer email	jonathan@hedley.net	Low
Vendor	pom	developer id	jhy	Medium
Vendor	pom	developer name	Jonathan Hedley	Medium
Vendor	pom	groupid	org.jsoup	Highest
Vendor	pom	name	jsoup Java HTML Parser	High
Vendor	pom	organization name	Jonathan Hedley	High
Vendor	pom	organization url	https://jhy.io/	Medium
Vendor	pom	url	https://jsoup.org/	Highest
Product	file	name	jsoup	High
Product	jar	package name	jsoup	Highest
Product	jar	package name	parser	Highest
Product	Manifest	automatic-module-name	org.jsoup	Medium
Product	Manifest	build-jdk-spec	18	Low
Product	Manifest	bundle-docurl	https://jsoup.org/	Low
Product	Manifest	Bundle-Name	jsoup Java HTML Parser	Medium
Product	Manifest	bundle-symbolicname	org.jsoup	Medium
Product	Manifest	Implementation-Title	jsoup Java HTML Parser	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	jsoup	Highest
Product	pom	developer email	jonathan@hedley.net	Low
Product	pom	developer id	jhy	Low
Product	pom	developer name	Jonathan Hedley	Low
Product	pom	groupid	org.jsoup	Highest
Product	pom	name	jsoup Java HTML Parser	High
Product	pom	organization name	Jonathan Hedley	Low
Product	pom	organization url	https://jhy.io/	Low
Product	pom	url	https://jsoup.org/	Medium
Version	file	version	1.15.3	High
Version	Manifest	Bundle-Version	1.15.3	High
Version	Manifest	Implementation-Version	1.15.3	High
Version	pom	version	1.15.3	Highest

Identifiers

pkg:maven/org.jsoup/jsoup@1.15.3 (Confidence:High)
cpe:2.3:a:jsoup:jsoup:1.15.3:*:*:*:*:*:*:* (Confidence:Highest)

License:

                CDDL License
            : http://www.opensource.org/licenses/cddl1.php

File Path: /home/grprdist/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a
Referenced In Projects/Scopes:

Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jsr311-api	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	rs	Highest
Vendor	jar	package name	ws	Highest
Vendor	Manifest	bundle-docurl	http://www.sun.com/	Low
Vendor	Manifest	bundle-symbolicname	javax.ws.rs.jsr311-api	Medium
Vendor	Manifest	extension-name	javax.ws.rs	Medium
Vendor	Manifest	specification-vendor	Sun Microsystems, Inc.	Low
Vendor	pom	artifactid	jsr311-api	Highest
Vendor	pom	artifactid	jsr311-api	Low
Vendor	pom	groupid	javax.ws.rs	Highest
Vendor	pom	name	jsr311-api	High
Vendor	pom	organization name	Sun Microsystems, Inc	High
Vendor	pom	organization url	http://www.sun.com/	Medium
Vendor	pom	url	https://jsr311.dev.java.net	Highest
Product	file	name	jsr311-api	High
Product	hint analyzer	product	web services	Medium
Product	jar	package name	javax	Highest
Product	jar	package name	rs	Highest
Product	jar	package name	ws	Highest
Product	Manifest	bundle-docurl	http://www.sun.com/	Low
Product	Manifest	Bundle-Name	jsr311-api	Medium
Product	Manifest	bundle-symbolicname	javax.ws.rs.jsr311-api	Medium
Product	Manifest	extension-name	javax.ws.rs	Medium
Product	Manifest	specification-title	JAX-RS: Java API for RESTful Web Services	Medium
Product	pom	artifactid	jsr311-api	Highest
Product	pom	groupid	javax.ws.rs	Highest
Product	pom	name	jsr311-api	High
Product	pom	organization name	Sun Microsystems, Inc	Low
Product	pom	organization url	http://www.sun.com/	Low
Product	pom	url	https://jsr311.dev.java.net	Medium
Version	file	version	1.1.1	High
Version	Manifest	Bundle-Version	1.1.1	High
Version	Manifest	specification-version	1.1.1	High
Version	pom	version	1.1.1	Highest

Identifiers

pkg:maven/javax.ws.rs/jsr311-api@1.1.1 (Confidence:High)
cpe:2.3:a:web_project:web:1.1.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

    The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.

File Path: /home/grprdist/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar
MD5: 82a10ce714f411b28f13850059de09ee
SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
SHA256:b8ec163b4a47bad16f9a0b7d03c3210c6b0a29216d768031073ac20817c0ba50
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jta	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	transaction	Highest
Vendor	Manifest	extension-name	javax.transaction	Medium
Vendor	Manifest	specification-vendor	Sun Microsystems, Inc.	Low
Vendor	pom	artifactid	jta	Highest
Vendor	pom	artifactid	jta	Low
Vendor	pom	groupid	javax.transaction	Highest
Vendor	pom	name	Java Transaction API	High
Vendor	pom	url	http://java.sun.com/products/jta	Highest
Product	file	name	jta	High
Product	jar	package name	javax	Highest
Product	jar	package name	transaction	Highest
Product	Manifest	extension-name	javax.transaction	Medium
Product	Manifest	specification-title	Java Transaction API Specification	Medium
Product	pom	artifactid	jta	Highest
Product	pom	groupid	javax.transaction	Highest
Product	pom	name	Java Transaction API	High
Product	pom	url	http://java.sun.com/products/jta	Medium
Version	file	version	1.1	High
Version	Manifest	specification-version	1.1	High
Version	pom	version	1.1	Highest

Identifiers

pkg:maven/javax.transaction/jta@1.1 (Confidence:High)

Description:

Java implementation of "Tags for Identifying Languages" (RFC 5646)

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/lang-tag/1.7/lang-tag-1.7.jar
MD5: 31b8a4f76fdbf21f1d667f9d6618e0b2
SHA1: 97c73ecd70bc7e8eefb26c5eea84f251a63f1031
SHA256:e8c1c594e2425bdbea2d860de55c69b69fc5d59454452449a0f0913c2a5b8a31
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	lang-tag	High
Vendor	jar	package name	langtag	Highest
Vendor	jar	package name	nimbusds	Highest
Vendor	Manifest	build-date	${timestamp}	Low
Vendor	Manifest	build-jdk-spec	11	Low
Vendor	Manifest	build-number	${buildNumber}	Low
Vendor	Manifest	build-tag	1.7	Low
Vendor	Manifest	bundle-docurl	https://connect2id.com/	Low
Vendor	Manifest	bundle-symbolicname	lang-tag	Medium
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	Implementation-Vendor-Id	com.nimbusds	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	lang-tag	Highest
Vendor	pom	artifactid	lang-tag	Low
Vendor	pom	developer email	vladimir@dzhuvinov.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	Nimbus LangTag	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com/	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/nimbus-language-tags	Highest
Product	file	name	lang-tag	High
Product	jar	package name	langtag	Highest
Product	jar	package name	nimbusds	Highest
Product	Manifest	build-date	${timestamp}	Low
Product	Manifest	build-jdk-spec	11	Low
Product	Manifest	build-number	${buildNumber}	Low
Product	Manifest	build-tag	1.7	Low
Product	Manifest	bundle-docurl	https://connect2id.com/	Low
Product	Manifest	Bundle-Name	Nimbus LangTag	Medium
Product	Manifest	bundle-symbolicname	lang-tag	Medium
Product	Manifest	Implementation-Title	Nimbus LangTag	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	specification-title	Nimbus LangTag	Medium
Product	pom	artifactid	lang-tag	Highest
Product	pom	developer email	vladimir@dzhuvinov.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	Nimbus LangTag	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com/	Low
Product	pom	url	https://bitbucket.org/connect2id/nimbus-language-tags	Medium
Version	file	version	1.7	High
Version	Manifest	build-tag	1.7	Low
Version	Manifest	Implementation-Version	1.7	High
Version	pom	version	1.7	Highest

Identifiers

pkg:maven/com.nimbusds/lang-tag@1.7 (Confidence:High)

Description:

Ldaptive API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt, http://www.gnu.org/licenses/lgpl-3.0.txt

File Path: /home/grprdist/.m2/repository/org/ldaptive/ldaptive/1.2.4/ldaptive-1.2.4.jar
MD5: fb195e2011383d6dc6678ceea2406ba8
SHA1: 05866d99f046d84c243c57ad120cb7d5bc8b07a5
SHA256:3e8bac957050e1261c06933b4e11eff4a8e45bad3dd8e42af0d851d5d942722b
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	ldaptive	High
Vendor	jar	package name	ldaptive	Highest
Vendor	Manifest	bundle-symbolicname	org.ldaptive	Medium
Vendor	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	ldaptive	Highest
Vendor	pom	artifactid	ldaptive	Low
Vendor	pom	groupid	org.ldaptive	Highest
Vendor	pom	name	LDAPTIVE CORE	High
Vendor	pom	parent-artifactid	ldaptive-parent	Low
Product	file	name	ldaptive	High
Product	jar	package name	ldaptive	Highest
Product	Manifest	Bundle-Name	LDAPTIVE CORE	Medium
Product	Manifest	bundle-symbolicname	org.ldaptive	Medium
Product	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	ldaptive	Highest
Product	pom	groupid	org.ldaptive	Highest
Product	pom	name	LDAPTIVE CORE	High
Product	pom	parent-artifactid	ldaptive-parent	Medium
Version	file	version	1.2.4	High
Version	Manifest	Bundle-Version	1.2.4	High
Version	pom	version	1.2.4	Highest

Related Dependencies

Identifiers

pkg:maven/org.ldaptive/ldaptive@1.2.4 (Confidence:High)
cpe:2.3:a:ldaptive:ldaptive:1.2.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

The Apache Log4j Implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
MD5: 8d2f5c52700336dae846b2c3ecde7a6e
SHA1: 779f60f3844dadc3ef597976fcb1e5127b1f343d
SHA256:c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41
Referenced In Projects/Scopes:

Grouper WS Parent:compile
Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile
Grouper WS Manual Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	log4j-core	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	log4j	Highest
Vendor	jar	package name	logging	Highest
Vendor	jar	package name	org	Highest
Vendor	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Vendor	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.logging.log4j	Medium
Vendor	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Vendor	Manifest	log4jreleasemanager	Matt Sicker	Low
Vendor	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	log4j-core	Highest
Vendor	pom	artifactid	log4j-core	Low
Vendor	pom	groupid	org.apache.logging.log4j	Highest
Vendor	pom	name	Apache Log4j Core	High
Vendor	pom	parent-artifactid	log4j	Low
Product	file	name	log4j-core	High
Product	jar	package name	apache	Highest
Product	jar	package name	core	Highest
Product	jar	package name	log4j	Highest
Product	jar	package name	logging	Highest
Product	jar	package name	org	Highest
Product	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Log4j Core	Medium
Product	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Product	Manifest	Implementation-Title	Apache Log4j Core	High
Product	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Product	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Product	Manifest	log4jreleasemanager	Matt Sicker	Low
Product	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Log4j Core	Medium
Product	pom	artifactid	log4j-core	Highest
Product	pom	groupid	org.apache.logging.log4j	Highest
Product	pom	name	Apache Log4j Core	High
Product	pom	parent-artifactid	log4j	Medium
Version	file	version	2.17.1	High
Version	Manifest	Bundle-Version	2.17.1	High
Version	Manifest	Implementation-Version	2.17.1	High
Version	Manifest	log4jreleaseversion	2.17.1	Medium
Version	pom	version	2.17.1	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1 (Confidence:High)
cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:* (Confidence:Highest)

Description:

The Apache Log4j SLF4J API binding to Log4j 2 Core

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar
MD5: 8d0e5934a9c341dbc3493d4039afd985
SHA1: 84692d456bcce689355d33d68167875e486954dd
SHA256:e9a03720e5d5076009c2530635da9d08485e28a0b0ec20708dadc51afb78e41e
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	log4j-slf4j-impl	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	impl	Highest
Vendor	jar	package name	logging	Highest
Vendor	jar	package name	slf4j	Highest
Vendor	Manifest	automatic-module-name	org.apache.logging.log4j.slf4j	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.logging.log4j.slf4j-impl	Medium
Vendor	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.logging.log4j	Medium
Vendor	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Vendor	Manifest	log4jreleasemanager	Matt Sicker	Low
Vendor	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	log4j-slf4j-impl	Highest
Vendor	pom	artifactid	log4j-slf4j-impl	Low
Vendor	pom	groupid	org.apache.logging.log4j	Highest
Vendor	pom	name	Apache Log4j SLF4J Binding	High
Vendor	pom	parent-artifactid	log4j	Low
Product	file	name	log4j-slf4j-impl	High
Product	jar	package name	apache	Highest
Product	jar	package name	impl	Highest
Product	jar	package name	logging	Highest
Product	jar	package name	slf4j	Highest
Product	Manifest	automatic-module-name	org.apache.logging.log4j.slf4j	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Log4j SLF4J Binding	Medium
Product	Manifest	bundle-symbolicname	org.apache.logging.log4j.slf4j-impl	Medium
Product	Manifest	Implementation-Title	Apache Log4j SLF4J Binding	High
Product	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/	Low
Product	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Product	Manifest	log4jreleasemanager	Matt Sicker	Low
Product	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Log4j SLF4J Binding	Medium
Product	pom	artifactid	log4j-slf4j-impl	Highest
Product	pom	groupid	org.apache.logging.log4j	Highest
Product	pom	name	Apache Log4j SLF4J Binding	High
Product	pom	parent-artifactid	log4j	Medium
Version	file	version	2.17.1	High
Version	Manifest	Bundle-Version	2.17.1	High
Version	Manifest	Implementation-Version	2.17.1	High
Version	Manifest	log4jreleaseversion	2.17.1	Medium
Version	pom	version	2.17.1	Highest

Identifiers

pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.17.1 (Confidence:High)

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: http://projectlombok.org/LICENSE

File Path: /home/grprdist/.m2/repository/org/projectlombok/lombok/1.14.8/lombok-1.14.8.jar
MD5: 1cbc1782a86f6e2d3b7337b1889cdfe5
SHA1: 8ac073941721e0b521ec8e8bad088b1e7b8cd332
SHA256:0493e0a2e0873763a74959fb07b2ec74fcfd4d277a2b010df58bf33fb3fec639
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	lombok	High
Vendor	jar	package name	java	Highest
Vendor	jar	package name	lombok	Highest
Vendor	jar	package name	org	Highest
Vendor	jar	package name	tostring	Highest
Vendor	Manifest	can-redefine-classes	true	Low
Vendor	pom	artifactid	lombok	Highest
Vendor	pom	artifactid	lombok	Low
Vendor	pom	developer email	reinier@projectlombok.org	Low
Vendor	pom	developer email	roel@projectlombok.org	Low
Vendor	pom	developer id	rgrootjans	Medium
Vendor	pom	developer id	rspilker	Medium
Vendor	pom	developer id	rzwitserloot	Medium
Vendor	pom	developer name	Reinier Zwitserloot	Medium
Vendor	pom	developer name	Robbert Jan Grootjans	Medium
Vendor	pom	developer name	Roel Spilker	Medium
Vendor	pom	groupid	org.projectlombok	Highest
Vendor	pom	name	Project Lombok	High
Vendor	pom	url	http://projectlombok.org	Highest
Product	file	name	lombok	High
Product	jar	package name	java	Highest
Product	jar	package name	lombok	Highest
Product	jar	package name	org	Highest
Product	jar	package name	tostring	Highest
Product	Manifest	can-redefine-classes	true	Low
Product	pom	artifactid	lombok	Highest
Product	pom	developer email	reinier@projectlombok.org	Low
Product	pom	developer email	roel@projectlombok.org	Low
Product	pom	developer id	rgrootjans	Low
Product	pom	developer id	rspilker	Low
Product	pom	developer id	rzwitserloot	Low
Product	pom	developer name	Reinier Zwitserloot	Low
Product	pom	developer name	Robbert Jan Grootjans	Low
Product	pom	developer name	Roel Spilker	Low
Product	pom	groupid	org.projectlombok	Highest
Product	pom	name	Project Lombok	High
Product	pom	url	http://projectlombok.org	Medium
Version	file	version	1.14.8	High
Version	Manifest	lombok-version	1.14.8	Medium
Version	pom	version	1.14.8	Highest

Identifiers

pkg:maven/org.projectlombok/lombok@1.14.8 (Confidence:High)

Description:

JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/javax/mail/mail/1.4.7/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
SHA256:78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mail	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	mail	Highest
Vendor	jar	package name	provider	Highest
Vendor	jar	package name	sun	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	bundle-docurl	http://www.oracle.com	Low
Vendor	Manifest	bundle-symbolicname	javax.mail	Medium
Vendor	Manifest	extension-name	javax.mail	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	originally-created-by	1.7.0_15 (Oracle Corporation)	Low
Vendor	Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml	Medium
Vendor	Manifest	specification-vendor	Oracle	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	Manifest (hint)	specification-vendor	sun	Low
Vendor	pom	artifactid	mail	Highest
Vendor	pom	artifactid	mail	Low
Vendor	pom	groupid	javax.mail	Highest
Vendor	pom	name	JavaMail API (compat)	High
Vendor	pom	parent-artifactid	all	Low
Vendor	pom	parent-groupid	com.sun.mail	Medium
Product	file	name	mail	High
Product	jar	package name	javax	Highest
Product	jar	package name	mail	Highest
Product	jar	package name	provider	Highest
Product	jar	package name	sun	Highest
Product	Manifest	bundle-docurl	http://www.oracle.com	Low
Product	Manifest	Bundle-Name	JavaMail API (compat)	Medium
Product	Manifest	bundle-symbolicname	javax.mail	Medium
Product	Manifest	extension-name	javax.mail	Medium
Product	Manifest	Implementation-Title	javax.mail	High
Product	Manifest	originally-created-by	1.7.0_15 (Oracle Corporation)	Low
Product	Manifest	probe-provider-xml-file-names	META-INF/gfprobe-provider.xml	Medium
Product	Manifest	specification-title	JavaMail(TM) API Design Specification	Medium
Product	pom	artifactid	mail	Highest
Product	pom	groupid	javax.mail	Highest
Product	pom	name	JavaMail API (compat)	High
Product	pom	parent-artifactid	all	Medium
Product	pom	parent-groupid	com.sun.mail	Medium
Version	file	version	1.4.7	High
Version	Manifest	Bundle-Version	1.4.7	High
Version	Manifest	Implementation-Version	1.4.7	High
Version	pom	version	1.4.7	Highest

Identifiers

pkg:maven/javax.mail/mail@1.4.7 (Confidence:High)

Description:

mchange-commons-java

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.html

File Path: /home/grprdist/.m2/repository/com/mchange/mchange-commons-java/0.2.15/mchange-commons-java-0.2.15.jar
MD5: 97c4575d9d49d9afb71492e6bb4417da
SHA1: 6ef5abe5f1b94ac45b7b5bad42d871da4fda6bbc
SHA256:2b8fce65e95a3e968d5ab3507e2833f43df3daee0635ee51c7ce33343bb3a21c
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mchange-commons-java	High
Vendor	jar	package name	mchange	Highest
Vendor	Manifest	Implementation-Vendor	com.mchange	High
Vendor	Manifest	Implementation-Vendor-Id	com.mchange	Medium
Vendor	Manifest	specification-vendor	com.mchange	Low
Vendor	pom	artifactid	mchange-commons-java	Highest
Vendor	pom	artifactid	mchange-commons-java	Low
Vendor	pom	developer email	swaldman@mchange.com	Low
Vendor	pom	developer id	swaldman	Medium
Vendor	pom	developer name	Steve Waldman	Medium
Vendor	pom	groupid	com.mchange	Highest
Vendor	pom	name	mchange-commons-java	High
Vendor	pom	organization name	com.mchange	High
Vendor	pom	url	swaldman/mchange-commons-java	Highest
Product	file	name	mchange-commons-java	High
Product	jar	package name	mchange	Highest
Product	Manifest	Implementation-Title	mchange-commons-java	High
Product	Manifest	specification-title	mchange-commons-java	Medium
Product	pom	artifactid	mchange-commons-java	Highest
Product	pom	developer email	swaldman@mchange.com	Low
Product	pom	developer id	swaldman	Low
Product	pom	developer name	Steve Waldman	Low
Product	pom	groupid	com.mchange	Highest
Product	pom	name	mchange-commons-java	High
Product	pom	organization name	com.mchange	Low
Product	pom	url	swaldman/mchange-commons-java	High
Version	file	version	0.2.15	High
Version	Manifest	Implementation-Version	0.2.15	High
Version	pom	version	0.2.15	Highest

Identifiers

pkg:maven/com.mchange/mchange-commons-java@0.2.15 (Confidence:High)

Description:

WS-Metadata Exchange implementation

File Path: /home/grprdist/.m2/repository/org/apache/axis2/mex/1.6.3/mex-1.6.3-impl.jar
MD5: 982464882b55d5c4bfe30527e2513be9
SHA1: 630125f012a1b9e02b876fadacdee2072b45df3a
SHA256:bc408486709a4636a95255dec40256cf1ee606469017c3b96e366e517bda5bd3
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mex	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	axis2	Highest
Vendor	jar	package name	mex	Highest
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.axis2	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	mex	Highest
Vendor	pom	artifactid	mex	Low
Vendor	pom	groupid	org.apache.axis2	Highest
Vendor	pom	name	Apache Axis2 - MEX	High
Vendor	pom	parent-artifactid	axis2-parent	Low
Vendor	pom	url	http://axis.apache.org/axis2/java/core/	Highest
Product	file	name	mex	High
Product	jar	package name	apache	Highest
Product	jar	package name	axis2	Highest
Product	jar	package name	mex	Highest
Product	Manifest	Implementation-Title	Apache Axis2 - MEX	High
Product	Manifest	specification-title	Apache Axis2 - MEX	Medium
Product	pom	artifactid	mex	Highest
Product	pom	groupid	org.apache.axis2	Highest
Product	pom	name	Apache Axis2 - MEX	High
Product	pom	parent-artifactid	axis2-parent	Medium
Product	pom	url	http://axis.apache.org/axis2/java/core/	Medium
Version	file	version	1.6.3	High
Version	Manifest	Implementation-Version	1.6.3	High
Version	pom	version	1.6.3	Highest

Identifiers

pkg:maven/org.apache.axis2/mex@1.6.3 (Confidence:High)
cpe:2.3:a:apache:axis:1.6.3:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:apache:axis2:1.6.3:*:*:*:*:*:*:* (Confidence:Highest)

Description:

    MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged changes of the Plexus fork.

License:

Indiana University Extreme! Lab Software License: https://raw.githubusercontent.com/x-stream/mxparser/master/LICENSE.txt

File Path: /home/grprdist/.m2/repository/io/github/x-stream/mxparser/1.2.2/mxparser-1.2.2.jar
MD5: 9d7e42409dfdcee9bd17903015bdeae2
SHA1: 476fb3b3bb3716cad797cd054ce45f89445794e9
SHA256:aeeee23a3303d811bca8790ea7f25b534314861c03cff36dafdcc2180969eb97
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mxparser	High
Vendor	jar	package name	github	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	mxparser	Highest
Vendor	jar	package name	xstream	Highest
Vendor	Manifest	automatic-module-name	io.github.xstream.mxparser	Medium
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-symbolicname	mxparser	Medium
Vendor	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Vendor	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Vendor	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Vendor	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Vendor	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Vendor	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Vendor	Manifest	x-build-os	Linux	Low
Vendor	Manifest	x-build-time	2021-08-18T22:35:34Z	Low
Vendor	Manifest	x-builder	Maven 3.8.1	Low
Vendor	Manifest	x-compile-source	1.4	Low
Vendor	Manifest	x-compile-target	1.4	Low
Vendor	pom	artifactid	mxparser	Highest
Vendor	pom	artifactid	mxparser	Low
Vendor	pom	developer id	mxparser	Medium
Vendor	pom	developer name	XStream Committers	Medium
Vendor	pom	groupid	io.github.x-stream	Highest
Vendor	pom	name	MXParser	High
Vendor	pom	url	http://x-stream.github.io/mxparser	Highest
Product	file	name	mxparser	High
Product	jar	package name	github	Highest
Product	jar	package name	io	Highest
Product	jar	package name	mxparser	Highest
Product	jar	package name	xstream	Highest
Product	Manifest	automatic-module-name	io.github.xstream.mxparser	Medium
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	Bundle-Name	MXParser	Medium
Product	Manifest	bundle-symbolicname	mxparser	Medium
Product	Manifest	Implementation-Title	MXParser	High
Product	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Product	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Product	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Product	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Product	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Product	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Product	Manifest	specification-title	MXParser	Medium
Product	Manifest	x-build-os	Linux	Low
Product	Manifest	x-build-time	2021-08-18T22:35:34Z	Low
Product	Manifest	x-builder	Maven 3.8.1	Low
Product	Manifest	x-compile-source	1.4	Low
Product	Manifest	x-compile-target	1.4	Low
Product	pom	artifactid	mxparser	Highest
Product	pom	developer id	mxparser	Low
Product	pom	developer name	XStream Committers	Low
Product	pom	groupid	io.github.x-stream	Highest
Product	pom	name	MXParser	High
Product	pom	url	http://x-stream.github.io/mxparser	Medium
Version	file	version	1.2.2	High
Version	Manifest	Bundle-Version	1.2.2	High
Version	Manifest	Implementation-Version	1.2.2	High
Version	pom	version	1.2.2	Highest

Identifiers

pkg:maven/io.github.x-stream/mxparser@1.2.2 (Confidence:High)

Description:

JDBC Type 4 driver for MySQL

License:

The GNU General Public License, v2 with FOSS exception

File Path: /home/grprdist/.m2/repository/mysql/mysql-connector-java/8.0.28/mysql-connector-java-8.0.28.jar
MD5: 95cde01c78e7b04e13305338d60e056a
SHA1: 33678b1729d4f832b9e4bcb2d5bbd67940920a7a
SHA256:a00ccdf537ff50e50067b989108c2235197ffb65e197149bbb669db843cd1c3e
Referenced In Projects/Scopes:

Grouper WS Generated Client:runtime
Grouper WS:runtime
Grouper WS Test:runtime
Grouper WS SCIM:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	mysql-connector-java	High
Vendor	hint analyzer	vendor	oracle	Highest
Vendor	hint analyzer (hint)	vendor	sun	Highest
Vendor	jar	package name	cj	Highest
Vendor	jar	package name	driver	Highest
Vendor	jar	package name	jdbc	Highest
Vendor	jar	package name	mysql	Highest
Vendor	jar	package name	type	Highest
Vendor	Manifest	bundle-symbolicname	com.mysql.cj	Medium
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.mysql	Medium
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	mysql-connector-java	Highest
Vendor	pom	artifactid	mysql-connector-java	Low
Vendor	pom	groupid	mysql	Highest
Vendor	pom	name	MySQL Connector/J	High
Vendor	pom	organization name	Oracle Corporation	High
Vendor	pom	organization url	http://www.oracle.com	Medium
Vendor	pom	url	http://dev.mysql.com/doc/connector-j/en/	Highest
Product	file	name	mysql-connector-java	High
Product	hint analyzer	product	mysql_connector/j	Highest
Product	hint analyzer	product	mysql_connector_j	Highest
Product	hint analyzer	product	mysql_connectors	Highest
Product	jar	package name	cj	Highest
Product	jar	package name	driver	Highest
Product	jar	package name	jdbc	Highest
Product	jar	package name	mysql	Highest
Product	jar	package name	type	Highest
Product	jar	package name	xdevapi	Highest
Product	Manifest	Bundle-Name	Oracle Corporation's JDBC and XDevAPI Driver for MySQL	Medium
Product	Manifest	bundle-symbolicname	com.mysql.cj	Medium
Product	Manifest	Implementation-Title	MySQL Connector/J	High
Product	Manifest	specification-title	JDBC	Medium
Product	pom	artifactid	mysql-connector-java	Highest
Product	pom	groupid	mysql	Highest
Product	pom	name	MySQL Connector/J	High
Product	pom	organization name	Oracle Corporation	Low
Product	pom	organization url	http://www.oracle.com	Low
Product	pom	url	http://dev.mysql.com/doc/connector-j/en/	Medium
Version	file	version	8.0.28	High
Version	Manifest	Bundle-Version	8.0.28	High
Version	Manifest	Implementation-Version	8.0.28	High
Version	pom	version	8.0.28	Highest

Identifiers

pkg:maven/mysql/mysql-connector-java@8.0.28 (Confidence:High)
cpe:2.3:a:mysql:mysql:8.0.28:*:*:*:*:*:*:* (Confidence:Highest)
cpe:2.3:a:oracle:mysql_connector\/j:8.0.28:*:*:*:*:*:*:* (Confidence:Highest)

Description:

Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/neethi/neethi/3.0.2/neethi-3.0.2.jar
MD5: 51aed43fd54c1fcc86d531fd93250bc4
SHA1: 129d23d29de183eafe787b9566c2d0bbb8eab47a
SHA256:6131cc1fc941a49c0523c85574baeb5cf3380ab243bcc5f3ebe833b6b29c8859
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	neethi	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	neethi	Highest
Vendor	jar	package name	policy	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.neethi	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	neethi	Highest
Vendor	pom	artifactid	neethi	Low
Vendor	pom	developer email	chatra@gmail.com	Low
Vendor	pom	developer email	dims@yahoo.com	Low
Vendor	pom	developer email	dkulp@apache.org	Low
Vendor	pom	developer email	sanjiva@opensource.lk	Low
Vendor	pom	developer email	sanka@apache.org	Low
Vendor	pom	developer email	veithen@apache.org	Low
Vendor	pom	developer email	werner.dittmann@siemens.com	Low
Vendor	pom	developer id	chatra	Medium
Vendor	pom	developer id	dims	Medium
Vendor	pom	developer id	dkulp	Medium
Vendor	pom	developer id	sanjiva	Medium
Vendor	pom	developer id	sanka	Medium
Vendor	pom	developer id	veithen	Medium
Vendor	pom	developer id	werner	Medium
Vendor	pom	developer name	Andreas Veithen	Medium
Vendor	pom	developer name	Chatra Nakkawita	Medium
Vendor	pom	developer name	Daniel Kulp	Medium
Vendor	pom	developer name	Davanum Srinivas	Medium
Vendor	pom	developer name	Dittmann, Werner	Medium
Vendor	pom	developer name	Sanjiva Weerawarana	Medium
Vendor	pom	developer name	Sanka Samaranayake	Medium
Vendor	pom	developer org	IBM	Medium
Vendor	pom	developer org	WSO2 Inc.	Medium
Vendor	pom	groupid	org.apache.neethi	Highest
Vendor	pom	name	Apache Neethi	High
Vendor	pom	organization name	The Apache Software Foundation	High
Vendor	pom	organization url	http://www.apache.org/	Medium
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	parent-groupid	org.apache	Medium
Vendor	pom	url	http://ws.apache.org/neethi/	Highest
Product	file	name	neethi	High
Product	jar	package name	apache	Highest
Product	jar	package name	neethi	Highest
Product	jar	package name	policy	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Neethi	Medium
Product	Manifest	bundle-symbolicname	org.apache.neethi	Medium
Product	Manifest	Implementation-Title	Apache Neethi	High
Product	Manifest	specification-title	Apache Neethi	Medium
Product	pom	artifactid	neethi	Highest
Product	pom	developer email	chatra@gmail.com	Low
Product	pom	developer email	dims@yahoo.com	Low
Product	pom	developer email	dkulp@apache.org	Low
Product	pom	developer email	sanjiva@opensource.lk	Low
Product	pom	developer email	sanka@apache.org	Low
Product	pom	developer email	veithen@apache.org	Low
Product	pom	developer email	werner.dittmann@siemens.com	Low
Product	pom	developer id	chatra	Low
Product	pom	developer id	dims	Low
Product	pom	developer id	dkulp	Low
Product	pom	developer id	sanjiva	Low
Product	pom	developer id	sanka	Low
Product	pom	developer id	veithen	Low
Product	pom	developer id	werner	Low
Product	pom	developer name	Andreas Veithen	Low
Product	pom	developer name	Chatra Nakkawita	Low
Product	pom	developer name	Daniel Kulp	Low
Product	pom	developer name	Davanum Srinivas	Low
Product	pom	developer name	Dittmann, Werner	Low
Product	pom	developer name	Sanjiva Weerawarana	Low
Product	pom	developer name	Sanka Samaranayake	Low
Product	pom	developer org	IBM	Low
Product	pom	developer org	WSO2 Inc.	Low
Product	pom	groupid	org.apache.neethi	Highest
Product	pom	name	Apache Neethi	High
Product	pom	organization name	The Apache Software Foundation	Low
Product	pom	organization url	http://www.apache.org/	Low
Product	pom	parent-artifactid	apache	Medium
Product	pom	parent-groupid	org.apache	Medium
Product	pom	url	http://ws.apache.org/neethi/	Medium
Version	file	version	3.0.2	High
Version	Manifest	Bundle-Version	3.0.2	High
Version	Manifest	Implementation-Version	3.0.2	High
Version	pom	parent-version	3.0.2	Low
Version	pom	version	3.0.2	Highest

Identifiers

pkg:maven/org.apache.neethi/neethi@3.0.2 (Confidence:High)

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.24.4/nimbus-jose-jwt-9.24.4.jar/META-INF/maven/com.google.code.gson/gson/pom.xml
MD5: 7bd7595123078326684b630486e49fa8
SHA1: f0cf3edcef8dcb74d27cb427544a309eb718d772
SHA256:e5966323d7142570b37a4be979e21bc2dae848107e4dc416d8f44d9aa3f02903
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	gson	Low
Vendor	pom	groupid	com.google.code.gson	Highest
Vendor	pom	name	Gson	High
Vendor	pom	parent-artifactid	gson-parent	Low
Product	pom	artifactid	gson	Highest
Product	pom	groupid	com.google.code.gson	Highest
Product	pom	name	Gson	High
Product	pom	parent-artifactid	gson-parent	Medium
Version	pom	version	2.9.1	Highest

Identifiers

pkg:maven/com.google.code.gson/gson@2.9.1 (Confidence:High)
cpe:2.3:a:google:gson:2.9.1:*:*:*:*:*:*:* (Confidence:Highest)

Description:

        Java library for Javascript Object Signing and Encryption (JOSE) and
        JSON Web Tokens (JWT)

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.24.4/nimbus-jose-jwt-9.24.4.jar
MD5: f00923fe2eb333891619668391ac4d14
SHA1: 29a1f6a00a4daa3e1873f6bf4f16ddf4d6fd6d37
SHA256:8d589630722a4c56349248652477fdaa4e30df9c732c4d6eac2f271437246304
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	nimbus-jose-jwt	High
Vendor	jar	package name	jose	Highest
Vendor	jar	package name	jwt	Highest
Vendor	jar	package name	nimbusds	Highest
Vendor	Manifest	automatic-module-name	com.nimbusds.jose.jwt	Medium
Vendor	Manifest	build-date	${timestamp}	Low
Vendor	Manifest	build-number	${buildNumber}	Low
Vendor	Manifest	build-tag	9.24.4	Low
Vendor	Manifest	bundle-docurl	https://connect2id.com	Low
Vendor	Manifest	bundle-symbolicname	com.nimbusds.nimbus-jose-jwt	Medium
Vendor	Manifest	implementation-url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Low
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	Implementation-Vendor-Id	com.nimbusds	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	nimbus-jose-jwt	Highest
Vendor	pom	artifactid	nimbus-jose-jwt	Low
Vendor	pom	developer email	vladimir@dzhuvinov.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	Nimbus JOSE+JWT	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Highest
Product	file	name	nimbus-jose-jwt	High
Product	jar	package name	9	Highest
Product	jar	package name	jose	Highest
Product	jar	package name	jwt	Highest
Product	jar	package name	nimbusds	Highest
Product	Manifest	automatic-module-name	com.nimbusds.jose.jwt	Medium
Product	Manifest	build-date	${timestamp}	Low
Product	Manifest	build-number	${buildNumber}	Low
Product	Manifest	build-tag	9.24.4	Low
Product	Manifest	bundle-docurl	https://connect2id.com	Low
Product	Manifest	Bundle-Name	Nimbus JOSE+JWT	Medium
Product	Manifest	bundle-symbolicname	com.nimbusds.nimbus-jose-jwt	Medium
Product	Manifest	Implementation-Title	Nimbus JOSE+JWT	High
Product	Manifest	implementation-url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	Nimbus JOSE+JWT	Medium
Product	pom	artifactid	nimbus-jose-jwt	Highest
Product	pom	developer email	vladimir@dzhuvinov.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	Nimbus JOSE+JWT	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com	Low
Product	pom	url	https://bitbucket.org/connect2id/nimbus-jose-jwt	Medium
Version	file	version	9.24.4	High
Version	Manifest	build-tag	9.24.4	Low
Version	Manifest	Bundle-Version	9.24.4	High
Version	Manifest	Implementation-Version	9.24.4	High
Version	pom	version	9.24.4	Highest

Identifiers

pkg:maven/com.nimbusds/nimbus-jose-jwt@9.24.4 (Confidence:High)
cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.24.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

		OAuth 2.0 SDK with OpenID Connection extensions for developing
		client and server applications.

License:

Apache License, version 2.0: https://www.apache.org/licenses/LICENSE-2.0.html

File Path: /home/grprdist/.m2/repository/com/nimbusds/oauth2-oidc-sdk/9.43.1/oauth2-oidc-sdk-9.43.1.jar
MD5: 564a5b104ad66dce737a0e281dac4293
SHA1: a25abc8ea0a91296063d55dbb57b698f81a4649c
SHA256:65d360ca0d7bb89302a8153c7acb30214d5c027b177c714d72dc05d41f993204
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	oauth2-oidc-sdk	High
Vendor	jar	package name	client	Highest
Vendor	jar	package name	connect	Highest
Vendor	jar	package name	nimbusds	Highest
Vendor	jar	package name	oauth2	Highest
Vendor	jar	package name	openid	Highest
Vendor	jar	package name	sdk	Highest
Vendor	Manifest	build-date	20220909.152910.032	Low
Vendor	Manifest	build-jdk-spec	11	Low
Vendor	Manifest	build-number	e3848927b9884a3f19aa947388ec605a7bcc4d65	Low
Vendor	Manifest	build-tag	9.43.1	Low
Vendor	Manifest	bundle-developers	vdzhuvinov;email="vd@connect2id.com";name="Vladimir Dzhuvinov"	Low
Vendor	Manifest	bundle-docurl	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Low
Vendor	Manifest	bundle-symbolicname	oauth2-oidc-sdk	Medium
Vendor	Manifest	Implementation-Vendor	Connect2id Ltd.	High
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	specification-vendor	Connect2id Ltd.	Low
Vendor	pom	artifactid	oauth2-oidc-sdk	Highest
Vendor	pom	artifactid	oauth2-oidc-sdk	Low
Vendor	pom	developer email	vd@connect2id.com	Low
Vendor	pom	developer id	vdzhuvinov	Medium
Vendor	pom	developer name	Vladimir Dzhuvinov	Medium
Vendor	pom	groupid	com.nimbusds	Highest
Vendor	pom	name	OAuth 2.0 SDK with OpenID Connect extensions	High
Vendor	pom	organization name	Connect2id Ltd.	High
Vendor	pom	organization url	https://connect2id.com	Medium
Vendor	pom	url	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Highest
Product	file	name	oauth2-oidc-sdk	High
Product	jar	package name	client	Highest
Product	jar	package name	connect	Highest
Product	jar	package name	nimbusds	Highest
Product	jar	package name	oauth2	Highest
Product	jar	package name	openid	Highest
Product	jar	package name	sdk	Highest
Product	Manifest	build-date	20220909.152910.032	Low
Product	Manifest	build-jdk-spec	11	Low
Product	Manifest	build-number	e3848927b9884a3f19aa947388ec605a7bcc4d65	Low
Product	Manifest	build-tag	9.43.1	Low
Product	Manifest	bundle-developers	vdzhuvinov;email="vd@connect2id.com";name="Vladimir Dzhuvinov"	Low
Product	Manifest	bundle-docurl	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Low
Product	Manifest	Bundle-Name	OAuth 2.0 SDK with OpenID Connect extensions	Medium
Product	Manifest	bundle-symbolicname	oauth2-oidc-sdk	Medium
Product	Manifest	Implementation-Title	OAuth 2.0 SDK with OpenID Connect extensions	High
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	specification-title	OAuth 2.0 SDK with OpenID Connect extensions	Medium
Product	pom	artifactid	oauth2-oidc-sdk	Highest
Product	pom	developer email	vd@connect2id.com	Low
Product	pom	developer id	vdzhuvinov	Low
Product	pom	developer name	Vladimir Dzhuvinov	Low
Product	pom	groupid	com.nimbusds	Highest
Product	pom	name	OAuth 2.0 SDK with OpenID Connect extensions	High
Product	pom	organization name	Connect2id Ltd.	Low
Product	pom	organization url	https://connect2id.com	Low
Product	pom	url	https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions	Medium
Version	file	version	9.43.1	High
Version	Manifest	build-tag	9.43.1	Low
Version	Manifest	Bundle-Version	9.43.1	High
Version	Manifest	Implementation-Version	9.43.1	High
Version	pom	version	9.43.1	Highest

Identifiers

pkg:maven/com.nimbusds/oauth2-oidc-sdk@9.43.1 (Confidence:High)

Description:

        The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language
        (SAML).

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar
MD5: 70e20154abc9a94e230b5679e3603e5a
SHA1: de2c742b770bd58328fd05ebd9d9efc85f79d88c
SHA256:b8297a0b783113a5e0113ee69683addf99194b3ff981c0c90b85dda492f30064
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	opensaml	High
Vendor	hint analyzer	vendor	shibboleth	Highest
Vendor	jar	package name	assertion	Highest
Vendor	jar	package name	opensaml	Highest
Vendor	jar	package name	security	Highest
Vendor	jar	package name	support	Highest
Vendor	manifest: org/opensaml/	Implementation-Vendor	www.opensaml.org	Medium
Vendor	pom	artifactid	opensaml	Highest
Vendor	pom	artifactid	opensaml	Low
Vendor	pom	developer id	cantor	Medium
Vendor	pom	developer id	lajoie	Medium
Vendor	pom	developer id	ndk	Medium
Vendor	pom	developer id	putmanb	Medium
Vendor	pom	developer id	rdw	Medium
Vendor	pom	developer name	Brent Putman	Medium
Vendor	pom	developer name	Chad La Joie	Medium
Vendor	pom	developer name	Nate Klingenstein	Medium
Vendor	pom	developer name	Rod Widdowson	Medium
Vendor	pom	developer name	Scott Cantor	Medium
Vendor	pom	developer org	Georgetown University	Medium
Vendor	pom	developer org	Internet2	Medium
Vendor	pom	developer org	Itumi, LLC	Medium
Vendor	pom	developer org	The Ohio State University	Medium
Vendor	pom	developer org	University of Edinburgh	Medium
Vendor	pom	developer org URL	http://itumi.biz	Medium
Vendor	pom	developer org URL	http://www.ed.ac.uk/	Medium
Vendor	pom	developer org URL	http://www.georgetown.edu/	Medium
Vendor	pom	developer org URL	http://www.internet2.edu/	Medium
Vendor	pom	developer org URL	http://www.ohio-state.edu/	Medium
Vendor	pom	groupid	org.opensaml	Highest
Vendor	pom	name	OpenSAML-J	High
Vendor	pom	organization name	Internet2	High
Vendor	pom	organization url	http://www.internet2.edu/	Medium
Vendor	pom	parent-artifactid	parent-v2	Low
Vendor	pom	parent-groupid	net.shibboleth	Medium
Vendor	pom	url	http://opensaml.org/	Highest
Product	file	name	opensaml	High
Product	hint analyzer	product	opensaml	Highest
Product	jar	package name	assertion	Highest
Product	jar	package name	opensaml	Highest
Product	jar	package name	profile	Highest
Product	jar	package name	saml	Highest
Product	jar	package name	security	Highest
Product	jar	package name	support	Highest
Product	jar	package name	version	Highest
Product	jar	package name	xacml	Highest
Product	manifest: org/opensaml/	Implementation-Title	opensaml	Medium
Product	manifest: org/opensaml/saml1/	Specification-Title	Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1	Medium
Product	manifest: org/opensaml/saml2/	Specification-Title	Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0	Medium
Product	manifest: org/opensaml/xacml/	Specification-Title	eXtensible Access Control Markup Language (XACML) Version 2.0	Medium
Product	manifest: org/opensaml/xacml/profile/saml/	Specification-Title	SAML 2.0 Profile of XACML, Version 2	Medium
Product	pom	artifactid	opensaml	Highest
Product	pom	developer id	cantor	Low
Product	pom	developer id	lajoie	Low
Product	pom	developer id	ndk	Low
Product	pom	developer id	putmanb	Low
Product	pom	developer id	rdw	Low
Product	pom	developer name	Brent Putman	Low
Product	pom	developer name	Chad La Joie	Low
Product	pom	developer name	Nate Klingenstein	Low
Product	pom	developer name	Rod Widdowson	Low
Product	pom	developer name	Scott Cantor	Low
Product	pom	developer org	Georgetown University	Low
Product	pom	developer org	Internet2	Low
Product	pom	developer org	Itumi, LLC	Low
Product	pom	developer org	The Ohio State University	Low
Product	pom	developer org	University of Edinburgh	Low
Product	pom	developer org URL	http://itumi.biz	Low
Product	pom	developer org URL	http://www.ed.ac.uk/	Low
Product	pom	developer org URL	http://www.georgetown.edu/	Low
Product	pom	developer org URL	http://www.internet2.edu/	Low
Product	pom	developer org URL	http://www.ohio-state.edu/	Low
Product	pom	groupid	org.opensaml	Highest
Product	pom	name	OpenSAML-J	High
Product	pom	organization name	Internet2	Low
Product	pom	organization url	http://www.internet2.edu/	Low
Product	pom	parent-artifactid	parent-v2	Medium
Product	pom	parent-groupid	net.shibboleth	Medium
Product	pom	url	http://opensaml.org/	Medium
Version	file	version	2.6.4	High
Version	manifest: org/opensaml/	Implementation-Version	2.6.4	Medium
Version	pom	parent-version	2.6.4	Low
Version	pom	version	2.6.4	Highest

Identifiers

pkg:maven/org.opensaml/opensaml@2.6.4 (Confidence:High)
cpe:2.3:a:shibboleth:opensaml:2.6.4:*:*:*:*:*:*:* (Confidence:Highest)

Description:

        The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include
        classes for creating and reading SOAP messages, transport-independent clients for connecting to web services,
        and various transports for use with those clients.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/opensaml/openws/1.5.4/openws-1.5.4.jar
MD5: 5b5f0fbe27277f2d119d4c4feab48a12
SHA1: 942bd987e5956fcdf1eaa56cde87112ea871d0e8
SHA256:6bb7ed759c3c5318ee44cfe1cf483a91e31688df78b9501fcebd05dca559df76
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	openws	High
Vendor	jar	package name	opensaml	Highest
Vendor	jar	package name	soap	Highest
Vendor	jar	package name	transport	Highest
Vendor	manifest: org/opensaml/ws/	Implementation-Vendor	www.opensaml.org	Medium
Vendor	pom	artifactid	openws	Highest
Vendor	pom	artifactid	openws	Low
Vendor	pom	developer id	cantor	Medium
Vendor	pom	developer id	lajoie	Medium
Vendor	pom	developer id	ndk	Medium
Vendor	pom	developer id	putmanb	Medium
Vendor	pom	developer id	rdw	Medium
Vendor	pom	developer name	Brent Putman	Medium
Vendor	pom	developer name	Chad La Joie	Medium
Vendor	pom	developer name	Nate Klingenstein	Medium
Vendor	pom	developer name	Rod Widdowson	Medium
Vendor	pom	developer name	Scott Cantor	Medium
Vendor	pom	developer org	Georgetown University	Medium
Vendor	pom	developer org	Internet2	Medium
Vendor	pom	developer org	Itumi, LLC	Medium
Vendor	pom	developer org	The Ohio State University	Medium
Vendor	pom	developer org	University of Edinburgh	Medium
Vendor	pom	developer org URL	http://itumi.biz	Medium
Vendor	pom	developer org URL	http://www.ed.ac.uk/	Medium
Vendor	pom	developer org URL	http://www.georgetown.edu/	Medium
Vendor	pom	developer org URL	http://www.internet2.edu/	Medium
Vendor	pom	developer org URL	http://www.ohio-state.edu/	Medium
Vendor	pom	groupid	org.opensaml	Highest
Vendor	pom	name	OpenWS	High
Vendor	pom	organization name	Internet2	High
Vendor	pom	organization url	http://www.internet2.edu/	Medium
Vendor	pom	parent-artifactid	parent-v2	Low
Vendor	pom	parent-groupid	net.shibboleth	Medium
Vendor	pom	url	http://opensaml.org/	Highest
Product	file	name	openws	High
Product	jar	package name	opensaml	Highest
Product	jar	package name	policy	Highest
Product	jar	package name	security	Highest
Product	jar	package name	soap	Highest
Product	jar	package name	transport	Highest
Product	jar	package name	ws	Highest
Product	manifest: org/opensaml/ws/	Implementation-Title	openws	Medium
Product	manifest: org/opensaml/ws/soap/soap11/	Specification-Title	Simple Object Access Protocol (SOAP) 1.1	Medium
Product	manifest: org/opensaml/ws/wsaddressing/	Specification-Title	WS-Addressing	Medium
Product	manifest: org/opensaml/ws/wsfed/	Specification-Title	WS-Federation	Medium
Product	manifest: org/opensaml/ws/wspolicy/	Specification-Title	WS-Policy	Medium
Product	manifest: org/opensaml/ws/wssecurity/	Specification-Title	WS-Security	Medium
Product	manifest: org/opensaml/ws/wstrust/	Specification-Title	WS-Trust	Medium
Product	pom	artifactid	openws	Highest
Product	pom	developer id	cantor	Low
Product	pom	developer id	lajoie	Low
Product	pom	developer id	ndk	Low
Product	pom	developer id	putmanb	Low
Product	pom	developer id	rdw	Low
Product	pom	developer name	Brent Putman	Low
Product	pom	developer name	Chad La Joie	Low
Product	pom	developer name	Nate Klingenstein	Low
Product	pom	developer name	Rod Widdowson	Low
Product	pom	developer name	Scott Cantor	Low
Product	pom	developer org	Georgetown University	Low
Product	pom	developer org	Internet2	Low
Product	pom	developer org	Itumi, LLC	Low
Product	pom	developer org	The Ohio State University	Low
Product	pom	developer org	University of Edinburgh	Low
Product	pom	developer org URL	http://itumi.biz	Low
Product	pom	developer org URL	http://www.ed.ac.uk/	Low
Product	pom	developer org URL	http://www.georgetown.edu/	Low
Product	pom	developer org URL	http://www.internet2.edu/	Low
Product	pom	developer org URL	http://www.ohio-state.edu/	Low
Product	pom	groupid	org.opensaml	Highest
Product	pom	name	OpenWS	High
Product	pom	organization name	Internet2	Low
Product	pom	organization url	http://www.internet2.edu/	Low
Product	pom	parent-artifactid	parent-v2	Medium
Product	pom	parent-groupid	net.shibboleth	Medium
Product	pom	url	http://opensaml.org/	Medium
Version	file	version	1.5.4	High
Version	manifest: org/opensaml/ws/	Implementation-Version	1.5.4	Medium
Version	pom	parent-version	1.5.4	Low
Version	pom	version	1.5.4	Highest

Identifiers

pkg:maven/org.opensaml/openws@1.5.4 (Confidence:High)

Description:

OSGi R8 framework implementation.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/felix/org.apache.felix.framework/7.0.3/org.apache.felix.framework-7.0.3.jar
MD5: ea392d1ab3f5f416f8aa1ac14c1c14ff
SHA1: c60632913c11ae47e8a6dcd5b617f48ee17693f5
SHA256:afd53fb601da924552129a965e3c2fbe1a17a3824b77c7f74b318606ef9a174d
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	org.apache.felix.framework	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	felix	Highest
Vendor	jar	package name	framework	Highest
Vendor	Manifest	add-opens	java.base/java.net java.base/sun.net.www.protocol.file java.base/sun.net.www.protocol.ftp java.base/sun.net.www.protocol.http java.base/sun.net.www.protocol.https java.base/sun.net.www.protocol.jar java.base/sun.net.www.protocol.jmod java.base/sun.net.www.protocol.mailto java.base/sun.net.www.protocol.jrt java.base/jdk.internal.loader java.base/java.security	Low
Vendor	Manifest	build-jdk-spec	1.8	Low
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.felix.framework	Medium
Vendor	Manifest	provide-capability	osgi.service;objectClass="org.osgi.service.packageadmin.PackageAdmin",osgi.service;objectClass="org.osgi.service.startlevel.StartLevel"	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	pom	artifactid	apache.felix.framework	Low
Vendor	pom	artifactid	org.apache.felix.framework	Highest
Vendor	pom	groupid	org.apache.felix	Highest
Vendor	pom	name	Apache Felix Framework	High
Vendor	pom	parent-artifactid	felix-parent	Low
Product	file	name	org.apache.felix.framework	High
Product	jar	package name	apache	Highest
Product	jar	package name	felix	Highest
Product	jar	package name	filter	Highest
Product	jar	package name	framework	Highest
Product	jar	package name	osgi	Highest
Product	jar	package name	packageadmin	Highest
Product	jar	package name	service	Highest
Product	jar	package name	startlevel	Highest
Product	jar	package name	version	Highest
Product	Manifest	add-opens	java.base/java.net java.base/sun.net.www.protocol.file java.base/sun.net.www.protocol.ftp java.base/sun.net.www.protocol.http java.base/sun.net.www.protocol.https java.base/sun.net.www.protocol.jar java.base/sun.net.www.protocol.jmod java.base/sun.net.www.protocol.mailto java.base/sun.net.www.protocol.jrt java.base/jdk.internal.loader java.base/java.security	Low
Product	Manifest	build-jdk-spec	1.8	Low
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Felix Framework	Medium
Product	Manifest	bundle-symbolicname	org.apache.felix.framework	Medium
Product	Manifest	provide-capability	osgi.service;objectClass="org.osgi.service.packageadmin.PackageAdmin",osgi.service;objectClass="org.osgi.service.startlevel.StartLevel"	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	pom	artifactid	apache.felix.framework	Highest
Product	pom	artifactid	org.apache.felix.framework	Highest
Product	pom	groupid	org.apache.felix	Highest
Product	pom	name	Apache Felix Framework	High
Product	pom	parent-artifactid	felix-parent	Medium
Version	file	version	7.0.3	High
Version	Manifest	Bundle-Version	7.0.3	High
Version	pom	parent-version	7.0.3	Low
Version	pom	version	7.0.3	Highest

Identifiers

pkg:maven/org.apache.felix/org.apache.felix.framework@7.0.3 (Confidence:High)
cpe:2.3:a:sun:sun_ftp:7.0.3:*:*:*:*:*:*:* (Confidence:Low)

File Path: /home/grprdist/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	oro	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	oro	Highest
Vendor	manifest: org/apache/oro	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	oro	Highest
Vendor	pom	artifactid	oro	Low
Vendor	pom	groupid	oro	Highest
Product	file	name	oro	High
Product	jar	package name	apache	Highest
Product	jar	package name	oro	Highest
Product	manifest: org/apache/oro	Implementation-Title	org.apache.oro	Medium
Product	manifest: org/apache/oro	Specification-Title	Jakarta ORO	Medium
Product	pom	artifactid	oro	Highest
Product	pom	groupid	oro	Highest
Version	file	version	2.0.8	High
Version	pom	version	2.0.8	Highest

Identifiers

pkg:maven/oro/oro@2.0.8 (Confidence:High)

Description:

Used by various API providers that rely on META-INF/services mechanism to locate providers.

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html

File Path: /home/grprdist/.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
MD5: e7e82b82118c5387ae45f7bf3892909b
SHA1: de3b21279df7e755e38275137539be5e2c80dd58
SHA256:aab5d7849f7cfcda2cc7c541ba1bd365151d42276f151c825387245dfde3dd74
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	osgi-resource-locator	High
Vendor	jar	package name	glassfish	Highest
Vendor	jar	package name	hk2	Highest
Vendor	Manifest	bundle-activationpolicy	lazy	Low
Vendor	Manifest	bundle-docurl	https://www.eclipse.org	Low
Vendor	Manifest	bundle-symbolicname	org.glassfish.hk2.osgi-resource-locator	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	osgi-resource-locator	Highest
Vendor	pom	artifactid	osgi-resource-locator	Low
Vendor	pom	developer id	ss141213	Medium
Vendor	pom	developer name	Sahoo	Medium
Vendor	pom	developer org	Oracle Corporation	Medium
Vendor	pom	groupid	org.glassfish.hk2	Highest
Vendor	pom	name	OSGi resource locator	High
Vendor	pom	parent-artifactid	project	Low
Vendor	pom	parent-groupid	org.eclipse.ee4j	Medium
Product	file	name	osgi-resource-locator	High
Product	jar	package name	glassfish	Highest
Product	jar	package name	hk2	Highest
Product	Manifest	bundle-activationpolicy	lazy	Low
Product	Manifest	bundle-docurl	https://www.eclipse.org	Low
Product	Manifest	Bundle-Name	OSGi resource locator	Medium
Product	Manifest	bundle-symbolicname	org.glassfish.hk2.osgi-resource-locator	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	artifactid	osgi-resource-locator	Highest
Product	pom	developer id	ss141213	Low
Product	pom	developer name	Sahoo	Low
Product	pom	developer org	Oracle Corporation	Low
Product	pom	groupid	org.glassfish.hk2	Highest
Product	pom	name	OSGi resource locator	High
Product	pom	parent-artifactid	project	Medium
Product	pom	parent-groupid	org.eclipse.ee4j	Medium
Version	file	version	1.0.3	High
Version	Manifest	Bundle-Version	1.0.3	High
Version	pom	parent-version	1.0.3	Low
Version	pom	version	1.0.3	Highest

Identifiers

pkg:maven/org.glassfish.hk2/osgi-resource-locator@1.0.3 (Confidence:High)
cpe:2.3:a:oracle:java_se:1.0.3:*:*:*:*:*:*:* (Confidence:Low)

Description:

Java command line parser with both an annotations API and a programmatic API. Usage help with ANSI styles and colors. Autocomplete. Nested subcommands. Easily included as source to avoid adding a dependency.

License:

The Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/info/picocli/picocli/4.3.2/picocli-4.3.2.jar
MD5: f20bf12b29c0ffea894d557336171f39
SHA1: 37a9ed41f7a028611775b6e8ad831e3e5fcd6280
SHA256:43c9cf516012aad1ac5ce6b54642e9cb1271e66d827b06a879fd314144d57550
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	picocli	High
Vendor	jar	package name	autocomplete	Highest
Vendor	jar	package name	picocli	Highest
Vendor	Manifest	bundle-symbolicname	picocli	Medium
Vendor	Manifest	Implementation-Vendor	Remko Popma	High
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	Manifest	specification-vendor	Remko Popma	Low
Vendor	pom	artifactid	picocli	Highest
Vendor	pom	artifactid	picocli	Low
Vendor	pom	developer email	rpopma@apache.org	Low
Vendor	pom	developer id	rpopma	Medium
Vendor	pom	developer name	Remko Popma	Medium
Vendor	pom	groupid	info.picocli	Highest
Vendor	pom	name	picocli - a mighty tiny Command Line Interface	High
Vendor	pom	url	http://picocli.info	Highest
Product	file	name	picocli	High
Product	jar	package name	autocomplete	Highest
Product	jar	package name	picocli	Highest
Product	Manifest	Bundle-Name	picocli	Medium
Product	Manifest	bundle-symbolicname	picocli	Medium
Product	Manifest	Implementation-Title	picocli	High
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	specification-title	picocli	Medium
Product	pom	artifactid	picocli	Highest
Product	pom	developer email	rpopma@apache.org	Low
Product	pom	developer id	rpopma	Low
Product	pom	developer name	Remko Popma	Low
Product	pom	groupid	info.picocli	Highest
Product	pom	name	picocli - a mighty tiny Command Line Interface	High
Product	pom	url	http://picocli.info	Medium
Version	file	version	4.3.2	High
Version	Manifest	Bundle-Version	4.3.2	High
Version	Manifest	Implementation-Version	4.3.2	High
Version	pom	version	4.3.2	Highest

Identifiers

pkg:maven/info.picocli/picocli@4.3.2 (Confidence:High)

Description:

PostgreSQL JDBC Driver Postgresql

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html

File Path: /home/grprdist/.m2/repository/org/postgresql/postgresql/42.5.1/postgresql-42.5.1.jar
MD5: 378f8a2ddab2564a281e5f852800e2e9
SHA1: ac2f61eb3b1b4e47ea45de47e73d2e92f49e3ce1
SHA256:89e8bffa8b37b9487946012c690cf04f3103953051c1c193d88ee36b68d365ae
Referenced In Projects/Scopes:

Grouper WS Generated Client:runtime
Grouper WS:runtime
Grouper WS Test:runtime
Grouper WS SCIM:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	postgresql	High
Vendor	jar	package name	driver	Highest
Vendor	jar	package name	jdbc	Highest
Vendor	jar	package name	postgresql	Highest
Vendor	Manifest	automatic-module-name	org.postgresql.jdbc	Medium
Vendor	Manifest	bundle-copyright	Copyright (c) 2003-2020, PostgreSQL Global Development Group	Low
Vendor	Manifest	bundle-docurl	https://jdbc.postgresql.org/	Low
Vendor	Manifest	bundle-symbolicname	org.postgresql.jdbc	Medium
Vendor	Manifest	Implementation-Vendor	PostgreSQL Global Development Group	High
Vendor	Manifest	Implementation-Vendor-Id	org.postgresql	Medium
Vendor	Manifest	provide-capability	osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver"	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(\|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))"	Low
Vendor	Manifest	specification-vendor	Oracle Corporation	Low
Vendor	pom	artifactid	postgresql	Highest
Vendor	pom	artifactid	postgresql	Low
Vendor	pom	developer id	bokken	Medium
Vendor	pom	developer id	davecramer	Medium
Vendor	pom	developer id	jurka	Medium
Vendor	pom	developer id	oliver	Medium
Vendor	pom	developer id	ringerc	Medium
Vendor	pom	developer id	vlsi	Medium
Vendor	pom	developer name	Brett Okken	Medium
Vendor	pom	developer name	Craig Ringer	Medium
Vendor	pom	developer name	Dave Cramer	Medium
Vendor	pom	developer name	Kris Jurka	Medium
Vendor	pom	developer name	Oliver Jowett	Medium
Vendor	pom	developer name	Vladimir Sitnikov	Medium
Vendor	pom	groupid	org.postgresql	Highest
Vendor	pom	name	PostgreSQL JDBC Driver	High
Vendor	pom	organization name	PostgreSQL Global Development Group	High
Vendor	pom	organization url	https://jdbc.postgresql.org/	Medium
Vendor	pom	url	https://jdbc.postgresql.org	Highest
Product	file	name	postgresql	High
Product	hint analyzer	product	pgjdbc	Highest
Product	hint analyzer	product	postgresql_jdbc_driver	Highest
Product	jar	package name	driver	Highest
Product	jar	package name	jdbc	Highest
Product	jar	package name	osgi	Highest
Product	jar	package name	postgresql	Highest
Product	jar	package name	version	Highest
Product	Manifest	automatic-module-name	org.postgresql.jdbc	Medium
Product	Manifest	bundle-copyright	Copyright (c) 2003-2020, PostgreSQL Global Development Group	Low
Product	Manifest	bundle-docurl	https://jdbc.postgresql.org/	Low
Product	Manifest	Bundle-Name	PostgreSQL JDBC Driver	Medium
Product	Manifest	bundle-symbolicname	org.postgresql.jdbc	Medium
Product	Manifest	Implementation-Title	PostgreSQL JDBC Driver	High
Product	Manifest	provide-capability	osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver"	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(\|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))"	Low
Product	Manifest	specification-title	JDBC	Medium
Product	pom	artifactid	postgresql	Highest
Product	pom	developer id	bokken	Low
Product	pom	developer id	davecramer	Low
Product	pom	developer id	jurka	Low
Product	pom	developer id	oliver	Low
Product	pom	developer id	ringerc	Low
Product	pom	developer id	vlsi	Low
Product	pom	developer name	Brett Okken	Low
Product	pom	developer name	Craig Ringer	Low
Product	pom	developer name	Dave Cramer	Low
Product	pom	developer name	Kris Jurka	Low
Product	pom	developer name	Oliver Jowett	Low
Product	pom	developer name	Vladimir Sitnikov	Low
Product	pom	groupid	org.postgresql	Highest
Product	pom	name	PostgreSQL JDBC Driver	High
Product	pom	organization name	PostgreSQL Global Development Group	Low
Product	pom	organization url	https://jdbc.postgresql.org/	Low
Product	pom	url	https://jdbc.postgresql.org	Medium
Version	file	version	42.5.1	High
Version	Manifest	Bundle-Version	42.5.1	High
Version	Manifest	Implementation-Version	42.5.1	High
Version	pom	version	42.5.1	Highest

Identifiers

pkg:maven/org.postgresql/postgresql@42.5.1 (Confidence:High)
cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.1:*:*:*:*:*:*:* (Confidence:Low)

Description:

    Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
    efficient yet extensible format.

License:

https://opensource.org/licenses/BSD-3-Clause

File Path: /home/grprdist/.m2/repository/com/google/protobuf/protobuf-java/3.11.4/protobuf-java-3.11.4.jar
MD5: c4ceefed77d79affded2a1302e74606d
SHA1: 7ec0925cc3aef0335bbc7d57edfd42b0f86f8267
SHA256:42e98f58f53d1a49fd734c2dd193880f2dfec3436a2993a00d06b8800a22a3f2
Referenced In Projects/Scopes:

Grouper WS Generated Client:runtime
Grouper WS:runtime
Grouper WS Test:runtime
Grouper WS SCIM:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	protobuf-java	High
Vendor	jar	package name	google	Highest
Vendor	jar	package name	protobuf	Highest
Vendor	Manifest	automatic-module-name	com.google.protobuf	Medium
Vendor	Manifest	bundle-docurl	https://developers.google.com/protocol-buffers/	Low
Vendor	Manifest	bundle-symbolicname	com.google.protobuf	Medium
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	pom	artifactid	protobuf-java	Highest
Vendor	pom	artifactid	protobuf-java	Low
Vendor	pom	groupid	com.google.protobuf	Highest
Vendor	pom	name	Protocol Buffers [Core]	High
Vendor	pom	parent-artifactid	protobuf-parent	Low
Product	file	name	protobuf-java	High
Product	jar	package name	google	Highest
Product	jar	package name	protobuf	Highest
Product	Manifest	automatic-module-name	com.google.protobuf	Medium
Product	Manifest	bundle-docurl	https://developers.google.com/protocol-buffers/	Low
Product	Manifest	Bundle-Name	Protocol Buffers [Core]	Medium
Product	Manifest	bundle-symbolicname	com.google.protobuf	Medium
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	pom	artifactid	protobuf-java	Highest
Product	pom	groupid	com.google.protobuf	Highest
Product	pom	name	Protocol Buffers [Core]	High
Product	pom	parent-artifactid	protobuf-parent	Medium
Version	file	version	3.11.4	High
Version	Manifest	Bundle-Version	3.11.4	High
Version	pom	version	3.11.4	Highest

Identifiers

pkg:maven/com.google.protobuf/protobuf-java@3.11.4 (Confidence:High)
cpe:2.3:a:google:protobuf-java:3.11.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2022-3171

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

NVD-CWE-noinfo

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CONFIRM - https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
FEDORA - FEDORA-2022-25f35ed634
GENTOO - GLSA-202301-09
OSSINDEX - [CVE-2022-3171] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3171
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
OSSIndex - https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
OSSIndex - https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2

Vulnerable Software & Versions: (show all)

CVE-2022-3509 (OSSINDEX)

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-3509] CWE-20: Improper Input Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3509
OSSIndex - https://github.com/protocolbuffers/protobuf/pull/10673
OSSIndex - https://security-tracker.debian.org/tracker/CVE-2022-3509

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:com.google.protobuf:protobuf-java:3.11.4:*:*:*:*:*:*:*

CVE-2022-3510 (OSSINDEX)

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-3510 for details

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-3510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3510
OSSIndex - https://github.com/advisories/GHSA-4gg5-vx3j-xwc7

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:com.google.protobuf:protobuf-java:3.11.4:*:*:*:*:*:*:*

CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

NVD-CWE-noinfo

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSSv3:

Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

Description:

Enterprise Job Scheduler

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
Apache Software License, Version 2.0

File Path: /home/grprdist/.m2/repository/org/quartz-scheduler/quartz/2.3.2/quartz-2.3.2.jar
MD5: d7299dbaec0e0ed7af281b07cc40c8c1
SHA1: 18a6d6b5a40b77bd060b34cb9f2acadc4bae7c8a
SHA256:639c6a675bc472e1568df9d8c954ff702da6f83ed27da0ff9a7bd12ed73b8bf0
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	quartz	High
Vendor	hint analyzer	vendor	softwareag	Highest
Vendor	jar	package name	job	Highest
Vendor	jar	package name	quartz	Highest
Vendor	jar	package name	scheduler	Highest
Vendor	Manifest	bundle-docurl	http://www.terracotta.org	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.6	Low
Vendor	Manifest	bundle-symbolicname	org.quartz-scheduler.quartz	Medium
Vendor	Manifest	terracotta-name	quartz	Medium
Vendor	Manifest	terracotta-projectstatus	Supported	Low
Vendor	pom	artifactid	quartz	Highest
Vendor	pom	artifactid	quartz	Low
Vendor	pom	groupid	org.quartz-scheduler	Highest
Vendor	pom	name	quartz	High
Vendor	pom	parent-artifactid	quartz-parent	Low
Product	file	name	quartz	High
Product	jar	package name	job	Highest
Product	jar	package name	quartz	Highest
Product	jar	package name	scheduler	Highest
Product	jar	package name	terracotta	Highest
Product	Manifest	bundle-docurl	http://www.terracotta.org	Low
Product	Manifest	Bundle-Name	quartz	Medium
Product	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.6	Low
Product	Manifest	bundle-symbolicname	org.quartz-scheduler.quartz	Medium
Product	Manifest	terracotta-name	quartz	Medium
Product	Manifest	terracotta-projectstatus	Supported	Low
Product	pom	artifactid	quartz	Highest
Product	pom	groupid	org.quartz-scheduler	Highest
Product	pom	name	quartz	High
Product	pom	parent-artifactid	quartz-parent	Medium
Version	file	version	2.3.2	High
Version	Manifest	Bundle-Version	2.3.2	High
Version	pom	version	2.3.2	Highest

Identifiers

pkg:maven/org.quartz-scheduler/quartz@2.3.2 (Confidence:High)
cpe:2.3:a:softwareag:quartz:2.3.2:*:*:*:*:*:*:* (Confidence:Highest)

File Path: /home/grprdist/.m2/repository/org/apache/rampart/rampart-core/1.6.3/rampart-core-1.6.3.jar
MD5: 0cbfedf143fe82ac905007fa511b4edc
SHA1: 1e7bd2bd86b31cf3da506cedd7795f27dbb59786
SHA256:7b02ff1069eb88c269059dc1594367bdab5c5b71b2de8a3caf8c8bf231a5cf3e
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	rampart-core	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	rampart	Highest
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.rampart	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	artifactid	rampart-core	Highest
Vendor	pom	artifactid	rampart-core	Low
Vendor	pom	groupid	org.apache.rampart	Highest
Vendor	pom	name	Rampart - Core	High
Vendor	pom	parent-artifactid	rampart-project	Low
Product	file	name	rampart-core	High
Product	jar	package name	apache	Highest
Product	jar	package name	rampart	Highest
Product	Manifest	Implementation-Title	Rampart - Core	High
Product	Manifest	specification-title	Rampart - Core	Medium
Product	pom	artifactid	rampart-core	Highest
Product	pom	groupid	org.apache.rampart	Highest
Product	pom	name	Rampart - Core	High
Product	pom	parent-artifactid	rampart-project	Medium
Version	file	version	1.6.3	High
Version	Manifest	Implementation-Version	1.6.3	High
Version	pom	version	1.6.3	Highest

Identifiers

pkg:maven/org.apache.rampart/rampart-core@1.6.3 (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/apache/rampart/rampart-policy/1.6.3/rampart-policy-1.6.3.jar
MD5: 8ca68b706a67111b8befb4aa4719b0e1
SHA1: f30fdc22cd01ac3af5e7993671f3a39e84e8817f
SHA256:6d2c5f7813aa45e1efd4bba19c8b4a973a8f979a397b1b6e7da4536fb3ac21c5
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	rampart-policy	High
Vendor	jar	package name	apache	Highest
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.rampart	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	artifactid	rampart-policy	Highest
Vendor	pom	artifactid	rampart-policy	Low
Vendor	pom	groupid	org.apache.rampart	Highest
Vendor	pom	name	Rampart - Policy	High
Vendor	pom	parent-artifactid	rampart-project	Low
Product	file	name	rampart-policy	High
Product	jar	package name	apache	Highest
Product	Manifest	Implementation-Title	Rampart - Policy	High
Product	Manifest	specification-title	Rampart - Policy	Medium
Product	pom	artifactid	rampart-policy	Highest
Product	pom	groupid	org.apache.rampart	Highest
Product	pom	name	Rampart - Policy	High
Product	pom	parent-artifactid	rampart-project	Medium
Version	file	version	1.6.3	High
Version	Manifest	Implementation-Version	1.6.3	High
Version	pom	version	1.6.3	Highest

Identifiers

pkg:maven/org.apache.rampart/rampart-policy@1.6.3 (Confidence:High)

File Path: /home/grprdist/.m2/repository/org/apache/rampart/rampart-trust/1.6.3/rampart-trust-1.6.3.jar
MD5: 63b25725f4a2fe71065050a4fe25e50f
SHA1: f10e1cd5c7ba8b22a7569909ab06dde00191905d
SHA256:72fa50ae6524e65e3d15dda16aa64f2ad035efd3b4d658e1f5aac01302d59f23
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	rampart-trust	High
Vendor	jar	package name	apache	Highest
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.rampart	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	artifactid	rampart-trust	Highest
Vendor	pom	artifactid	rampart-trust	Low
Vendor	pom	groupid	org.apache.rampart	Highest
Vendor	pom	name	Rampart - Trust	High
Vendor	pom	parent-artifactid	rampart-project	Low
Product	file	name	rampart-trust	High
Product	jar	package name	apache	Highest
Product	Manifest	Implementation-Title	Rampart - Trust	High
Product	Manifest	specification-title	Rampart - Trust	Medium
Product	pom	artifactid	rampart-trust	Highest
Product	pom	groupid	org.apache.rampart	Highest
Product	pom	name	Rampart - Trust	High
Product	pom	parent-artifactid	rampart-project	Medium
Version	file	version	1.6.3	High
Version	Manifest	Implementation-Version	1.6.3	High
Version	pom	version	1.6.3	Highest

Identifiers

pkg:maven/org.apache.rampart/rampart-trust@1.6.3 (Confidence:High)

Description:

Reflections - a Java runtime metadata analysis

License:

WTFPL: http://www.wtfpl.net/
The New BSD License: http://www.opensource.org/licenses/bsd-license.html

File Path: /home/grprdist/.m2/repository/org/reflections/reflections/0.9.9/reflections-0.9.9.jar
MD5: 5f13944b355f927f956b6298136ad959
SHA1: 0296d8adb2f22a38025f44b45cac89835ff0bbaf
SHA256:6a6c56d436f1f34e609bbf2d9b222f449f916941916dd874e7e15ff907daed1c
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	reflections	High
Vendor	jar	package name	reflections	Highest
Vendor	jar	package name	reflections	Low
Vendor	pom	artifactid	reflections	Highest
Vendor	pom	artifactid	reflections	Low
Vendor	pom	developer email	ronmamo at gmail	Low
Vendor	pom	groupid	org.reflections	Highest
Vendor	pom	name	Reflections	High
Vendor	pom	url	http://github.com/ronmamo/reflections	Highest
Product	file	name	reflections	High
Product	jar	package name	reflections	Highest
Product	pom	artifactid	reflections	Highest
Product	pom	developer email	ronmamo at gmail	Low
Product	pom	groupid	org.reflections	Highest
Product	pom	name	Reflections	High
Product	pom	url	http://github.com/ronmamo/reflections	Medium
Version	file	version	0.9.9	High
Version	pom	version	0.9.9	Highest

Identifiers

pkg:maven/org.reflections/reflections@0.9.9 (Confidence:High)

File Path: /home/grprdist/.m2/repository/edu/psu/swe/scim/scim-common/2.22/scim-common-2.22.jar
MD5: 863af25f99e1d327bc22532afeb42428
SHA1: 056ea5df19814b1f4e5dfea2e1030a6f3544c96c
SHA256:cda5ae540e8d2f44d3558d95758a7a0c1dc6004e17b0b732fe1f28012694eb81
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim-common	High
Vendor	jar	package name	edu	Highest
Vendor	jar	package name	psu	Highest
Vendor	jar	package name	scim	Highest
Vendor	jar	package name	swe	Highest
Vendor	Manifest	build-date	1525129157136	Low
Vendor	Manifest	build-number		Low
Vendor	Manifest	Implementation-Vendor-Id	edu.psu.swe.scim	Medium
Vendor	pom	artifactid	scim-common	Highest
Vendor	pom	artifactid	scim-common	Low
Vendor	pom	groupid	edu.psu.swe.scim	Highest
Vendor	pom	name	SCIM - Common	High
Vendor	pom	parent-artifactid	scim-parent	Low
Product	file	name	scim-common	High
Product	jar	package name	edu	Highest
Product	jar	package name	psu	Highest
Product	jar	package name	scim	Highest
Product	jar	package name	swe	Highest
Product	Manifest	build-date	1525129157136	Low
Product	Manifest	build-number		Low
Product	Manifest	Implementation-Title	SCIM - Common	High
Product	Manifest	specification-title	SCIM - Common	Medium
Product	pom	artifactid	scim-common	Highest
Product	pom	groupid	edu.psu.swe.scim	Highest
Product	pom	name	SCIM - Common	High
Product	pom	parent-artifactid	scim-parent	Medium
Version	file	version	2.22	High
Version	Manifest	Implementation-Version	2.22	High
Version	pom	version	2.22	Highest

Identifiers

pkg:maven/edu.psu.swe.scim/scim-common@2.22 (Confidence:High)

File Path: /home/grprdist/.m2/repository/edu/psu/swe/scim/scim-server-common/2.22/scim-server-common-2.22.jar
MD5: ca435af9a84e81e3ee458cccc20e6454
SHA1: 1be5948ac74c352a3c1d702d9239daeee5eaf1e6
SHA256:f031a0e309ffdf53f70cddaae2c6dc7b8fc3938818cdaa0f5df18acf42e8d5d6
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim-server-common	High
Vendor	jar	package name	edu	Highest
Vendor	jar	package name	psu	Highest
Vendor	jar	package name	scim	Highest
Vendor	jar	package name	swe	Highest
Vendor	Manifest	build-date	1525129244890	Low
Vendor	Manifest	build-number		Low
Vendor	Manifest	Implementation-Vendor-Id	edu.psu.swe.scim	Medium
Vendor	pom	artifactid	scim-server-common	Highest
Vendor	pom	artifactid	scim-server-common	Low
Vendor	pom	groupid	edu.psu.swe.scim	Highest
Vendor	pom	name	SCIM - Server - Common	High
Vendor	pom	parent-artifactid	scim-server	Low
Product	file	name	scim-server-common	High
Product	jar	package name	edu	Highest
Product	jar	package name	psu	Highest
Product	jar	package name	scim	Highest
Product	jar	package name	swe	Highest
Product	Manifest	build-date	1525129244890	Low
Product	Manifest	build-number		Low
Product	Manifest	Implementation-Title	SCIM - Server - Common	High
Product	Manifest	specification-title	SCIM - Server - Common	Medium
Product	pom	artifactid	scim-server-common	Highest
Product	pom	groupid	edu.psu.swe.scim	Highest
Product	pom	name	SCIM - Server - Common	High
Product	pom	parent-artifactid	scim-server	Medium
Version	file	version	2.22	High
Version	Manifest	Implementation-Version	2.22	High
Version	pom	version	2.22	Highest

Identifiers

pkg:maven/edu.psu.swe.scim/scim-server-common@2.22 (Confidence:High)

File Path: /home/grprdist/.m2/repository/edu/psu/swe/scim/scim-spec-protocol/2.22/scim-spec-protocol-2.22.jar
MD5: 275585181fda639f510f472f4bdf4295
SHA1: 03dc0a008c95546e57db16d573326727eba3cf19
SHA256:aa865bd68c7d2b307805f9e77e55f7b56d509bf620738b2f487a5a21759e8c57
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim-spec-protocol	High
Vendor	jar	package name	edu	Highest
Vendor	jar	package name	psu	Highest
Vendor	jar	package name	scim	Highest
Vendor	jar	package name	swe	Highest
Vendor	Manifest	build-date	1525129136538	Low
Vendor	Manifest	build-number		Low
Vendor	Manifest	Implementation-Vendor-Id	edu.psu.swe.scim	Medium
Vendor	pom	artifactid	scim-spec-protocol	Highest
Vendor	pom	artifactid	scim-spec-protocol	Low
Vendor	pom	groupid	edu.psu.swe.scim	Highest
Vendor	pom	name	SCIM - Specification - Protocol	High
Vendor	pom	parent-artifactid	scim-spec	Low
Product	file	name	scim-spec-protocol	High
Product	jar	package name	edu	Highest
Product	jar	package name	psu	Highest
Product	jar	package name	scim	Highest
Product	jar	package name	swe	Highest
Product	Manifest	build-date	1525129136538	Low
Product	Manifest	build-number		Low
Product	Manifest	Implementation-Title	SCIM - Specification - Protocol	High
Product	Manifest	specification-title	SCIM - Specification - Protocol	Medium
Product	pom	artifactid	scim-spec-protocol	Highest
Product	pom	groupid	edu.psu.swe.scim	Highest
Product	pom	name	SCIM - Specification - Protocol	High
Product	pom	parent-artifactid	scim-spec	Medium
Version	file	version	2.22	High
Version	Manifest	Implementation-Version	2.22	High
Version	pom	version	2.22	Highest

Identifiers

pkg:maven/edu.psu.swe.scim/scim-spec-protocol@2.22 (Confidence:High)

File Path: /home/grprdist/.m2/repository/edu/psu/swe/scim/scim-spec-schema/2.22/scim-spec-schema-2.22.jar
MD5: 67924518854e34c22ae83bc9df146993
SHA1: 07ba31a942dd8672640e0a47e605ad4ea6fb6159
SHA256:317b4d507593a37be9cd2a07dc75dc8331fc4b0f9d18554bf741a6ea68e14f2f
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim-spec-schema	High
Vendor	jar	package name	edu	Highest
Vendor	jar	package name	psu	Highest
Vendor	jar	package name	scim	Highest
Vendor	jar	package name	swe	Highest
Vendor	Manifest	build-date	1525129104207	Low
Vendor	Manifest	build-number		Low
Vendor	Manifest	Implementation-Vendor-Id	edu.psu.swe.scim	Medium
Vendor	pom	artifactid	scim-spec-schema	Highest
Vendor	pom	artifactid	scim-spec-schema	Low
Vendor	pom	groupid	edu.psu.swe.scim	Highest
Vendor	pom	name	SCIM - Specification - Schema	High
Vendor	pom	parent-artifactid	scim-spec	Low
Product	file	name	scim-spec-schema	High
Product	jar	package name	edu	Highest
Product	jar	package name	psu	Highest
Product	jar	package name	scim	Highest
Product	jar	package name	swe	Highest
Product	Manifest	build-date	1525129104207	Low
Product	Manifest	build-number		Low
Product	Manifest	Implementation-Title	SCIM - Specification - Schema	High
Product	Manifest	specification-title	SCIM - Specification - Schema	Medium
Product	pom	artifactid	scim-spec-schema	Highest
Product	pom	groupid	edu.psu.swe.scim	Highest
Product	pom	name	SCIM - Specification - Schema	High
Product	pom	parent-artifactid	scim-spec	Medium
Version	file	version	2.22	High
Version	Manifest	Implementation-Version	2.22	High
Version	pom	version	2.22	Highest

Identifiers

pkg:maven/edu.psu.swe.scim/scim-spec-schema@2.22 (Confidence:High)

Description:

      The UnboundID SCIM2 SDK is a library that may be used to interact with various
      types of SCIM-enabled endpoints (such as the UnboundID server products) to
      perform lightweight, cloud-based identity management via the SCIM Protocol.
      See http://simplecloud.info for more information.

License:

GNU General Public License version 2 (GPLv2): http://www.gnu.org/licenses/gpl-2.0.html
GNU Lesser General Public License version 2.1 (LGPLv2.1): http://www.gnu.org/licenses/lgpl-2.1.html
UnboundID SCIM2 SDK Free Use License: https://github.com/pingidentity/scim2

File Path: /home/grprdist/.m2/repository/com/unboundid/product/scim2/scim2-sdk-client/2.3.7/scim2-sdk-client-2.3.7.jar
MD5: e3e918223fb7cd140fbcd306b6135fc5
SHA1: 3d08d77a96d2fa5551183e9a9d226800053e233e
SHA256:6798a3c586dff309bf8913db9aeef755c8d651d3b64b7546378c8f46a683f550
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim2-sdk-client	High
Vendor	jar	package name	client	Highest
Vendor	jar	package name	client	Low
Vendor	jar	package name	scim2	Highest
Vendor	jar	package name	scim2	Low
Vendor	jar	package name	unboundid	Highest
Vendor	jar	package name	unboundid	Low
Vendor	pom	artifactid	scim2-sdk-client	Highest
Vendor	pom	artifactid	scim2-sdk-client	Low
Vendor	pom	developer email	support@unboundid.com	Low
Vendor	pom	developer id	unboundid	Medium
Vendor	pom	developer name	UnboundID Corp.	Medium
Vendor	pom	groupid	com.unboundid.product.scim2	Highest
Vendor	pom	name	UnboundID SCIM2 SDK Client	High
Vendor	pom	organization name	Ping Identity Corporation	High
Vendor	pom	organization url	https://www.pingidentity.com	Medium
Vendor	pom	parent-artifactid	scim2-parent	Low
Vendor	pom	url	pingidentity/scim2	Highest
Product	file	name	scim2-sdk-client	High
Product	jar	package name	client	Highest
Product	jar	package name	client	Low
Product	jar	package name	requests	Low
Product	jar	package name	scim2	Highest
Product	jar	package name	scim2	Low
Product	jar	package name	unboundid	Highest
Product	pom	artifactid	scim2-sdk-client	Highest
Product	pom	developer email	support@unboundid.com	Low
Product	pom	developer id	unboundid	Low
Product	pom	developer name	UnboundID Corp.	Low
Product	pom	groupid	com.unboundid.product.scim2	Highest
Product	pom	name	UnboundID SCIM2 SDK Client	High
Product	pom	organization name	Ping Identity Corporation	Low
Product	pom	organization url	https://www.pingidentity.com	Low
Product	pom	parent-artifactid	scim2-parent	Medium
Product	pom	url	pingidentity/scim2	High
Version	file	version	2.3.7	High
Version	pom	version	2.3.7	Highest

Identifiers

pkg:maven/com.unboundid.product.scim2/scim2-sdk-client@2.3.7 (Confidence:High)

Description:

      The UnboundID SCIM2 SDK is a library that may be used to interact with various
      types of SCIM-enabled endpoints (such as the UnboundID server products) to
      perform lightweight, cloud-based identity management via the SCIM Protocol.
      See http://simplecloud.info for more information.

License:

GNU General Public License version 2 (GPLv2): http://www.gnu.org/licenses/gpl-2.0.html
GNU Lesser General Public License version 2.1 (LGPLv2.1): http://www.gnu.org/licenses/lgpl-2.1.html
UnboundID SCIM2 SDK Free Use License: https://github.com/pingidentity/scim2

File Path: /home/grprdist/.m2/repository/com/unboundid/product/scim2/scim2-sdk-common/2.3.7/scim2-sdk-common-2.3.7.jar
MD5: 31431671351615ee26879cb2c0bf61ae
SHA1: facf6780a0804e0262e395da0eb7fe3dd9eaf5ad
SHA256:59f19cfcd48ba49ee2f62f53777d55bba2a3b0b290285f836235d8e2d878cdad
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim2-sdk-common	High
Vendor	jar	package name	common	Highest
Vendor	jar	package name	common	Low
Vendor	jar	package name	scim2	Highest
Vendor	jar	package name	scim2	Low
Vendor	jar	package name	types	Highest
Vendor	jar	package name	unboundid	Highest
Vendor	jar	package name	unboundid	Low
Vendor	pom	artifactid	scim2-sdk-common	Highest
Vendor	pom	artifactid	scim2-sdk-common	Low
Vendor	pom	developer email	support@unboundid.com	Low
Vendor	pom	developer id	unboundid	Medium
Vendor	pom	developer name	UnboundID Corp.	Medium
Vendor	pom	groupid	com.unboundid.product.scim2	Highest
Vendor	pom	name	UnboundID SCIM2 SDK Common	High
Vendor	pom	organization name	Ping Identity Corporation	High
Vendor	pom	organization url	https://www.pingidentity.com	Medium
Vendor	pom	parent-artifactid	scim2-parent	Low
Vendor	pom	url	pingidentity/scim2	Highest
Product	file	name	scim2-sdk-common	High
Product	jar	package name	common	Highest
Product	jar	package name	common	Low
Product	jar	package name	scim2	Highest
Product	jar	package name	scim2	Low
Product	jar	package name	types	Highest
Product	jar	package name	unboundid	Highest
Product	pom	artifactid	scim2-sdk-common	Highest
Product	pom	developer email	support@unboundid.com	Low
Product	pom	developer id	unboundid	Low
Product	pom	developer name	UnboundID Corp.	Low
Product	pom	groupid	com.unboundid.product.scim2	Highest
Product	pom	name	UnboundID SCIM2 SDK Common	High
Product	pom	organization name	Ping Identity Corporation	Low
Product	pom	organization url	https://www.pingidentity.com	Low
Product	pom	parent-artifactid	scim2-parent	Medium
Product	pom	url	pingidentity/scim2	High
Version	file	version	2.3.7	High
Version	pom	version	2.3.7	Highest

Identifiers

pkg:maven/com.unboundid.product.scim2/scim2-sdk-common@2.3.7 (Confidence:High)

Description:

    The UnboundID SCIM2 SDK is a library that may be used to interact with various
    types of SCIM-enabled endpoints (such as the UnboundID server products) to
    perform lightweight, cloud-based identity management via the SCIM Protocol.
    See http://simplecloud.info for more information.

License:

GNU General Public License version 2 (GPLv2): http://www.gnu.org/licenses/gpl-2.0.html
GNU Lesser General Public License version 2.1 (LGPLv2.1): http://www.gnu.org/licenses/lgpl-2.1.html
UnboundID SCIM2 SDK Free Use License: https://github.com/pingidentity/scim2

File Path: /home/grprdist/.m2/repository/com/unboundid/product/scim2/scim2-sdk-server/2.3.7/scim2-sdk-server-2.3.7.jar
MD5: e2d8a00f5cd272affd32637fa660ed1a
SHA1: 228a2ff37cc5163a9fbaaa8319a0dfeb50c9bf60
SHA256:ea54049f80d77233fddbb96e94e53205119de2db4626583227757ac19f7e6ea3
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	scim2-sdk-server	High
Vendor	jar	package name	scim2	Highest
Vendor	jar	package name	scim2	Low
Vendor	jar	package name	server	Highest
Vendor	jar	package name	server	Low
Vendor	jar	package name	unboundid	Highest
Vendor	jar	package name	unboundid	Low
Vendor	pom	artifactid	scim2-sdk-server	Highest
Vendor	pom	artifactid	scim2-sdk-server	Low
Vendor	pom	developer email	support@unboundid.com	Low
Vendor	pom	developer id	unboundid	Medium
Vendor	pom	developer name	UnboundID Corp.	Medium
Vendor	pom	groupid	com.unboundid.product.scim2	Highest
Vendor	pom	name	UnboundID SCIM2 SDK Server	High
Vendor	pom	organization name	Ping Identity Corporation	High
Vendor	pom	organization url	https://www.pingidentity.com	Medium
Vendor	pom	parent-artifactid	scim2-parent	Low
Vendor	pom	url	pingidentity/scim2	Highest
Product	file	name	scim2-sdk-server	High
Product	jar	package name	scim2	Highest
Product	jar	package name	scim2	Low
Product	jar	package name	server	Highest
Product	jar	package name	server	Low
Product	jar	package name	unboundid	Highest
Product	jar	package name	utils	Low
Product	pom	artifactid	scim2-sdk-server	Highest
Product	pom	developer email	support@unboundid.com	Low
Product	pom	developer id	unboundid	Low
Product	pom	developer name	UnboundID Corp.	Low
Product	pom	groupid	com.unboundid.product.scim2	Highest
Product	pom	name	UnboundID SCIM2 SDK Server	High
Product	pom	organization name	Ping Identity Corporation	Low
Product	pom	organization url	https://www.pingidentity.com	Low
Product	pom	parent-artifactid	scim2-parent	Medium
Product	pom	url	pingidentity/scim2	High
Version	file	version	2.3.7	High
Version	pom	version	2.3.7	Highest

Identifiers

pkg:maven/com.unboundid.product.scim2/scim2-sdk-server@2.3.7 (Confidence:High)

Description:

    Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input
    SAX events.

File Path: /home/grprdist/.m2/repository/xalan/serializer/2.7.1/serializer-2.7.1.jar
MD5: a6b64dfe58229bdd810263fa0cc54cff
SHA1: 4b4b18df434451249bb65a63f2fb69e215a6a020
SHA256:a15078d243d4a20b6b4e8ae2f61ed4655e352054e121aada6f7441f1ed445a3c
Referenced In Project/Scope:Grouper WS Generated Client:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	serializer	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	serializer	Highest
Vendor	jar	package name	xml	Highest
Vendor	manifest: org/apache/xml/serializer/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xml/serializer/utils/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	serializer	Highest
Vendor	pom	artifactid	serializer	Low
Vendor	pom	groupid	xalan	Highest
Vendor	pom	name	Xalan Java Serializer	High
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	parent-groupid	org.apache	Medium
Vendor	pom	url	http://xml.apache.org/xalan-j/	Highest
Product	file	name	serializer	High
Product	jar	package name	apache	Highest
Product	jar	package name	serializer	Highest
Product	jar	package name	utils	Highest
Product	jar	package name	xml	Highest
Product	manifest: org/apache/xml/serializer/	Implementation-Title	org.apache.xml.serializer	Medium
Product	manifest: org/apache/xml/serializer/	Specification-Title	XSL Transformations (XSLT), at http://www.w3.org/TR/xslt	Medium
Product	manifest: org/apache/xml/serializer/utils/	Implementation-Title	org.apache.xml.serializer.utils	Medium
Product	pom	artifactid	serializer	Highest
Product	pom	groupid	xalan	Highest
Product	pom	name	Xalan Java Serializer	High
Product	pom	parent-artifactid	apache	Medium
Product	pom	parent-groupid	org.apache	Medium
Product	pom	url	http://xml.apache.org/xalan-j/	Medium
Version	file	version	2.7.1	High
Version	manifest: org/apache/xml/serializer/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/xml/serializer/utils/	Implementation-Version	2.7.1	Medium
Version	pom	parent-version	2.7.1	Low
Version	pom	version	2.7.1	Highest

Identifiers

pkg:maven/xalan/serializer@2.7.1 (Confidence:High)
cpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2014-0107

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

BID - 66397
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1581058
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674334
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676093
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677145
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21680703
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681933
CONFIRM - http://www.ibm.com/support/docview.wss?uid=swg21677967
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
CONFIRM - https://issues.apache.org/jira/browse/XALANJ-2435
CONFIRM - https://www.tenable.com/security/tns-2018-15
DEBIAN - DSA-2886
GENTOO - GLSA-201604-02
MISC - http://www.ocert.org/advisories/ocert-2014-002.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [tomcat-dev] 20210823 [Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107
MLIST - [tomcat-dev] 20210823 [Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107
N/A - N/A
OSSINDEX - [CVE-2014-0107] CWE-264: Permissions, Privileges, and Access Controls
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107
OSSIndex - https://issues.apache.org/jira/browse/XALANJ-2435
REDHAT - RHSA-2014:0348
REDHAT - RHSA-2014:1351
REDHAT - RHSA-2015:1888
SECTRACK - 1034711
SECTRACK - 1034716
SECUNIA - 57563
SECUNIA - 59036
SECUNIA - 59151
SECUNIA - 59247
SECUNIA - 59290
SECUNIA - 59291
SECUNIA - 59369
SECUNIA - 59515
SECUNIA - 59711
SECUNIA - 60502
XF - apache-xalanjava-cve20140107-sec-bypass(92023)

Vulnerable Software & Versions: (show all)

CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

File Path: /home/grprdist/.m2/repository/javax/servlet/servlet-api/2.3/servlet-api-2.3.jar
MD5: c097f777c6fd453277c6891b3bb4dc09
SHA1: 0137a24e9f62973f01f16dd23fc1b5a9964fd9ef
SHA256:8478b902d0815ed066db860fb14cc5d404548d4b6348ab930b46270fcddeba68
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	servlet-api	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	javax	Low
Vendor	jar	package name	servlet	Highest
Vendor	jar	package name	servlet	Low
Vendor	pom	artifactid	servlet-api	Highest
Vendor	pom	artifactid	servlet-api	Low
Vendor	pom	groupid	javax.servlet	Highest
Product	file	name	servlet-api	High
Product	jar	package name	javax	Highest
Product	jar	package name	servlet	Highest
Product	jar	package name	servlet	Low
Product	pom	artifactid	servlet-api	Highest
Product	pom	groupid	javax.servlet	Highest
Version	file	version	2.3	High
Version	pom	version	2.3	Highest

Identifiers

pkg:maven/javax.servlet/servlet-api@2.3 (Confidence:High)

Description:

The slf4j API

File Path: /home/grprdist/.m2/repository/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.jar
MD5: fbcf58513bc25b80f075d812aad3e3cf
SHA1: cdcff33940d9f2de763bc41ea05a0be5941176c3
SHA256:3624f8474c1af46d75f98bc097d7864a323c81b3808aa43689a6e1c601c027be
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	slf4j-api	High
Vendor	jar	package name	slf4j	Highest
Vendor	Manifest	automatic-module-name	org.slf4j	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	Manifest	bundle-symbolicname	slf4j.api	Medium
Vendor	pom	artifactid	slf4j-api	Highest
Vendor	pom	artifactid	slf4j-api	Low
Vendor	pom	groupid	org.slf4j	Highest
Vendor	pom	name	SLF4J API Module	High
Vendor	pom	parent-artifactid	slf4j-parent	Low
Vendor	pom	url	http://www.slf4j.org	Highest
Product	file	name	slf4j-api	High
Product	jar	package name	slf4j	Highest
Product	Manifest	automatic-module-name	org.slf4j	Medium
Product	Manifest	Bundle-Name	slf4j-api	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	bundle-symbolicname	slf4j.api	Medium
Product	Manifest	Implementation-Title	slf4j-api	High
Product	pom	artifactid	slf4j-api	Highest
Product	pom	groupid	org.slf4j	Highest
Product	pom	name	SLF4J API Module	High
Product	pom	parent-artifactid	slf4j-parent	Medium
Product	pom	url	http://www.slf4j.org	Medium
Version	file	version	1.7.32	High
Version	Manifest	Bundle-Version	1.7.32	High
Version	Manifest	Implementation-Version	1.7.32	High
Version	pom	version	1.7.32	Highest

Identifiers

pkg:maven/org.slf4j/slf4j-api@1.7.32 (Confidence:High)

Description:

        Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence. A pure Java library, it can be embedded into your applications to create anything from a full XMPP client to simple XMPP integrations such as sending notification messages.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

File Path: /home/grprdist/.m2/repository/jivesoftware/smack/3.1.0/smack-3.1.0.jar
MD5: 362dd4c2fc9b23a33d47272456dd0c39
SHA1: 916a0fe08d840a08c950f49fb59b961e14d673b8
SHA256:c9a25e014608d3402b795d125c88a18a6e22e6c61c65b5e5d224e0f72f4aec8b
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	smack	High
Vendor	jar	package name	jivesoftware	Highest
Vendor	jar	package name	jivesoftware	Low
Vendor	jar	package name	presence	Highest
Vendor	jar	package name	smack	Highest
Vendor	jar	package name	smack	Low
Vendor	pom	artifactid	smack	Highest
Vendor	pom	artifactid	smack	Low
Vendor	pom	groupid	jivesoftware	Highest
Vendor	pom	name	Smack	High
Vendor	pom	url	http://www.jivesoftware.org/smack/	Highest
Product	file	name	smack	High
Product	jar	package name	jivesoftware	Highest
Product	jar	package name	presence	Highest
Product	jar	package name	smack	Highest
Product	jar	package name	smack	Low
Product	pom	artifactid	smack	Highest
Product	pom	groupid	jivesoftware	Highest
Product	pom	name	Smack	High
Product	pom	url	http://www.jivesoftware.org/smack/	Medium
Version	file	version	3.1.0	High
Version	pom	version	3.1.0	Highest

Identifiers

pkg:maven/jivesoftware/smack@3.1.0 (Confidence:High)

Published Vulnerabilities

CVE-2014-5075 (OSSINDEX)

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-310 Cryptographic Issues

CVSSv2:

Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

OSSINDEX - [CVE-2014-5075] CWE-310
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5075
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1127276
OSSIndex - https://op-co.de/CVE-2014-5075.html

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:jivesoftware:smack:3.1.0:*:*:*:*:*:*:*

CVE-2014-0363 (OSSINDEX)

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

CWE-295 Improper Certificate Validation

CVSSv2:

Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

OSSINDEX - [CVE-2014-0363] CWE-295: Improper Certificate Validation
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363
OSSIndex - https://issues.igniterealtime.org/browse/SMACK-410

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:jivesoftware:smack:3.1.0:*:*:*:*:*:*:*

Description:

Extensions to JSR-173 StAX API.

License:

                Dual license consisting of the CDDL v1.1 and GPL v2
            : https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html

File Path: /home/grprdist/.m2/repository/org/jvnet/staxex/stax-ex/1.8/stax-ex-1.8.jar
MD5: a0ebfdbc6b5a34b174a1d1f732d1bdda
SHA1: 8cc35f73da321c29973191f2cf143d29d26a1df7
SHA256:95b05d9590af4154c6513b9c5dc1fb2e55b539972ba0a9ef28e9a0c01d83ad77
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	stax-ex	High
Vendor	jar	package name	jvnet	Highest
Vendor	jar	package name	staxex	Highest
Vendor	Manifest	bundle-symbolicname	org.jvnet.staxex.stax-ex	Medium
Vendor	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Vendor	Manifest	implementation-url	http://stax-ex.java.net/	Low
Vendor	Manifest	Implementation-Vendor-Id	org.jvnet.staxex	Medium
Vendor	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Vendor	pom	artifactid	stax-ex	Highest
Vendor	pom	artifactid	stax-ex	Low
Vendor	pom	developer email	Roman.Grigoriadi@oracle.com	Low
Vendor	pom	developer email	Zheng.Jun.Li@oracle.com	Low
Vendor	pom	developer id	bravehorsie	Medium
Vendor	pom	developer id	zhengjl	Medium
Vendor	pom	developer name	Roman Grigoriadi	Medium
Vendor	pom	developer name	Zheng Jun Li	Medium
Vendor	pom	groupid	org.jvnet.staxex	Highest
Vendor	pom	name	Extended StAX API	High
Vendor	pom	parent-artifactid	jvnet-parent	Low
Vendor	pom	parent-groupid	net.java	Medium
Vendor	pom	url	http://stax-ex.java.net/	Highest
Product	file	name	stax-ex	High
Product	jar	package name	jvnet	Highest
Product	jar	package name	staxex	Highest
Product	Manifest	Bundle-Name	Extended StAX API	Medium
Product	Manifest	bundle-symbolicname	org.jvnet.staxex.stax-ex	Medium
Product	Manifest	implementation-build-id	${scmBranch}-${buildNumber}, ${timestamp}	Low
Product	Manifest	Implementation-Title	Extended StAX API	High
Product	Manifest	implementation-url	http://stax-ex.java.net/	Low
Product	Manifest	originally-created-by	Apache Maven Bundle Plugin	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=9.0))"	Low
Product	pom	artifactid	stax-ex	Highest
Product	pom	developer email	Roman.Grigoriadi@oracle.com	Low
Product	pom	developer email	Zheng.Jun.Li@oracle.com	Low
Product	pom	developer id	bravehorsie	Low
Product	pom	developer id	zhengjl	Low
Product	pom	developer name	Roman Grigoriadi	Low
Product	pom	developer name	Zheng Jun Li	Low
Product	pom	groupid	org.jvnet.staxex	Highest
Product	pom	name	Extended StAX API	High
Product	pom	parent-artifactid	jvnet-parent	Medium
Product	pom	parent-groupid	net.java	Medium
Product	pom	url	http://stax-ex.java.net/	Medium
Version	file	version	1.8	High
Version	Manifest	Implementation-Version	1.8	High
Version	pom	parent-version	1.8	Low
Version	pom	version	1.8	Highest

Identifiers

pkg:maven/org.jvnet.staxex/stax-ex@1.8 (Confidence:High)
cpe:2.3:a:oracle:java_se:1.8:*:*:*:*:*:*:* (Confidence:Low)

Description:

Stax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php

File Path: /home/grprdist/.m2/repository/org/codehaus/woodstox/stax2-api/3.1.1/stax2-api-3.1.1.jar
MD5: 40d088c7b8b3f6759a40db54ce1f30e5
SHA1: 0466eab062e9d1a3ce2c4631b6d09b5e5c0cbd1b
SHA256:850bbbbaaa1e7ecc4ebecdb8a283ff36d1f2451c6797b0175bc40ae2ad9b31c4
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:runtime
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	stax2-api	High
Vendor	jar	package name	codehaus	Highest
Vendor	jar	package name	stax2	Highest
Vendor	jar	package name	typed	Highest
Vendor	jar	package name	validation	Highest
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Vendor	Manifest	bundle-symbolicname	stax2-api	Medium
Vendor	Manifest	Implementation-Vendor	http://woodstox.codehaus.org	High
Vendor	Manifest	specification-vendor	http://woodstox.codehaus.org	Low
Vendor	pom	artifactid	stax2-api	Highest
Vendor	pom	artifactid	stax2-api	Low
Vendor	pom	groupid	org.codehaus.woodstox	Highest
Vendor	pom	name	Stax2 API	High
Vendor	pom	organization name	Codehaus	High
Vendor	pom	organization url	http://www.codehaus.org/	Medium
Vendor	pom	url	http://woodstox.codehaus.org/StAX2	Highest
Product	file	name	stax2-api	High
Product	jar	package name	codehaus	Highest
Product	jar	package name	stax2	Highest
Product	jar	package name	typed	Highest
Product	jar	package name	validation	Highest
Product	Manifest	Bundle-Name	Stax2 API	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Product	Manifest	bundle-symbolicname	stax2-api	Medium
Product	Manifest	Implementation-Title	Stax2 API	High
Product	Manifest	specification-title	Stax2 API	Medium
Product	pom	artifactid	stax2-api	Highest
Product	pom	groupid	org.codehaus.woodstox	Highest
Product	pom	name	Stax2 API	High
Product	pom	organization name	Codehaus	Low
Product	pom	organization url	http://www.codehaus.org/	Low
Product	pom	url	http://woodstox.codehaus.org/StAX2	Medium
Version	file	version	3.1.1	High
Version	Manifest	Bundle-Version	3.1.1	High
Version	Manifest	Implementation-Version	3.1.1	High
Version	pom	version	3.1.1	Highest

Identifiers

pkg:maven/org.codehaus.woodstox/stax2-api@3.1.1 (Confidence:High)

License:

http://www.apache.org/licenses/LICENSE-2.0.html

File Path: /home/grprdist/.m2/repository/io/swagger/swagger-annotations/1.5.0/swagger-annotations-1.5.0.jar
MD5: c16eb2bdd9f90e97849950178c4c543d
SHA1: f7497f7887e65277c0dab1da1148cf211083f3d4
SHA256:298386371cef279ebafd891e78003bb6d0295abdcc7bc3542eea3c543526cc42
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	swagger-annotations	High
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	swagger	Highest
Vendor	Manifest	bundle-symbolicname	io.swagger.annotations	Medium
Vendor	Manifest	mode	development	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-annotations	Low
Vendor	pom	artifactid	swagger-annotations	Highest
Vendor	pom	artifactid	swagger-annotations	Low
Vendor	pom	groupid	io.swagger	Highest
Vendor	pom	name	swagger-annotations	High
Vendor	pom	parent-artifactid	swagger-project	Low
Product	file	name	swagger-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	api	Highest
Product	jar	package name	io	Highest
Product	jar	package name	swagger	Highest
Product	Manifest	Bundle-Name	swagger-annotations	Medium
Product	Manifest	bundle-symbolicname	io.swagger.annotations	Medium
Product	Manifest	mode	development	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-annotations	Low
Product	pom	artifactid	swagger-annotations	Highest
Product	pom	groupid	io.swagger	Highest
Product	pom	name	swagger-annotations	High
Product	pom	parent-artifactid	swagger-project	Medium
Version	file	version	1.5.0	High
Version	Manifest	Bundle-Version	1.5.0	High
Version	Manifest	implementation-version	1.5.0	High
Version	pom	version	1.5.0	Highest

Identifiers

pkg:maven/io.swagger/swagger-annotations@1.5.0 (Confidence:High)

License:

http://www.apache.org/licenses/LICENSE-2.0.html

File Path: /home/grprdist/.m2/repository/io/swagger/swagger-annotations/1.6.3/swagger-annotations-1.6.3.jar
MD5: 942481616f73ad3273893e9c390985aa
SHA1: 7cd78274cad53849ab809a73cec06c7dbb5f374a
SHA256:ceb72bfad2be626cc0eeb53c7e89b727e5e270c25a533cc62a65d3f044bcae4d
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	swagger-annotations	High
Vendor	jar	package name	annotations	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	swagger	Highest
Vendor	Manifest	bundle-symbolicname	io.swagger.annotations	Medium
Vendor	Manifest	mode	development	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Vendor	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-annotations	Low
Vendor	pom	artifactid	swagger-annotations	Highest
Vendor	pom	artifactid	swagger-annotations	Low
Vendor	pom	groupid	io.swagger	Highest
Vendor	pom	name	swagger-annotations	High
Vendor	pom	parent-artifactid	swagger-project	Low
Product	file	name	swagger-annotations	High
Product	jar	package name	annotations	Highest
Product	jar	package name	api	Highest
Product	jar	package name	io	Highest
Product	jar	package name	swagger	Highest
Product	Manifest	Bundle-Name	swagger-annotations	Medium
Product	Manifest	bundle-symbolicname	io.swagger.annotations	Medium
Product	Manifest	mode	development	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"	Low
Product	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-annotations	Low
Product	pom	artifactid	swagger-annotations	Highest
Product	pom	groupid	io.swagger	Highest
Product	pom	name	swagger-annotations	High
Product	pom	parent-artifactid	swagger-project	Medium
Version	file	version	1.6.3	High
Version	Manifest	Bundle-Version	1.6.3	High
Version	Manifest	implementation-version	1.6.3	High
Version	pom	version	1.6.3	Highest

Identifiers

pkg:maven/io.swagger/swagger-annotations@1.6.3 (Confidence:High)

File Path: /home/grprdist/.m2/repository/io/swagger/swagger-core/1.5.0/swagger-core-1.5.0.jar
MD5: abc2015d9e823cb96abfa7e2937b43fb
SHA1: 09d5cfb8188ac316bad3a7b38c46bac0568c60e4
SHA256:aab9520f832a76b5f79464742525d263d779250c070baaa1271327c7d6f66d2e
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	swagger-core	High
Vendor	jar	package name	core	Highest
Vendor	jar	package name	io	Highest
Vendor	jar	package name	swagger	Highest
Vendor	Manifest	mode	development	Low
Vendor	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-core	Low
Vendor	pom	artifactid	swagger-core	Highest
Vendor	pom	artifactid	swagger-core	Low
Vendor	pom	groupid	io.swagger	Highest
Vendor	pom	name	swagger-core	High
Vendor	pom	parent-artifactid	swagger-project	Low
Product	file	name	swagger-core	High
Product	jar	package name	core	Highest
Product	jar	package name	io	Highest
Product	jar	package name	swagger	Highest
Product	Manifest	mode	development	Low
Product	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-core	Low
Product	pom	artifactid	swagger-core	Highest
Product	pom	groupid	io.swagger	Highest
Product	pom	name	swagger-core	High
Product	pom	parent-artifactid	swagger-project	Medium
Version	file	version	1.5.0	High
Version	Manifest	implementation-version	1.5.0	High
Version	pom	version	1.5.0	Highest

Identifiers

pkg:maven/io.swagger/swagger-core@1.5.0 (Confidence:High)

File Path: /home/grprdist/.m2/repository/io/swagger/swagger-jaxrs/1.5.0/swagger-jaxrs-1.5.0.jar
MD5: a09d96c899411ac57a479c6635829600
SHA1: 04a77f3f95bfec3073d9d20660c16f54886dfc9f
SHA256:519bc52cbc7d1aef101f89f96059d89f8a6118b2f808163caf79beea445f67bd
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	swagger-jaxrs	High
Vendor	jar	package name	io	Highest
Vendor	jar	package name	jaxrs	Highest
Vendor	jar	package name	swagger	Highest
Vendor	Manifest	mode	development	Low
Vendor	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-jaxrs	Low
Vendor	pom	artifactid	swagger-jaxrs	Highest
Vendor	pom	artifactid	swagger-jaxrs	Low
Vendor	pom	groupid	io.swagger	Highest
Vendor	pom	name	swagger-jaxrs	High
Vendor	pom	parent-artifactid	swagger-project	Low
Product	file	name	swagger-jaxrs	High
Product	jar	package name	io	Highest
Product	jar	package name	jaxrs	Highest
Product	jar	package name	swagger	Highest
Product	Manifest	mode	development	Low
Product	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-jaxrs	Low
Product	pom	artifactid	swagger-jaxrs	Highest
Product	pom	groupid	io.swagger	Highest
Product	pom	name	swagger-jaxrs	High
Product	pom	parent-artifactid	swagger-project	Medium
Version	file	version	1.5.0	High
Version	Manifest	implementation-version	1.5.0	High
Version	pom	version	1.5.0	Highest

Identifiers

pkg:maven/io.swagger/swagger-jaxrs@1.5.0 (Confidence:High)

License:

http://www.apache.org/licenses/LICENSE-2.0.html

File Path: /home/grprdist/.m2/repository/io/swagger/swagger-models/1.5.0/swagger-models-1.5.0.jar
MD5: 5c3d553535fddea14a4e7e87c5fc59fa
SHA1: d2566bfc270073a559b342089f54086ee64ca5b1
SHA256:70ec229c809e595c1aebf7f5b0c9ace148f5e8afa65c6b93f1fa40a82f7107e5
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	swagger-models	High
Vendor	jar	package name	io	Highest
Vendor	jar	package name	models	Highest
Vendor	jar	package name	swagger	Highest
Vendor	Manifest	bundle-symbolicname	io.swagger.models	Medium
Vendor	Manifest	mode	development	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-models	Low
Vendor	pom	artifactid	swagger-models	Highest
Vendor	pom	artifactid	swagger-models	Low
Vendor	pom	groupid	io.swagger	Highest
Vendor	pom	name	swagger-models	High
Vendor	pom	parent-artifactid	swagger-project	Low
Product	file	name	swagger-models	High
Product	jar	package name	io	Highest
Product	jar	package name	models	Highest
Product	jar	package name	swagger	Highest
Product	Manifest	Bundle-Name	swagger-models	Medium
Product	Manifest	bundle-symbolicname	io.swagger.models	Medium
Product	Manifest	mode	development	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	Manifest	url	https://github.com/swagger-api/swagger-core/modules/swagger-models	Low
Product	pom	artifactid	swagger-models	Highest
Product	pom	groupid	io.swagger	Highest
Product	pom	name	swagger-models	High
Product	pom	parent-artifactid	swagger-project	Medium
Version	file	version	1.5.0	High
Version	Manifest	Bundle-Version	1.5.0	High
Version	Manifest	implementation-version	1.5.0	High
Version	pom	version	1.5.0	Highest

Identifiers

pkg:maven/io.swagger/swagger-models@1.5.0 (Confidence:High)

Description:

        TXW is a library that allows you to write XML documents.

File Path: /home/grprdist/.m2/repository/org/glassfish/jaxb/txw2/2.3.1/txw2-2.3.1.jar
MD5: 0fed730907ba86376ef392ee7eb42d5f
SHA1: a09d2c48d3285f206fafbffe0e50619284e92126
SHA256:34975dde1c6920f1a39791142235689bc3cd357e24d05edd8ff93b885bd68d60
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	txw2	High
Vendor	jar	package name	sun	Highest
Vendor	jar	package name	txw	Highest
Vendor	jar	package name	txw2	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar (hint)	package name	oracle	Highest
Vendor	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Vendor	Manifest	Implementation-Vendor	Oracle	High
Vendor	Manifest	Implementation-Vendor-Id	com.oracle	Medium
Vendor	Manifest (hint)	Implementation-Vendor	sun	High
Vendor	pom	artifactid	txw2	Highest
Vendor	pom	artifactid	txw2	Low
Vendor	pom	groupid	org.glassfish.jaxb	Highest
Vendor	pom	name	TXW2 Runtime	High
Vendor	pom	parent-artifactid	jaxb-txw-parent	Low
Vendor	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Product	file	name	txw2	High
Product	jar	package name	sun	Highest
Product	jar	package name	txw	Highest
Product	jar	package name	txw2	Highest
Product	jar	package name	xml	Highest
Product	Manifest	git-revision	ad5fa4c697632694cbcfa80177707db908cd98b2	Low
Product	Manifest	Implementation-Title	TXW Runtime	High
Product	Manifest	specification-title	Java Architecture for XML Binding	Medium
Product	pom	artifactid	txw2	Highest
Product	pom	groupid	org.glassfish.jaxb	Highest
Product	pom	name	TXW2 Runtime	High
Product	pom	parent-artifactid	jaxb-txw-parent	Medium
Product	pom	parent-groupid	com.sun.xml.bind.mvn	Medium
Version	file	version	2.3.1	High
Version	Manifest	build-id	2.3.1	Medium
Version	Manifest	Implementation-Version	2.3.1	High
Version	Manifest	major-version	2.3.1	Medium
Version	pom	version	2.3.1	Highest

Identifiers

pkg:maven/org.glassfish.jaxb/txw2@2.3.1 (Confidence:High)

Description:

      The UnboundID LDAP SDK for Java is a fast, comprehensive, and easy-to-use
      Java API for communicating with LDAP directory servers and performing
      related tasks like reading and writing LDIF, encoding and decoding data
      using base64 and ASN.1 BER, and performing secure communication.  This
      package contains the Standard Edition of the LDAP SDK, which is a
      complete, general-purpose library for communicating with LDAPv3 directory
      servers.

License:

GNU General Public License version 2 (GPLv2): http://www.gnu.org/licenses/gpl-2.0.html
GNU Lesser General Public License version 2.1 (LGPLv2.1): http://www.gnu.org/licenses/lgpl-2.1.html
UnboundID LDAP SDK Free Use License: https://docs.ldap.com/ldap-sdk/docs/LICENSE-UnboundID-LDAPSDK.txt

File Path: /home/grprdist/.m2/repository/com/unboundid/unboundid-ldapsdk/4.0.9/unboundid-ldapsdk-4.0.9.jar
MD5: 9c4684b76cc5354f5af4796e0ae81df5
SHA1: b676202ad7b56718266fda979e280fa955792e1c
SHA256:693bc47a6d311217397f7fd78043272d8b090cec4fe1c8834b31fc9a138f8361
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	unboundid-ldapsdk	High
Vendor	jar	package name	ldap	Highest
Vendor	jar	package name	sdk	Highest
Vendor	jar	package name	unboundid	Highest
Vendor	Manifest	build-time	20181110015704Z	Low
Vendor	Manifest	bundle-copyright	Copyright 2008-2018 Ping Identity Corporation	Low
Vendor	Manifest	bundle-docurl	https://github.com/pingidentity/ldapsdk	Low
Vendor	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.7	Low
Vendor	Manifest	bundle-symbolicname	com.unboundid.ldap.sdk	Medium
Vendor	Manifest	implementation-url	https://github.com/pingidentity/ldapsdk	Low
Vendor	Manifest	Implementation-Vendor	Ping Identity	High
Vendor	Manifest	source-path	/directory/tags/ldapsdk/ldapsdk-4.0.9	Low
Vendor	Manifest	source-revision	29290	Low
Vendor	pom	artifactid	unboundid-ldapsdk	Highest
Vendor	pom	artifactid	unboundid-ldapsdk	Low
Vendor	pom	developer email	neilwilson@pingidentity.com	Low
Vendor	pom	developer id	dirmgr	Medium
Vendor	pom	developer name	Neil Wilson	Medium
Vendor	pom	groupid	com.unboundid	Highest
Vendor	pom	name	UnboundID LDAP SDK for Java	High
Vendor	pom	organization name	Ping Identity Corporation	High
Vendor	pom	organization url	pingidentity/ldapsdk	Medium
Vendor	pom	url	pingidentity/ldapsdk	Highest
Product	file	name	unboundid-ldapsdk	High
Product	jar	package name	ldap	Highest
Product	jar	package name	sdk	Highest
Product	jar	package name	unboundid	Highest
Product	Manifest	build-time	20181110015704Z	Low
Product	Manifest	bundle-copyright	Copyright 2008-2018 Ping Identity Corporation	Low
Product	Manifest	bundle-docurl	https://github.com/pingidentity/ldapsdk	Low
Product	Manifest	Bundle-Name	UnboundID LDAP SDK for Java	Medium
Product	Manifest	bundle-requiredexecutionenvironment	JavaSE-1.7	Low
Product	Manifest	bundle-symbolicname	com.unboundid.ldap.sdk	Medium
Product	Manifest	Implementation-Title	UnboundID LDAP SDK for Java	High
Product	Manifest	implementation-url	https://github.com/pingidentity/ldapsdk	Low
Product	Manifest	source-path	/directory/tags/ldapsdk/ldapsdk-4.0.9	Low
Product	Manifest	source-revision	29290	Low
Product	pom	artifactid	unboundid-ldapsdk	Highest
Product	pom	developer email	neilwilson@pingidentity.com	Low
Product	pom	developer id	dirmgr	Low
Product	pom	developer name	Neil Wilson	Low
Product	pom	groupid	com.unboundid	Highest
Product	pom	name	UnboundID LDAP SDK for Java	High
Product	pom	organization name	Ping Identity Corporation	Low
Product	pom	url	pingidentity/ldapsdk	High
Version	file	version	4.0.9	High
Version	Manifest	Bundle-Version	4.0.9	High
Version	Manifest	Implementation-Version	4.0.9	High
Version	pom	version	4.0.9	Highest

Identifiers

pkg:maven/com.unboundid/unboundid-ldapsdk@4.0.9 (Confidence:High)
cpe:2.3:a:pingidentity:ldapsdk:4.0.9:*:*:*:*:*:*:* (Confidence:Highest)

Description:

        Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256:f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	validation-api	High
Vendor	jar	package name	javax	Highest
Vendor	jar	package name	validation	Highest
Vendor	Manifest	bundle-symbolicname	javax.validation.api	Medium
Vendor	pom	artifactid	validation-api	Highest
Vendor	pom	artifactid	validation-api	Low
Vendor	pom	developer email	emmanuel@hibernate.org	Low
Vendor	pom	developer email	gunnar@hibernate.org	Low
Vendor	pom	developer email	hferents@redhat.com	Low
Vendor	pom	developer id	emmanuelbernard	Medium
Vendor	pom	developer id	epbernard	Medium
Vendor	pom	developer id	gunnar.morling	Medium
Vendor	pom	developer id	hardy.ferentschik	Medium
Vendor	pom	developer name	Emmanuel Bernard	Medium
Vendor	pom	developer name	Gunnar Morling	Medium
Vendor	pom	developer name	Hardy Ferentschik	Medium
Vendor	pom	developer org	JBoss, by Red Hat	Medium
Vendor	pom	groupid	javax.validation	Highest
Vendor	pom	name	Bean Validation API	High
Vendor	pom	url	http://beanvalidation.org	Highest
Product	file	name	validation-api	High
Product	jar	package name	javax	Highest
Product	jar	package name	validation	Highest
Product	Manifest	Bundle-Name	Bean Validation API	Medium
Product	Manifest	bundle-symbolicname	javax.validation.api	Medium
Product	pom	artifactid	validation-api	Highest
Product	pom	developer email	emmanuel@hibernate.org	Low
Product	pom	developer email	gunnar@hibernate.org	Low
Product	pom	developer email	hferents@redhat.com	Low
Product	pom	developer id	emmanuelbernard	Low
Product	pom	developer id	epbernard	Low
Product	pom	developer id	gunnar.morling	Low
Product	pom	developer id	hardy.ferentschik	Low
Product	pom	developer name	Emmanuel Bernard	Low
Product	pom	developer name	Gunnar Morling	Low
Product	pom	developer name	Hardy Ferentschik	Low
Product	pom	developer org	JBoss, by Red Hat	Low
Product	pom	groupid	javax.validation	Highest
Product	pom	name	Bean Validation API	High
Product	pom	url	http://beanvalidation.org	Medium
Version	Manifest	Bundle-Version	1.1.0.Final	High
Version	pom	version	1.1.0.Final	Highest

Identifiers

pkg:maven/javax.validation/validation-api@1.1.0.Final (Confidence:High)

Description:

The Woden project is a subproject of the Apache Web Services Project to    develop a Java class library for reading, manipulating, creating and writing WSDL documents,    initially to support WSDL 2.0 but with the longer term aim of supporting past, present and    future versions of WSDL.    There are two main deliverables: an API and an implementation. The Woden API consists of    a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the    W3C WSDL 2.0 specification. The implementation will be a high performance implementation    directly usable in other Apache projects such as Axis2.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/woden/woden-api/1.0M9/woden-api-1.0M9.jar
MD5: a95da428dca81540f6f387874d27e44d
SHA1: bd81f156f5ff87bc9f398d88932d7cd6f2989312
SHA256:c64fba998cca96b30528f074971e6d0a53c602da9dd56867e759cfd10d5094a9
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	woden-api	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	woden	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.woden.woden-api	Medium
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.woden	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	artifactid	woden-api	Highest
Vendor	pom	artifactid	woden-api	Low
Vendor	pom	groupid	org.apache.woden	Highest
Vendor	pom	name	Woden - API	High
Vendor	pom	parent-artifactid	woden	Low
Product	file	name	woden-api	High
Product	jar	package name	apache	Highest
Product	jar	package name	woden	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Woden - API	Medium
Product	Manifest	bundle-symbolicname	org.apache.woden.woden-api	Medium
Product	Manifest	Implementation-Title	Woden - API	High
Product	Manifest	specification-title	Woden - API	Medium
Product	pom	artifactid	woden-api	Highest
Product	pom	groupid	org.apache.woden	Highest
Product	pom	name	Woden - API	High
Product	pom	parent-artifactid	woden	Medium
Version	Manifest	Implementation-Version	1.0M9	High
Version	pom	version	1.0M9	Highest

Identifiers

pkg:maven/org.apache.woden/woden-api@1.0M9 (Confidence:High)

Description:

The Woden project is a subproject of the Apache Web Services Project to    develop a Java class library for reading, manipulating, creating and writing WSDL documents,    initially to support WSDL 2.0 but with the longer term aim of supporting past, present and    future versions of WSDL.    There are two main deliverables: an API and an implementation. The Woden API consists of    a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the    W3C WSDL 2.0 specification. The implementation will be a high performance implementation    directly usable in other Apache projects such as Axis2.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/woden/woden-impl-commons/1.0M9/woden-impl-commons-1.0M9.jar
MD5: 867bba433148f1ce4dcdf1d4aa1ca77a
SHA1: fb97f4ef2a042aa0ce6393d1792ea21a88149c56
SHA256:cdb7ef3585c42bf59fbd5500d45e0092bbcd1e8a1af4f7fb2d4132e88be69237
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	woden-impl-commons	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	woden	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.woden.woden-impl-commons	Medium
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.woden	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	artifactid	woden-impl-commons	Highest
Vendor	pom	artifactid	woden-impl-commons	Low
Vendor	pom	groupid	org.apache.woden	Highest
Vendor	pom	name	Woden - Commons	High
Vendor	pom	parent-artifactid	woden	Low
Product	file	name	woden-impl-commons	High
Product	jar	package name	apache	Highest
Product	jar	package name	woden	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Woden - Commons	Medium
Product	Manifest	bundle-symbolicname	org.apache.woden.woden-impl-commons	Medium
Product	Manifest	Implementation-Title	Woden - Commons	High
Product	Manifest	specification-title	Woden - Commons	Medium
Product	pom	artifactid	woden-impl-commons	Highest
Product	pom	groupid	org.apache.woden	Highest
Product	pom	name	Woden - Commons	High
Product	pom	parent-artifactid	woden	Medium
Version	Manifest	Implementation-Version	1.0M9	High
Version	pom	version	1.0M9	Highest

Identifiers

pkg:maven/org.apache.woden/woden-impl-commons@1.0M9 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.0:m9:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

Description:

The Woden project is a subproject of the Apache Web Services Project to    develop a Java class library for reading, manipulating, creating and writing WSDL documents,    initially to support WSDL 2.0 but with the longer term aim of supporting past, present and    future versions of WSDL.    There are two main deliverables: an API and an implementation. The Woden API consists of    a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the    W3C WSDL 2.0 specification. The implementation will be a high performance implementation    directly usable in other Apache projects such as Axis2.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/woden/woden-impl-dom/1.0M9/woden-impl-dom-1.0M9.jar
MD5: 3175d1b4b9d712e62f64f518312da5e0
SHA1: ac649d2a2c4fdd49149aefc27164e90f8312bde1
SHA256:16f675b7dc2f98ecc5634a4ba3a7e2a8a78342fb48d30016d38f106c9ca6ca3e
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	woden-impl-dom	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	woden	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.woden.woden-impl-dom	Medium
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.woden	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	artifactid	woden-impl-dom	Highest
Vendor	pom	artifactid	woden-impl-dom	Low
Vendor	pom	groupid	org.apache.woden	Highest
Vendor	pom	name	Woden - DOM	High
Vendor	pom	parent-artifactid	woden	Low
Product	file	name	woden-impl-dom	High
Product	jar	package name	apache	Highest
Product	jar	package name	woden	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Woden - DOM	Medium
Product	Manifest	bundle-symbolicname	org.apache.woden.woden-impl-dom	Medium
Product	Manifest	Implementation-Title	Woden - DOM	High
Product	Manifest	specification-title	Woden - DOM	Medium
Product	pom	artifactid	woden-impl-dom	Highest
Product	pom	groupid	org.apache.woden	Highest
Product	pom	name	Woden - DOM	High
Product	pom	parent-artifactid	woden	Medium
Version	Manifest	Implementation-Version	1.0M9	High
Version	pom	version	1.0M9	Highest

Identifiers

pkg:maven/org.apache.woden/woden-impl-dom@1.0M9 (Confidence:High)

Description:

Woodstox is a high-performance XML processor that
implements Stax (JSR-173) and SAX2 APIs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.1.4/woodstox-core-asl-4.1.4.jar
MD5: c6ad8f9f12dca37f99b6089098c470e9
SHA1: 79b82e7dfd5c24b228ea56456d6adce225259ec4
SHA256:d24cf82fa3f2b30a847036ff4c198dde397e43c4599aef9e93fcbe1e49186bc2
Referenced In Project/Scope:Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	woodstox-core-asl	High
Vendor	jar	package name	stax	Highest
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Vendor	Manifest	bundle-symbolicname	woodstox-core-asl	Medium
Vendor	Manifest	Implementation-Vendor	http://woodstox.codehaus.org	High
Vendor	Manifest	specification-vendor	http://jcp.org/en/jsr/detail?id=173	Low
Vendor	pom	artifactid	woodstox-core-asl	Highest
Vendor	pom	artifactid	woodstox-core-asl	Low
Vendor	pom	groupid	org.codehaus.woodstox	Highest
Vendor	pom	name	Woodstox	High
Vendor	pom	organization name	Codehaus	High
Vendor	pom	organization url	http://www.codehaus.org/	Medium
Vendor	pom	url	http://woodstox.codehaus.org	Highest
Product	file	name	woodstox-core-asl	High
Product	jar	package name	api	Highest
Product	jar	package name	stax	Highest
Product	Manifest	Bundle-Name	Woodstox XML-processor	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Product	Manifest	bundle-symbolicname	woodstox-core-asl	Medium
Product	Manifest	Implementation-Title	Woodstox XML-processor	High
Product	Manifest	specification-title	Stax 1.0 API	Medium
Product	pom	artifactid	woodstox-core-asl	Highest
Product	pom	groupid	org.codehaus.woodstox	Highest
Product	pom	name	Woodstox	High
Product	pom	organization name	Codehaus	Low
Product	pom	organization url	http://www.codehaus.org/	Low
Product	pom	url	http://woodstox.codehaus.org	Medium
Version	file	version	4.1.4	High
Version	Manifest	Bundle-Version	4.1.4	High
Version	Manifest	Implementation-Version	4.1.4	High
Version	pom	version	4.1.4	Highest

Identifiers

pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.1.4 (Confidence:High)

Description:

Woodstox is a high-performance XML processor that
implements Stax (JSR-173) and SAX2 APIs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.2.0/woodstox-core-asl-4.2.0.jar
MD5: ac7e73fcf52654c0642afdfccc7d9f57
SHA1: 7a3784c65cfa5c0553f31d000b43346feb1f4ee3
SHA256:5ccb662b21ed218aaf06fc0a46f8b78338bc4992a236b62b471fa3f2671ed0ae
Referenced In Projects/Scopes:

Grouper WS:runtime
Grouper WS Test:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	woodstox-core-asl	High
Vendor	jar	package name	stax	Highest
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Vendor	Manifest	bundle-symbolicname	woodstox-core-asl	Medium
Vendor	Manifest	Implementation-Vendor	http://woodstox.codehaus.org	High
Vendor	Manifest	specification-vendor	http://jcp.org/en/jsr/detail?id=173	Low
Vendor	pom	artifactid	woodstox-core-asl	Highest
Vendor	pom	artifactid	woodstox-core-asl	Low
Vendor	pom	developer email	tatu@fasterxml.com	Low
Vendor	pom	developer id	cowtowncoder	Medium
Vendor	pom	developer name	Tatu Saloranta	Medium
Vendor	pom	groupid	org.codehaus.woodstox	Highest
Vendor	pom	name	Woodstox	High
Vendor	pom	organization name	Codehaus	High
Vendor	pom	organization url	http://www.codehaus.org/	Medium
Vendor	pom	url	http://woodstox.codehaus.org	Highest
Product	file	name	woodstox-core-asl	High
Product	jar	package name	api	Highest
Product	jar	package name	stax	Highest
Product	Manifest	Bundle-Name	Woodstox XML-processor	Medium
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.4	Low
Product	Manifest	bundle-symbolicname	woodstox-core-asl	Medium
Product	Manifest	Implementation-Title	Woodstox XML-processor	High
Product	Manifest	specification-title	Stax 1.0 API	Medium
Product	pom	artifactid	woodstox-core-asl	Highest
Product	pom	developer email	tatu@fasterxml.com	Low
Product	pom	developer id	cowtowncoder	Low
Product	pom	developer name	Tatu Saloranta	Low
Product	pom	groupid	org.codehaus.woodstox	Highest
Product	pom	name	Woodstox	High
Product	pom	organization name	Codehaus	Low
Product	pom	organization url	http://www.codehaus.org/	Low
Product	pom	url	http://woodstox.codehaus.org	Medium
Version	file	version	4.2.0	High
Version	Manifest	Bundle-Version	4.2.0	High
Version	Manifest	Implementation-Version	4.2.0	High
Version	pom	version	4.2.0	Highest

Identifiers

pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.2.0 (Confidence:High)

Description:

Java stub generator for WSDL

License:

CPL: http://www.opensource.org/licenses/cpl1.0.txt

File Path: /home/grprdist/.m2/repository/wsdl4j/wsdl4j/1.6.2/wsdl4j-1.6.2.jar
MD5: 2608a8ea3f07b0c08de8a7d3d0d3fc09
SHA1: dec1669fb6801b7328e01ad72fc9e10b69ea06c1
SHA256:e90120d26f1a163c5843c7a758d0a0c950d1b0970268ad0770d6c1cc50508c43
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	wsdl4j	High
Vendor	jar	package name	ibm	Highest
Vendor	jar	package name	wsdl	Highest
Vendor	Manifest	Implementation-Vendor	IBM	High
Vendor	Manifest	specification-vendor	IBM (Java Community Process)	Low
Vendor	pom	artifactid	wsdl4j	Highest
Vendor	pom	artifactid	wsdl4j	Low
Vendor	pom	groupid	wsdl4j	Highest
Vendor	pom	name	WSDL4J	High
Vendor	pom	url	http://sf.net/projects/wsdl4j	Highest
Product	file	name	wsdl4j	High
Product	jar	package name	wsdl	Highest
Product	Manifest	Implementation-Title	WSDL4J	High
Product	Manifest	specification-title	JWSDL	Medium
Product	pom	artifactid	wsdl4j	Highest
Product	pom	groupid	wsdl4j	Highest
Product	pom	name	WSDL4J	High
Product	pom	url	http://sf.net/projects/wsdl4j	Medium
Version	file	version	1.6.2	High
Version	pom	version	1.6.2	Highest

Identifiers

pkg:maven/wsdl4j/wsdl4j@1.6.2 (Confidence:High)

Description:

        The Apache WSS4J project provides a Java implementation of the primary security standards 
        for Web Services, namely the OASIS Web Services Security (WS-Security) specifications 
        from the OASIS Web Services Security TC.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/ws/security/wss4j/1.6.19/wss4j-1.6.19.jar
MD5: 924bee104f7c4d2d98a51acbf793b8f7
SHA1: 2d4d36b6a423aa14fd0a57a52ec8f25d3d5dc19a
SHA256:5befd9da5d52ca6b63836ffb1a420741a0556baa996567cb3af2d96c7bbfee28
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	wss4j	High
Vendor	hint analyzer	vendor	web services	Medium
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	security	Highest
Vendor	jar	package name	ws	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.ws.security.wss4j	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	wss4j	Highest
Vendor	pom	artifactid	wss4j	Low
Vendor	pom	groupid	org.apache.ws.security	Highest
Vendor	pom	name	Apache WSS4J	High
Vendor	pom	organization name	The Apache Software Foundation	High
Vendor	pom	organization url	http://www.apache.org/	Medium
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	parent-groupid	org.apache	Medium
Vendor	pom	url	http://ws.apache.org/wss4j/	Highest
Product	file	name	wss4j	High
Product	hint analyzer	product	web services	Medium
Product	jar	package name	apache	Highest
Product	jar	package name	security	Highest
Product	jar	package name	ws	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache WSS4J	Medium
Product	Manifest	bundle-symbolicname	org.apache.ws.security.wss4j	Medium
Product	Manifest	Implementation-Title	Apache WSS4J	High
Product	Manifest	specification-title	Apache WSS4J	Medium
Product	pom	artifactid	wss4j	Highest
Product	pom	groupid	org.apache.ws.security	Highest
Product	pom	name	Apache WSS4J	High
Product	pom	organization name	The Apache Software Foundation	Low
Product	pom	organization url	http://www.apache.org/	Low
Product	pom	parent-artifactid	apache	Medium
Product	pom	parent-groupid	org.apache	Medium
Product	pom	url	http://ws.apache.org/wss4j/	Medium
Version	file	version	1.6.19	High
Version	Manifest	Bundle-Version	1.6.19	High
Version	Manifest	Implementation-Version	1.6.19	High
Version	pom	parent-version	1.6.19	Low
Version	pom	version	1.6.19	Highest

Identifiers

pkg:maven/org.apache.ws.security/wss4j@1.6.19 (Confidence:High)
cpe:2.3:a:apache:wss4j:1.6.19:*:*:*:*:*:*:* (Confidence:Highest)

Description:

    Xalan-Java is an XSLT processor for transforming XML documents into HTML,
    text, or other XML document types. It implements XSL Transformations (XSLT)
    Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
    the command line, in an applet or a servlet, or as a module in other program.

File Path: /home/grprdist/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar
MD5: d43aad24f2c143b675292ccfef487f9c
SHA1: 75f1d83ce27bab5f29fff034fc74aa9f7266f22a
SHA256:55a2e95144acf1abe44fea91c2948525c9b1f00fcaa1d10e753e92872ffbdd1e
Referenced In Project/Scope:Grouper WS Generated Client:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xalan	High
Vendor	jar	package name	and	Highest
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	processor	Highest
Vendor	jar	package name	version	Highest
Vendor	jar	package name	xalan	Highest
Vendor	jar	package name	xml	Highest
Vendor	jar	package name	xpath	Highest
Vendor	jar	package name	xslt	Highest
Vendor	manifest: java_cup/runtime/	Implementation-Vendor	Princeton University	Medium
Vendor	manifest: org/apache/bcel/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/regexp/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xalan/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xalan/xsltc/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xml/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xpath/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	pom	artifactid	xalan	Highest
Vendor	pom	artifactid	xalan	Low
Vendor	pom	groupid	xalan	Highest
Vendor	pom	name	Xalan Java	High
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	parent-groupid	org.apache	Medium
Vendor	pom	url	http://xml.apache.org/xalan-j/	Highest
Product	file	name	xalan	High
Product	jar	package name	and	Highest
Product	jar	package name	apache	Highest
Product	jar	package name	bcel	Highest
Product	jar	package name	code	Highest
Product	jar	package name	expression	Highest
Product	jar	package name	processor	Highest
Product	jar	package name	regexp	Highest
Product	jar	package name	runtime	Highest
Product	jar	package name	version	Highest
Product	jar	package name	xalan	Highest
Product	jar	package name	xml	Highest
Product	jar	package name	xpath	Highest
Product	jar	package name	xslt	Highest
Product	jar	package name	xsltc	Highest
Product	manifest: java_cup/runtime/	Implementation-Title	runtime	Medium
Product	manifest: java_cup/runtime/	Specification-Title	Runtime component of JCup	Medium
Product	manifest: org/apache/bcel/	Implementation-Title	org.apache.bcel	Medium
Product	manifest: org/apache/bcel/	Specification-Title	Byte Code Engineering Library	Medium
Product	manifest: org/apache/regexp/	Implementation-Title	org.apache.regexp	Medium
Product	manifest: org/apache/regexp/	Specification-Title	Java Regular Expression package	Medium
Product	manifest: org/apache/xalan/	Implementation-Title	org.apache.xalan	Medium
Product	manifest: org/apache/xalan/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: org/apache/xalan/xsltc/	Implementation-Title	org.apache.xalan.xsltc	Medium
Product	manifest: org/apache/xalan/xsltc/	Specification-Title	Java API for XML Processing	Medium
Product	manifest: org/apache/xml/	Implementation-Title	org.apache.xml	Medium
Product	manifest: org/apache/xpath/	Implementation-Title	org.apache.xpath	Medium
Product	pom	artifactid	xalan	Highest
Product	pom	groupid	xalan	Highest
Product	pom	name	Xalan Java	High
Product	pom	parent-artifactid	apache	Medium
Product	pom	parent-groupid	org.apache	Medium
Product	pom	url	http://xml.apache.org/xalan-j/	Medium
Version	file	version	2.7.1	High
Version	manifest: java_cup/runtime/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/bcel/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/regexp/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/xalan/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/xalan/xsltc/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/xml/	Implementation-Version	2.7.1	Medium
Version	manifest: org/apache/xpath/	Implementation-Version	2.7.1	Medium
Version	pom	parent-version	2.7.1	Low
Version	pom	version	2.7.1	Highest

Identifiers

pkg:maven/xalan/xalan@2.7.1 (Confidence:High)
cpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2014-0107

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

BID - 66397
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1581058
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674334
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676093
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677145
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21680703
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681933
CONFIRM - http://www.ibm.com/support/docview.wss?uid=swg21677967
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
CONFIRM - https://issues.apache.org/jira/browse/XALANJ-2435
CONFIRM - https://www.tenable.com/security/tns-2018-15
DEBIAN - DSA-2886
GENTOO - GLSA-201604-02
MISC - http://www.ocert.org/advisories/ocert-2014-002.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [tomcat-dev] 20210823 [Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107
MLIST - [tomcat-dev] 20210823 [Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107
N/A - N/A
OSSINDEX - [CVE-2014-0107] CWE-264: Permissions, Privileges, and Access Controls
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107
OSSIndex - https://issues.apache.org/jira/browse/XALANJ-2435
REDHAT - RHSA-2014:0348
REDHAT - RHSA-2014:1351
REDHAT - RHSA-2015:1888
SECTRACK - 1034711
SECTRACK - 1034716
SECUNIA - 57563
SECUNIA - 59036
SECUNIA - 59151
SECUNIA - 59247
SECUNIA - 59290
SECUNIA - 59291
SECUNIA - 59369
SECUNIA - 59515
SECUNIA - 59711
SECUNIA - 60502
XF - apache-xalanjava-cve20140107-sec-bypass(92023)

Vulnerable Software & Versions: (show all)

CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and 
    JAXP interfaces for use in other xml-based projects. Our hope is that we 
    can standardize on both a common version and packaging scheme for these 
    critical XML standards interfaces to make the lives of both our developers 
    and users easier. The External Components portion of xml-commons contains 
    interfaces that are defined by external standards organizations. For DOM, 
    that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for 
    JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip

File Path: /home/grprdist/.m2/repository/xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.jar
MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d
SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3
SHA256:a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad
Referenced In Project/Scope:Grouper WS Generated Client:runtime

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xml-apis	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	dom	Highest
Vendor	jar	package name	sax	Highest
Vendor	jar	package name	version	Highest
Vendor	jar	package name	w3c	Highest
Vendor	jar	package name	xml	Highest
Vendor	manifest: javax/xml/datatype/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/namespace/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/parsers/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/stream/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/transform/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/validation/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: javax/xml/xpath/	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/apache/xmlcommons/Version	Implementation-Vendor	Apache Software Foundation	Medium
Vendor	manifest: org/w3c/dom/	Implementation-Vendor	World Wide Web Consortium	Medium
Vendor	manifest: org/w3c/dom/ls/	Implementation-Vendor	World Wide Web Consortium	Medium
Vendor	manifest: org/xml/sax/	Implementation-Vendor	David Megginson	Medium
Vendor	pom	artifactid	xml-apis	Highest
Vendor	pom	artifactid	xml-apis	Low
Vendor	pom	developer email	commons-dev@xml.apache.org	Low
Vendor	pom	developer id	xml-apis	Medium
Vendor	pom	developer name	Apache Software Foundation	Medium
Vendor	pom	developer org	Apache Software Foundation	Medium
Vendor	pom	developer org URL	http://www.apache.org	Medium
Vendor	pom	groupid	xml-apis	Highest
Vendor	pom	name	XML Commons External Components XML APIs	High
Vendor	pom	url	http://xml.apache.org/commons/components/external/	Highest
Product	file	name	xml-apis	High
Product	jar	package name	apache	Highest
Product	jar	package name	datatype	Highest
Product	jar	package name	document	Highest
Product	jar	package name	dom	Highest
Product	jar	package name	javax	Highest
Product	jar	package name	ls	Highest
Product	jar	package name	namespace	Highest
Product	jar	package name	parsers	Highest
Product	jar	package name	sax	Highest
Product	jar	package name	stax	Highest
Product	jar	package name	stream	Highest
Product	jar	package name	transform	Highest
Product	jar	package name	validation	Highest
Product	jar	package name	version	Highest
Product	jar	package name	w3c	Highest
Product	jar	package name	xml	Highest
Product	jar	package name	xmlcommons	Highest
Product	jar	package name	xpath	Highest
Product	manifest: javax/xml/datatype/	Implementation-Title	javax.xml.datatype	Medium
Product	manifest: javax/xml/datatype/	Specification-Title	Java API for XML Processing (JAXP) 1.4	Medium
Product	manifest: javax/xml/namespace/	Implementation-Title	javax.xml.namespace	Medium
Product	manifest: javax/xml/namespace/	Specification-Title	Java API for XML Processing (JAXP) 1.4	Medium
Product	manifest: javax/xml/parsers/	Implementation-Title	javax.xml.parsers	Medium
Product	manifest: javax/xml/parsers/	Specification-Title	Java API for XML Processing (JAXP) 1.4	Medium
Product	manifest: javax/xml/stream/	Implementation-Title	javax.xml.stream	Medium
Product	manifest: javax/xml/stream/	Specification-Title	Streaming API for XML (StAX) 1.0	Medium
Product	manifest: javax/xml/transform/	Implementation-Title	javax.xml.transform	Medium
Product	manifest: javax/xml/transform/	Specification-Title	Java API for XML Processing (JAXP) 1.4	Medium
Product	manifest: javax/xml/validation/	Implementation-Title	javax.xml.validation	Medium
Product	manifest: javax/xml/validation/	Specification-Title	Java API for XML Processing (JAXP) 1.4	Medium
Product	manifest: javax/xml/xpath/	Implementation-Title	javax.xml.xpath	Medium
Product	manifest: javax/xml/xpath/	Specification-Title	Java API for XML Processing (JAXP) 1.4	Medium
Product	manifest: org/apache/xmlcommons/Version	Implementation-Title	org.apache.xmlcommons.Version	Medium
Product	manifest: org/w3c/dom/	Implementation-Title	org.w3c.dom	Medium
Product	manifest: org/w3c/dom/	Specification-Title	Document Object Model (DOM) Level 3 Core	Medium
Product	manifest: org/w3c/dom/ls/	Implementation-Title	org.w3c.dom.ls	Medium
Product	manifest: org/w3c/dom/ls/	Specification-Title	Document Object Model (DOM) Level 3 Load and Save	Medium
Product	manifest: org/xml/sax/	Implementation-Title	org.xml.sax	Medium
Product	manifest: org/xml/sax/	Specification-Title	Simple API for XML	Medium
Product	pom	artifactid	xml-apis	Highest
Product	pom	developer email	commons-dev@xml.apache.org	Low
Product	pom	developer id	xml-apis	Low
Product	pom	developer name	Apache Software Foundation	Low
Product	pom	developer org	Apache Software Foundation	Low
Product	pom	developer org URL	http://www.apache.org	Low
Product	pom	groupid	xml-apis	Highest
Product	pom	name	XML Commons External Components XML APIs	High
Product	pom	url	http://xml.apache.org/commons/components/external/	Medium
Version	file	version	1.4.01	High
Version	manifest: javax/xml/datatype/	Implementation-Version	1.4.01	Medium
Version	manifest: javax/xml/namespace/	Implementation-Version	1.4.01	Medium
Version	manifest: javax/xml/parsers/	Implementation-Version	1.4.01	Medium
Version	manifest: javax/xml/stream/	Implementation-Version	1.4.01	Medium
Version	manifest: javax/xml/transform/	Implementation-Version	1.4.01	Medium
Version	manifest: javax/xml/validation/	Implementation-Version	1.4.01	Medium
Version	manifest: javax/xml/xpath/	Implementation-Version	1.4.01	Medium
Version	manifest: org/apache/xmlcommons/Version	Implementation-Version	1.4.01	Medium
Version	pom	version	1.4.01	Highest

Identifiers

pkg:maven/xml-apis/xml-apis@1.4.01 (Confidence:High)
cpe:2.3:a:apache:commons_net:1.4.01:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

CWE-20 Improper Input Validation

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* versions up to (excluding) 3.9.0

License:

Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt

File Path: /home/grprdist/.m2/repository/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
MD5: cc57dacc720eca721a50e78934b822d2
SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa
SHA256:34e08ee62116071cbb69c0ed70d15a7a5b208d62798c59f2120bb8929324cb63
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xmlpull	High
Vendor	jar	package name	v1	Low
Vendor	jar	package name	xmlpull	Highest
Vendor	jar	package name	xmlpull	Low
Vendor	pom	artifactid	xmlpull	Highest
Vendor	pom	artifactid	xmlpull	Low
Vendor	pom	groupid	xmlpull	Highest
Vendor	pom	name	XML Pull Parsing API	High
Vendor	pom	url	http://www.xmlpull.org	Highest
Product	file	name	xmlpull	High
Product	jar	package name	v1	Low
Product	jar	package name	xmlpull	Highest
Product	pom	artifactid	xmlpull	Highest
Product	pom	groupid	xmlpull	Highest
Product	pom	name	XML Pull Parsing API	High
Product	pom	url	http://www.xmlpull.org	Medium
Version	file	version	1.1.3.1	High
Version	pom	version	1.1.3.1	Highest

Identifiers

pkg:maven/xmlpull/xmlpull@1.1.3.1 (Confidence:High)

Description:

        Apache XML Security for Java supports XML-Signature Syntax and Processing,
        W3C Recommendation 12 February 2002, and XML Encryption Syntax and
        Processing, W3C Recommendation 10 December 2002. As of version 1.4,
        the library supports the standard Java API JSR-105: XML Digital Signature APIs.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/santuario/xmlsec/1.5.8/xmlsec-1.5.8.jar
MD5: 56b5b9c7aef3270bc9056f5332a5a325
SHA1: d0b5e51f571069a86c9578ec15d6d7f9da8c0e76
SHA256:f5965da6ba78949bc17724c56de70c4aeb2598663f6abb1ece63854ba21713ba
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xmlsec	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	encryption	Highest
Vendor	jar	package name	security	Highest
Vendor	jar	package name	signature	Highest
Vendor	jar	package name	xml	Highest
Vendor	Manifest	bundle-docurl	http://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.santuario.xmlsec	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.santuario	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	xmlsec	Highest
Vendor	pom	artifactid	xmlsec	Low
Vendor	pom	groupid	org.apache.santuario	Highest
Vendor	pom	name	Apache XML Security for Java	High
Vendor	pom	organization name	The Apache Software Foundation	High
Vendor	pom	organization url	http://www.apache.org/	Medium
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	parent-groupid	org.apache	Medium
Vendor	pom	url	http://santuario.apache.org/	Highest
Product	file	name	xmlsec	High
Product	jar	package name	apache	Highest
Product	jar	package name	encryption	Highest
Product	jar	package name	security	Highest
Product	jar	package name	signature	Highest
Product	jar	package name	xml	Highest
Product	Manifest	bundle-docurl	http://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache XML Security for Java	Medium
Product	Manifest	bundle-symbolicname	org.apache.santuario.xmlsec	Medium
Product	Manifest	Implementation-Title	Apache XML Security for Java	High
Product	Manifest	specification-title	Apache XML Security for Java	Medium
Product	pom	artifactid	xmlsec	Highest
Product	pom	groupid	org.apache.santuario	Highest
Product	pom	name	Apache XML Security for Java	High
Product	pom	organization name	The Apache Software Foundation	Low
Product	pom	organization url	http://www.apache.org/	Low
Product	pom	parent-artifactid	apache	Medium
Product	pom	parent-groupid	org.apache	Medium
Product	pom	url	http://santuario.apache.org/	Medium
Version	file	version	1.5.8	High
Version	Manifest	Bundle-Version	1.5.8	High
Version	Manifest	Implementation-Version	1.5.8	High
Version	pom	parent-version	1.5.8	Low
Version	pom	version	1.5.8	Highest

Identifiers

pkg:maven/org.apache.santuario/xmlsec@1.5.8 (Confidence:High)
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.8:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:apache:xml_security_for_java:1.5.8:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2021-40690

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

CWE-200 Information Exposure

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

Description:

XMLTooling-J is a low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar
MD5: 03e3929084aabe1b2a91a191a6932a57
SHA1: 8cf44998d4b9cca5f9eeb47cc95d95cea9f86714
SHA256:b2fb3f2b0c0c62b3aae6d83ccc127b972a0fd64b494fb435fdb4bbbaf329ddbd
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xmltooling	High
Vendor	jar	package name	j	Highest
Vendor	jar	package name	opensaml	Highest
Vendor	manifest: org/opensaml/xml/	Implementation-Vendor	www.opensaml.org	Medium
Vendor	pom	artifactid	xmltooling	Highest
Vendor	pom	artifactid	xmltooling	Low
Vendor	pom	developer id	cantor	Medium
Vendor	pom	developer id	lajoie	Medium
Vendor	pom	developer id	ndk	Medium
Vendor	pom	developer id	putmanb	Medium
Vendor	pom	developer id	rdw	Medium
Vendor	pom	developer name	Brent Putman	Medium
Vendor	pom	developer name	Chad La Joie	Medium
Vendor	pom	developer name	Nate Klingenstein	Medium
Vendor	pom	developer name	Rod Widdowson	Medium
Vendor	pom	developer name	Scott Cantor	Medium
Vendor	pom	developer org	Georgetown University	Medium
Vendor	pom	developer org	Internet2	Medium
Vendor	pom	developer org	Itumi, LLC	Medium
Vendor	pom	developer org	The Ohio State University	Medium
Vendor	pom	developer org	University of Edinburgh	Medium
Vendor	pom	developer org URL	http://itumi.biz	Medium
Vendor	pom	developer org URL	http://www.ed.ac.uk/	Medium
Vendor	pom	developer org URL	http://www.georgetown.edu/	Medium
Vendor	pom	developer org URL	http://www.internet2.edu/	Medium
Vendor	pom	developer org URL	http://www.ohio-state.edu/	Medium
Vendor	pom	groupid	org.opensaml	Highest
Vendor	pom	name	XMLTooling-J	High
Vendor	pom	organization name	Internet2	High
Vendor	pom	organization url	http://www.internet2.edu/	Medium
Vendor	pom	parent-artifactid	parent-v2	Low
Vendor	pom	parent-groupid	net.shibboleth	Medium
Vendor	pom	url	http://opensaml.org/	Highest
Product	file	name	xmltooling	High
Product	jar	package name	encryption	Highest
Product	jar	package name	j	Highest
Product	jar	package name	opensaml	Highest
Product	jar	package name	signature	Highest
Product	jar	package name	xml	Highest
Product	manifest: org/opensaml/xml/	Implementation-Title	xmltooling	Medium
Product	manifest: org/opensaml/xml/encryption/	Specification-Title	XML Encryption Syntax and Processing	Medium
Product	manifest: org/opensaml/xml/signature/	Specification-Title	XML Signature Syntax and Processing	Medium
Product	pom	artifactid	xmltooling	Highest
Product	pom	developer id	cantor	Low
Product	pom	developer id	lajoie	Low
Product	pom	developer id	ndk	Low
Product	pom	developer id	putmanb	Low
Product	pom	developer id	rdw	Low
Product	pom	developer name	Brent Putman	Low
Product	pom	developer name	Chad La Joie	Low
Product	pom	developer name	Nate Klingenstein	Low
Product	pom	developer name	Rod Widdowson	Low
Product	pom	developer name	Scott Cantor	Low
Product	pom	developer org	Georgetown University	Low
Product	pom	developer org	Internet2	Low
Product	pom	developer org	Itumi, LLC	Low
Product	pom	developer org	The Ohio State University	Low
Product	pom	developer org	University of Edinburgh	Low
Product	pom	developer org URL	http://itumi.biz	Low
Product	pom	developer org URL	http://www.ed.ac.uk/	Low
Product	pom	developer org URL	http://www.georgetown.edu/	Low
Product	pom	developer org URL	http://www.internet2.edu/	Low
Product	pom	developer org URL	http://www.ohio-state.edu/	Low
Product	pom	groupid	org.opensaml	Highest
Product	pom	name	XMLTooling-J	High
Product	pom	organization name	Internet2	Low
Product	pom	organization url	http://www.internet2.edu/	Low
Product	pom	parent-artifactid	parent-v2	Medium
Product	pom	parent-groupid	net.shibboleth	Medium
Product	pom	url	http://opensaml.org/	Medium
Version	file	version	1.4.4	High
Version	manifest: org/opensaml/xml/	Implementation-Version	1.4.4	Medium
Version	pom	parent-version	1.4.4	Low
Version	pom	version	1.4.4	Highest

Identifiers

pkg:maven/org.opensaml/xmltooling@1.4.4 (Confidence:High)
cpe:2.3:a:xmltooling_project:xmltooling:1.4.4:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2015-1796 (OSSINDEX)

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

CWE-254 7PK - Security Features

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

OSSINDEX - [CVE-2015-1796] CWE-254
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1796
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1196619
OSSIndex - https://issues.shibboleth.net/jira/browse/JXT-116
OSSIndex - https://shibboleth.net/community/advisories/secadv_20150225.txt
OSSIndex - https://wiki.shibboleth.net/confluence/display/SHIB2/20150225+Security+Advisory+Examples

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.opensaml:xmltooling:1.4.4:*:*:*:*:*:*:*

Description:

XStream is a serialization library from Java objects to XML and back.

License:

BSD-3-Clause

File Path: /home/grprdist/.m2/repository/com/thoughtworks/xstream/xstream/1.4.19/xstream-1.4.19.jar
MD5: eb850b8fe0405670938f7e899ed8630f
SHA1: e0e581d812aa92ae12f07234f3398e06af74b112
SHA256:c9ac93527942189ae89fc9120676358f11ea8f713c635a9f2c70063fe6716634
Referenced In Projects/Scopes:

Grouper WS:compile
Grouper WS Test:compile
Grouper WS Generated Client:compile
Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	xstream	High
Vendor	jar	package name	core	Highest
Vendor	jar	package name	thoughtworks	Highest
Vendor	jar	package name	xstream	Highest
Vendor	Manifest	bundle-docurl	http://x-stream.github.io	Low
Vendor	Manifest	bundle-symbolicname	xstream	Medium
Vendor	Manifest	Implementation-Vendor	XStream	High
Vendor	Manifest	Implementation-Vendor-Id	com.thoughtworks.xstream	Medium
Vendor	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Vendor	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Vendor	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Vendor	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Vendor	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Vendor	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Vendor	Manifest	specification-vendor	XStream	Low
Vendor	Manifest	x-build-os	Linux	Low
Vendor	Manifest	x-build-time	2022-01-29T16:47:16Z	Low
Vendor	Manifest	x-builder	Maven 3.8.3	Low
Vendor	Manifest	x-compile-source	1.4	Low
Vendor	Manifest	x-compile-target	1.4	Low
Vendor	pom	artifactid	xstream	Highest
Vendor	pom	artifactid	xstream	Low
Vendor	pom	groupid	com.thoughtworks.xstream	Highest
Vendor	pom	name	XStream Core	High
Vendor	pom	parent-artifactid	xstream-parent	Low
Product	file	name	xstream	High
Product	jar	package name	core	Highest
Product	jar	package name	io	Highest
Product	jar	package name	thoughtworks	Highest
Product	jar	package name	xml	Highest
Product	jar	package name	xstream	Highest
Product	Manifest	bundle-docurl	http://x-stream.github.io	Low
Product	Manifest	Bundle-Name	XStream Core	Medium
Product	Manifest	bundle-symbolicname	xstream	Medium
Product	Manifest	Implementation-Title	XStream Core	High
Product	Manifest	java_1_4_home	/opt/blackdown-jdk-1.4.2.03	Low
Product	Manifest	java_1_5_home	/opt/sun-jdk-1.5.0.22	Low
Product	Manifest	java_1_6_home	/opt/sun-jdk-1.6.0.45	Low
Product	Manifest	java_1_7_home	/opt/oracle-jdk-bin-1.7.0.80	Low
Product	Manifest	java_1_8_home	/opt/oracle-jdk-bin-1.8.0.202	Low
Product	Manifest	java_9_home	/opt/oracle-jdk-bin-9.0.4	Low
Product	Manifest	specification-title	XStream Core	Medium
Product	Manifest	x-build-os	Linux	Low
Product	Manifest	x-build-time	2022-01-29T16:47:16Z	Low
Product	Manifest	x-builder	Maven 3.8.3	Low
Product	Manifest	x-compile-source	1.4	Low
Product	Manifest	x-compile-target	1.4	Low
Product	pom	artifactid	xstream	Highest
Product	pom	groupid	com.thoughtworks.xstream	Highest
Product	pom	name	XStream Core	High
Product	pom	parent-artifactid	xstream-parent	Medium
Version	file	version	1.4.19	High
Version	Manifest	Bundle-Version	1.4.19	High
Version	Manifest	Implementation-Version	1.4.19	High
Version	pom	version	1.4.19	Highest

Identifiers

pkg:maven/com.thoughtworks.xstream/xstream@1.4.19 (Confidence:High)
cpe:2.3:a:xstream_project:xstream:1.4.19:*:*:*:*:*:*:* (Confidence:Highest)

Published Vulnerabilities

CVE-2022-40151

Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CONFIRM - N/A
CONFIRM - N/A
OSSINDEX - [CVE-2022-40151] CWE-787: Out-of-bounds Write
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40151
OSSIndex - https://github.com/x-stream/xstream/issues/304
OSSIndex - https://github.com/x-stream/xstream/issues/314
OSSIndex - https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm
OSSIndex - https://x-stream.github.io/CVE-2022-40151.html

Vulnerable Software & Versions:

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* versions up to (including) 1.4.19

CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

CWE-787 Out-of-bounds Write

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CONFIRM - N/A
CONFIRM - N/A

Vulnerable Software & Versions:

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* versions up to (including) 1.4.19

CVE-2022-41966

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

CWE-502 Deserialization of Untrusted Data, CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), CWE-121 Stack-based Buffer Overflow

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* versions up to (excluding) 1.4.20

Description:

Java Library to find / apply JSON Patches according to RFC 6902

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/com/flipkart/zjsonpatch/zjsonpatch/0.2.4/zjsonpatch-0.2.4.jar
MD5: ecf257dc37a5bb543456846a4fef6794
SHA1: 1211b0196b3e7db5eac3e4cf1bf338beaa18049b
SHA256:96f42ffb5956379f065b9e2cf79afa8e3bb24153eb31e77cfacc496b1f7eb8de
Referenced In Project/Scope:Grouper WS SCIM:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	zjsonpatch	High
Vendor	jar	package name	flipkart	Highest
Vendor	jar	package name	flipkart	Low
Vendor	jar	package name	zjsonpatch	Highest
Vendor	jar	package name	zjsonpatch	Low
Vendor	pom	artifactid	zjsonpatch	Highest
Vendor	pom	artifactid	zjsonpatch	Low
Vendor	pom	developer email	vishwakarma.iiita@gmail.com	Low
Vendor	pom	developer id	vishwakarma	Medium
Vendor	pom	developer name	Gopi Vishwakarma	Medium
Vendor	pom	groupid	com.flipkart.zjsonpatch	Highest
Vendor	pom	name	zjsonpatch	High
Vendor	pom	url	flipkart-incubator/zjsonpatch/	Highest
Product	file	name	zjsonpatch	High
Product	jar	package name	flipkart	Highest
Product	jar	package name	zjsonpatch	Highest
Product	jar	package name	zjsonpatch	Low
Product	pom	artifactid	zjsonpatch	Highest
Product	pom	developer email	vishwakarma.iiita@gmail.com	Low
Product	pom	developer id	vishwakarma	Low
Product	pom	developer name	Gopi Vishwakarma	Low
Product	pom	groupid	com.flipkart.zjsonpatch	Highest
Product	pom	name	zjsonpatch	High
Product	pom	url	flipkart-incubator/zjsonpatch/	High
Version	file	version	0.2.4	High
Version	pom	version	0.2.4	Highest

Identifiers

pkg:maven/com.flipkart.zjsonpatch/zjsonpatch@0.2.4 (Confidence:High)

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project: Grouper WS Parent

edu.internet2.middleware.grouper:grouper-ws-parent:2.6.0-SNAPSHOT

Summary

Dependencies

FastInfoset-1.2.15.jar

Evidence

Identifiers

XmlSchema-1.4.7.jar

Evidence

Identifiers

Published Vulnerabilities

accessors-smart-2.4.8.jar

Evidence

Identifiers

activation-1.1.1.jar

Evidence

Identifiers

animal-sniffer-annotations-1.9.jar

Evidence

Identifiers

annotations-2.0.1.jar

Evidence

Identifiers

ant-1.10.12.jar

Evidence

Related Dependencies

Identifiers

antlr-2.7.7.jar

Evidence

Identifiers

antlr4-runtime-4.7.1.jar

Evidence

Identifiers

aopalliance-repackaged-2.6.1.jar

Evidence

Identifiers

apache-mime4j-core-0.7.2.jar

Evidence

Identifiers

asm-7.1.jar

Evidence

Identifiers

aws-java-sdk-core-1.12.267.jar

Evidence

Related Dependencies

Identifiers

axiom-api-1.2.15.jar

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

axiom-dom-1.2.14.jar (shaded: org.apache.ws.commons.axiom:axiom-common-impl:1.2.14)

Evidence

Identifiers

Published Vulnerabilities

axiom-dom-1.2.14.jar

Evidence

Identifiers

Published Vulnerabilities

axiom-impl-1.2.15.jar (shaded: org.apache.ws.commons.axiom:core-aspects:1.2.15)

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

axis2-adb-1.6.1.jar

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

axis2-kernel-1.6.4.jar

Evidence

Related Dependencies

Identifiers

axis2-mtompolicy-1.6.3.jar

Evidence

Identifiers

backport-util-concurrent-3.1.jar

Evidence

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor