Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 7.1.2
Report Generated On: Wed, 18 Oct 2023 11:52:25 GMT
Dependencies Scanned: 2 (1 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
...
NVD CVE Checked: 2023-10-18T11:23:27
NVD CVE Modified: 2023-10-18T10:00:01
VersionCheckOn: 2023-10-18T11:23:27

Summary

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
log4j-core-2.17.1.jar	cpe:2.3:a:apache:log4j:2.17.1:::::::*	pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1		0	Highest	50

Dependencies

log4j-core-2.17.1.jar

Description:

The Apache Log4j Implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/grprdist/.m2/repository/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
MD5: 8d2f5c52700336dae846b2c3ecde7a6e
SHA1: 779f60f3844dadc3ef597976fcb1e5127b1f343d
SHA256:c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41
Referenced In Project/Scope:Grouper Installer:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	log4j-core	High
Vendor	jar	package name	apache	Highest
Vendor	jar	package name	core	Highest
Vendor	jar	package name	log4j	Highest
Vendor	jar	package name	logging	Highest
Vendor	jar	package name	org	Highest
Vendor	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Vendor	Manifest	bundle-docurl	https://www.apache.org/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Vendor	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache.logging.log4j	Medium
Vendor	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Vendor	Manifest	log4jreleasemanager	Matt Sicker	Low
Vendor	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Vendor	Manifest	multi-release	true	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	artifactid	log4j-core	Highest
Vendor	pom	artifactid	log4j-core	Low
Vendor	pom	groupid	org.apache.logging.log4j	Highest
Vendor	pom	name	Apache Log4j Core	High
Vendor	pom	parent-artifactid	log4j	Low
Product	file	name	log4j-core	High
Product	jar	package name	apache	Highest
Product	jar	package name	core	Highest
Product	jar	package name	log4j	Highest
Product	jar	package name	logging	Highest
Product	jar	package name	org	Highest
Product	Manifest	automatic-module-name	org.apache.logging.log4j.core	Medium
Product	Manifest	bundle-docurl	https://www.apache.org/	Low
Product	Manifest	Bundle-Name	Apache Log4j Core	Medium
Product	Manifest	bundle-symbolicname	org.apache.logging.log4j.core	Medium
Product	Manifest	Implementation-Title	Apache Log4j Core	High
Product	Manifest	implementation-url	https://logging.apache.org/log4j/2.x/log4j-core/	Low
Product	Manifest	log4jreleasekey	D7C92B70FA1C814D	Low
Product	Manifest	log4jreleasemanager	Matt Sicker	Low
Product	Manifest	log4jsigningusername	mattsicker@apache.org	Medium
Product	Manifest	multi-release	true	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"	Low
Product	Manifest	specification-title	Apache Log4j Core	Medium
Product	pom	artifactid	log4j-core	Highest
Product	pom	groupid	org.apache.logging.log4j	Highest
Product	pom	name	Apache Log4j Core	High
Product	pom	parent-artifactid	log4j	Medium
Version	file	version	2.17.1	High
Version	Manifest	Bundle-Version	2.17.1	High
Version	Manifest	Implementation-Version	2.17.1	High
Version	Manifest	log4jreleaseversion	2.17.1	Medium
Version	pom	version	2.17.1	Highest

Related Dependencies

Identifiers

pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1 (Confidence:High)
cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:* (Confidence:Highest)

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor

Project: Grouper Installer

edu.internet2.middleware.grouper:grouper-installer:4.0.0-SNAPSHOT

Summary

Dependencies

log4j-core-2.17.1.jar

Evidence

Related Dependencies

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project: Grouper Installer

edu.internet2.middleware.grouper:grouper-installer:4.0.0-SNAPSHOT

Summary

Dependencies

log4j-core-2.17.1.jar

Evidence

Related Dependencies

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor