Hi Mark Thomas,

Please find the answers in-line for the query below.

Thanks and Regards,
S Sathish S

-----Original Message-----
From: Mark Thomas <[email protected]>
Sent: 06 November 2025 19:22
To: Tomcat Users List <[email protected]>
Subject: Re: False Positive Vulnerabilities in el-api.jar from Official Apache Tomcat Distribution

> On 06/11/2025 09:17, S Sathish S wrote:
>> Hi Team,
>>
>> Issue Description:
>> We are experiencing false positive vulnerability alerts when using el-api.jar
>> from the official Apache Tomcat distribution
>> (https://archive.apache.org/dist/tomcat/tomcat-11/v11.0.10/bin/) and Maven
>> repository (https://repo.maven.apache.org/maven2/org/apache/tomcat/) with
>> OWASP Dependency .
>
> If it is a false positive then that is an issue for the OWASP Dependency
> Checker.

We have raised a ticket with the OWASP Dependency Checker support team and below is their response:
https://github.com/dependency-check/DependencyCheck/issues/8096

"In any case, since tomcat repackage the java.el API as their own jar/bundle with their own bundle version, it changes the heuristics and makes it hard for ODC to know if this is part of Tomcat or not. There's really not much that can be done here with the way ODC heuristics are written right now - you should manage your own false positive suppression if you want to scan Tomcat distributions like this."

>> However, the identical version of el-api.jar obtained from the javax.el
>> repository (https://mvnrepository.com/artifact/javax.el/el-api) produces no
>> vulnerability alerts in the same OWASP Dependency Checker analysis.
>
> That is not the official repository for that JAR. You should be using Maven
> Central.

If the two Maven repositories below are not official, then can you share the official repository for this JAR?
https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.10/
https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat-el-api/11.0.10/

>> Request:
>> Please investigate and resolve the metadata or packaging differences causing
>> these false positive vulnerability reports in the official Apache Tomcat
>> el-api.jar distribution. This discrepancy is impacting our security analysis
>> and compliance processes.
>
> You haven't told us what the actual problems are and, even if you did, the
> Tomcat committers are unlikely to spend their limited time on fixing an issue
> in a third-party tool.

The OWASP Dependency Checker analysis reports a false positive vulnerability on el-api.jar (version 6.0.0), which is bundled in Apache Tomcat 11.0.10, while the same el-api.jar (version 6.0.0) taken from the javax.el Maven repository shows no vulnerability reported.

>> Expected Outcome:
>> Alignment of vulnerability scanning results between official Apache Tomcat
>> distribution and javax.el repository versions of el-api.jar.
>
> You'll have to take that up with the OWASP team.

The above responses are my update.

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
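As an added example (not from the thread, nor from the Tomcat or Dependency-Check projects), this is the shape of the "own false positive suppression" the ODC maintainers point to: a Dependency-Check suppression file that unlinks the repackaged EL API from the Tomcat server CPE instead of silencing individual CVEs. The `packageUrl` and `filePath` selectors, the `cpe:/a:apache:tomcat` match and the expiry date are assumptions based on the Maven coordinates and distribution layout discussed above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Suppression file for OWASP Dependency-Check;
     pass it via the CLI option "suppression" or the Maven plugin's suppressionFiles setting. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Case 1: tomcat-el-api pulled from Maven Central (assumed purl from the coordinates above).
         Scope the rule to this one artifact, not the whole org.apache.tomcat group, so findings
         against the real Tomcat server artifacts still surface. -->
    <suppress until="2026-05-01Z">
        <notes><![CDATA[
        Assumed false positive: ODC identifies the repackaged EL API bundle as the Tomcat server
        itself (see dependency-check issue #8096). Suppress the wrong CPE match rather than
        individual CVEs, and time-box it so the rule is re-reviewed instead of hiding a later issue.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-el\-api@11\.0\.10$</packageUrl>
        <cpe>cpe:/a:apache:tomcat</cpe>
    </suppress>

    <!-- Case 2: el-api.jar scanned straight out of the binary distribution, where Maven
         coordinates may be unavailable, so match on the file path instead (path assumed). -->
    <suppress until="2026-05-01Z">
        <notes><![CDATA[
        Same assumed false positive for the el-api.jar shipped in the Tomcat 11.0.10 lib directory.
        Prefer the sha1 selector over filePath once the jar's hash is known, so only the verified
        binary is exempted.
        ]]></notes>
        <filePath regex="true">.*[/\\]apache-tomcat-11\.0\.10[/\\]lib[/\\]el-api\.jar$</filePath>
        <cpe>cpe:/a:apache:tomcat</cpe>
    </suppress>

</suppressions>
```

Keep the file in version control next to the scan configuration and check after each upgrade of Tomcat or Dependency-Check whether the rule is still needed.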
