On 07/11/2025 06:28, S Sathish S wrote:
Hi Mark Thomas,
Please find the answer in-line for below query.
There is (still) nothing for the Tomcat team to do here.
And for the record, Tomcat does not repackage the Jakarta Expression
Language API jar; Tomcat maintains its own, TCK compliant, version of
the Expression Language API jar.
Mark
Thanks and Regards,
S Sathish S
-----Original Message-----
From: Mark Thomas <[email protected]>
Sent: 06 November 2025 19:22
To: Tomcat Users List <[email protected]>
Subject: Re: False Positive Vulnerabilities in el-api.jar from Official Apache
Tomcat Distribution
On 06/11/2025 09:17, S Sathish S wrote:
Hi Team,
Issue Description:
We are experiencing false positive vulnerability alerts when using el-api.jar
from the official Apache Tomcat distribution
(https://archive.apache.org/dist/tomcat/tomcat-11/v11.0.10/bin/) and Maven
repository (https://repo.maven.apache.org/maven2/org/apache/tomcat/) with OWASP
Dependency Checker.
If it is a false positive then that is an issue for the OWASP Dependency
Checker.
We have raised a ticket with the OWASP Dependency Checker support team and below is
their response.
https://github.com/dependency-check/DependencyCheck/issues/8096
In any case, since Tomcat repackages the javax.el API as their own jar/bundle
with their own bundle version, it changes the heuristics and makes it hard for
ODC to know if this is part of Tomcat or not. There's really not much that can
be done here with the way ODC heuristics are written right now; you should
manage your own false positive suppression if you want to scan Tomcat
distributions like this.
However, the identical version of el-api.jar obtained from the javax.el
repository (https://mvnrepository.com/artifact/javax.el/el-api) produces no
vulnerability alerts in the same OWASP Dependency Checker analysis.
That is not the official repository for that JAR. You should be using Maven
Central.
If the two Maven repositories below are not official, can you share the official
repository for this jar?
https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.10/
https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat-el-api/11.0.10/
Request:
Please investigate and resolve the metadata or packaging differences causing
these false positive vulnerability reports in the official Apache Tomcat
el-api.jar distribution. This discrepancy is impacting our security analysis
and compliance processes.
You haven't told us what the actual problems are and, even if you did, the Tomcat
committers are unlikely to spend their limited time on fixing an issue in a
third-party tool.
OWASP Dependency Checker analysis reports a false positive vulnerability on
el-api.jar (version 6.0.0) bundled in Apache Tomcat 11.0.10, while the same
el-api.jar (version 6.0.0) taken from the javax.el Maven repository shows no
vulnerability reported.
Expected Outcome:
Alignment of vulnerability scanning results between official Apache Tomcat
distribution and javax.el repository versions of el-api.jar.
You'll have to take that up with the OWASP team.
The responses above are the update.
Mark
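The ODC maintainers' advice quoted in the thread is to manage your own false positive suppression. As an added illustration that is not part of the thread, of Tomcat, or of Dependency-Check itself, here is a suppression file scoped to the tomcat-el-api coordinates from the Maven Central path quoted above; the CVE id and the review date are placeholders, since the thread never names the reported id.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check (not from the
     thread or either project). Coordinates come from the Maven Central path
     quoted on the list; CVE-0000-00000 and the until= date are PLACEHOLDERS. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Scope the rule by package URL so it only matches Tomcat's own EL API
         artifact rather than every jar whose name mentions "el". The version
         part is left open so a Tomcat upgrade keeps the same suppression. -->
    <!-- until= forces the suppression to expire and be re-reviewed, so a
         future, genuine finding against this jar is not masked forever. -->
    <suppress until="2026-05-01">
        <notes><![CDATA[
        Tomcat ships its own TCK-compliant EL API jar; it is not a repackaged
        javax.el artifact (per Mark Thomas on users@). ODC's heuristics
        mis-associate it. Tracked upstream at
        https://github.com/dependency-check/DependencyCheck/issues/8096
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-el\-api@.*$</packageUrl>
        <!-- PLACEHOLDER: add one <cve> element per id the scan actually reports -->
        <cve>CVE-0000-00000</cve>
    </suppress>

</suppressions>
```

Pass the file to the CLI with `--suppression <path>` (or the equivalent plugin setting) and keep it in version control next to the build so the reasoning in `<notes>` travels with the exception.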
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]