Sathish,
On 11/6/25 4:17 AM, S Sathish S wrote:
> Issue Description:
> We are experiencing false positive vulnerability alerts when using el-api.jar
> from the official Apache Tomcat distribution
> (https://archive.apache.org/dist/tomcat/tomcat-11/v11.0.10/bin/) and Maven
> repository (https://repo.maven.apache.org/maven2/org/apache/tomcat/) with OWASP
> Dependency Checker.
> However, the identical version of el-api.jar obtained from the javax.el
> repository (https://mvnrepository.com/artifact/javax.el/el-api) produces no
> vulnerability alerts in the same OWASP Dependency Checker analysis.
Please provide the detection analysis from OWASP Dependency Checker. I'm
looking for the "identifiers" that OWASP has used to identify your library.
For example, for commons-beanutils:
Identifiers
pkg:maven/commons-beanutils/commons-beanutils@1.11.0 (Confidence:High)
cpe:2.3:a:apache:commons_beanutils:1.11.0:*:*:*:*:*:*:* (Confidence:Highest)
What does it show for el-api.jar?
-chris