Hi Chris,
On 7.11.2025 17:43, Christopher Schultz wrote:
> Please provide the detection analysis from OWASP Dependency Checker. I'm
> looking for the "identifiers" that OWASP has used to identify your library.
>
> For example, for commons-beanutils:
>
> Identifiers
>
> pkg:maven/commons-beanutils/[email protected] (Confidence:High)
> cpe:2.3:a:apache:commons_beanutils:1.11.0:*:*:*:*:*:*:*
> (Confidence:Highest)
>
>
> What does it show for el-api.jar?

*TL;DR:* Sathish is most likely using a repackaged version of `el-api.jar`, not the original Tomcat artifact.

I ran OWASP Dependency-Check 12.1.1 against Tomcat 11.0.10 (the same setup as the OP). Dependency-Check identifies el-api.jar with high confidence as:

pkg:maven/org.apache.tomcat/[email protected]

and no other identifiers.

Since Tomcat builds are reproducible, the JAR is easily verifiable by its SHA-1:
https://search.maven.org/solrsearch/select?q=1:0cf38ceee2c2f23aa28dd121253f019a4ad1186a

When I modify the JAR, Dependency-Check falls back to some CPE identifiers, which of course report all CVEs in Tomcat 11.0.10 *and* 6.0.0:

cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:11.0.10:*:*:*:*:*:*:*

Piotr
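The SHA-1 check Piotr describes, scripted as an added example (this is not code from the thread or from the Tomcat project): it hashes a shipped JAR, builds the Maven Central `solrsearch` lookup URL for that hash, and interprets the JSON reply. A hit yields the artifact's package URL, the same identifier form Dependency-Check reports; no hit means the bytes match nothing published, which is the "repackaged or modified JAR" case that makes Dependency-Check fall back to broad CPE matches. The sample replies are constructed, and the artifactId `tomcat-el-api` in them is an assumption, since the purl in the message is obfuscated.

```python
"""Check whether a shipped JAR is byte-identical to a Maven Central artifact.

Hash the file, query Maven Central by SHA-1 (the '1:' field in solrsearch),
and read the reply: a hit gives pkg:maven/<group>/<artifact>@<version>,
an empty reply means the JAR is not the published build.
"""
import hashlib
import json
from urllib.parse import urlencode

MAVEN_SEARCH = "https://search.maven.org/solrsearch/select"


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    """SHA-1 hex digest of a file, streamed so large JARs are not read at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def maven_sha1_query_url(sha1_hex: str) -> str:
    """Maven Central search URL for a SHA-1 lookup, like the one in the message."""
    return MAVEN_SEARCH + "?" + urlencode({"q": f"1:{sha1_hex}", "wt": "json"})


def purls_from_response(body: str) -> list[str]:
    """Turn a solrsearch JSON reply into package URLs (pkg:maven/g/a@v)."""
    docs = json.loads(body).get("response", {}).get("docs", [])
    return [f"pkg:maven/{d['g']}/{d['a']}@{d['v']}" for d in docs]


def classify(body: str) -> tuple[str, list[str]]:
    """'original' when Maven Central knows the hash, else 'repackaged-or-modified'."""
    purls = purls_from_response(body)
    return ("original" if purls else "repackaged-or-modified", purls)


# Constructed sample replies in solrsearch's JSON shape. The artifactId
# tomcat-el-api is an assumption; the message's purl is obfuscated.
SAMPLE_HIT = json.dumps({"response": {"numFound": 1, "docs": [
    {"g": "org.apache.tomcat", "a": "tomcat-el-api", "v": "11.0.10", "p": "jar"}]}})
SAMPLE_MISS = json.dumps({"response": {"numFound": 0, "docs": []}})

if __name__ == "__main__":
    import sys

    jar_sha1 = sha1_of_file(sys.argv[1])
    print("SHA-1:", jar_sha1)
    print("lookup:", maven_sha1_query_url(jar_sha1))
    # A live run would fetch the lookup URL; offline, show both outcomes.
    print("if Maven Central answers with a hit: ", classify(SAMPLE_HIT))
    print("if Maven Central answers with no hit:", classify(SAMPLE_MISS))
```

Run it as `python verify_jar.py lib/el-api.jar`, then open the printed lookup URL (or fetch it and feed the body to `classify`). An `original` result means Dependency-Check will get the precise purl; a miss is the signal to ask where the JAR came from before trusting any CVE list derived from a CPE guess.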
