Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: Struts 2 TestNG Plugin

Scan Information (show all):

Display: Showing Vulnerable Dependencies (click to show all)

Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence Count
jcommander-1.48.jar com.beust:jcommander:1.48    0 23
bsh-2.0b4.jar cpe:/a:beanshell_project:beanshell:2.0.b4 org.beanshell:bsh:2.0b4  Medium 1 Low 25
testng-6.9.10.jar org.testng:testng:6.9.10    0 28
commons-logging-1.1.3.jar commons-logging:commons-logging:1.1.3    0 36
spring-core-4.1.9.RELEASE.jar cpe:/a:springsource:spring_framework:4.1.9
cpe:/a:vmware:springsource_spring_framework:4.1.9
cpe:/a:pivotal:spring_framework:4.1.9
cpe:/a:pivotal_software:spring_framework:4.1.9
org.springframework:spring-core:4.1.9.RELEASE  Medium 1 Highest 27
freemarker-2.3.26-incubating.jar org.freemarker:freemarker:2.3.26-incubating    0 44
javassist-3.20.0-GA.jar org.javassist:javassist:3.20.0-GA    0 27
ognl-3.1.15.jar cpe:/a:ognl_project:ognl:3.1.15 ognl:ognl:3.1.15    0 Low 22
log4j-api-2.9.1.jar cpe:/a:apache:log4j:2.9.1 org.apache.logging.log4j:log4j-api:2.9.1    0 Low 39
commons-fileupload-1.3.3.jar cpe:/a:apache:commons_fileupload:1.3.3 commons-fileupload:commons-fileupload:1.3.3    0 Low 40
commons-io-2.5.jar commons-io:commons-io:2.5    0 40
commons-lang3-3.6.jar org.apache.commons:commons-lang3:3.6    0 41
struts2-core-2.5.14.1.jar cpe:/a:apache:struts:2.5.14.1 org.apache.struts:struts2-core:2.5.14.1    0 Low 33

Dependencies

jcommander-1.48.jar

Description: A Java framework to parse command line options with annotations.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/com/beust/jcommander/1.48/jcommander-1.48.jar
MD5: 7a84fb4b01f46c904bd549e67e6c48a1
SHA1: bfcb96281ea3b59d626704f74bc6d625ff51cbce
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

bsh-2.0b4.jar

Description: BeanShell

File Path: /home/jenkins/.m2/repository/org/beanshell/bsh/2.0b4/bsh-2.0b4.jar
MD5: a1c60aa83c9c9a6cb2391c1c1b85eb00
SHA1: a05f0a0feefa8d8467ac80e16e7de071489f0d9c
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

  • maven: org.beanshell:bsh:2.0b4    Confidence:Highest
  • cpe: cpe:/a:beanshell_project:beanshell:2.0.b4   Confidence:Low   

CVE-2016-2510  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Handling

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Vulnerable Software & Versions:

testng-6.9.10.jar

Description: Testing framework for Java

License:

Apache  Version 2.0, January 2004
File Path: /home/jenkins/.m2/repository/org/testng/testng/6.9.10/testng-6.9.10.jar
MD5: 83e26cb672a81f5bbda139436ef4d8d0
SHA1: 6feb3e964aeb7097aff30c372aac3ec0f8d87ede
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

commons-logging-1.1.3.jar

Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-logging/commons-logging/1.1.3/commons-logging-1.1.3.jar
MD5: 92eb5aabc1b47287de53d45c086a435c
SHA1: f6f66e966c70a83ffbdb6f17a0919eaf7c8aca7f
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

spring-core-4.1.9.RELEASE.jar

Description: Spring Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/springframework/spring-core/4.1.9.RELEASE/spring-core-4.1.9.RELEASE.jar
MD5: 2b1b2a3af329e583f041bf6e8a8a9feb
SHA1: 85a6d6031c4193d873144496e865b649a874cc47
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

CVE-2016-5007  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Vulnerable Software & Versions: (show all)

freemarker-2.3.26-incubating.jar

Description:  FreeMarker is a "template engine"; a generic tool to generate text output based on templates.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/freemarker/freemarker/2.3.26-incubating/freemarker-2.3.26-incubating.jar
MD5: cbb030d58da59a3c597b65cec837c37e
SHA1: 713237e013f725b72f4f9ec931a49c14b1805359
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

javassist-3.20.0-GA.jar

Description:  Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/jenkins/.m2/repository/org/javassist/javassist/3.20.0-GA/javassist-3.20.0-GA.jar
MD5: a89dd7907d76e061ec2c07e762a74256
SHA1: a9cbcdfb7e9f86fbc74d3afae65f2248bfbf82a0
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

ognl-3.1.15.jar

Description: OGNL - Object Graph Navigation Library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/ognl/ognl/3.1.15/ognl-3.1.15.jar
MD5: 47a2f86e8dcd313d606cc5581e202fe6
SHA1: 8ea2a66fafbf9d6f0353c6fac562a1ddb1bedf13
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

  • maven: ognl:ognl:3.1.15    Confidence:Highest
  • cpe: cpe:/a:ognl_project:ognl:3.1.15   Confidence:Low   

log4j-api-2.9.1.jar

Description: The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar
MD5: 20f0b4e1a16bd2030f0acc2b277cb16f
SHA1: 7a2999229464e7a324aa503c0a52ec0f05efe7bd
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

commons-fileupload-1.3.3.jar

Description:  The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar
MD5: dd77e787b7b5dc56f6a1cb658716d55d
SHA1: 04ff14d809195b711fd6bcc87e6777f886730ca1
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

commons-io-2.5.jar

Description:  The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

commons-lang3-3.6.jar

Description:  Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers

struts2-core-2.5.14.1.jar

Description: Apache Struts 2

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.m2/repository/org/apache/struts/struts2-core/2.5.14.1/struts2-core-2.5.14.1.jar
MD5: 4f5b5fda13e20991d13a18c75010d49b
SHA1: ef575752783dc8f22fade1a3b13330274e7d7f23
Referenced In Project/Scope: Struts 2 TestNG Plugin:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the Node Security Platform.