Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: Putting it all together

au.com.lucidtech.maveninactionwithgithubactions:puttingalltogether:0.0.1-SNAPSHOT

Scan Information:

Summary

Display: Showing Vulnerable Dependencies

Dependency: jackson-core-2.15.0.jar
  Vulnerability IDs: cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.0:*:*:*:*:*:*:*
  Package: pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Low
  Evidence Count: 47

Dependency: jackson-databind-2.15.0.jar
  Vulnerability IDs: cpe:2.3:a:fasterxml:jackson-databind:2.15.0:*:*:*:*:*:*:*
                     cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.0:*:*:*:*:*:*:*
  Package: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 41

Dependency: jakarta.annotation-api-2.1.1.jar
  Vulnerability IDs: cpe:2.3:a:oracle:projects:2.1.1:*:*:*:*:*:*:*
  Package: pkg:maven/jakarta.annotation/jakarta.annotation-api@2.1.1
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Low
  Evidence Count: 42

Dependency: jul-to-slf4j-2.0.7.jar
  Vulnerability IDs: (none)
  Package: pkg:maven/org.slf4j/jul-to-slf4j@2.0.7
  Highest Severity: (none)
  CVE Count: 0
  Confidence: (none)
  Evidence Count: 35

Dependency: log4j-api-2.20.0.jar
  Vulnerability IDs: cpe:2.3:a:apache:log4j:2.20.0:*:*:*:*:*:*:*
  Package: pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 37

Dependency: log4j-to-slf4j-2.20.0.jar
  Vulnerability IDs: (none)
  Package: pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.20.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: (none)
  Evidence Count: 35

Dependency: logback-core-1.4.7.jar
  Vulnerability IDs: cpe:2.3:a:qos:logback:1.4.7:*:*:*:*:*:*:*
  Package: pkg:maven/ch.qos.logback/logback-core@1.4.7
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 36

Dependency: micrometer-commons-1.11.0.jar
  Vulnerability IDs: (none)
  Package: pkg:maven/io.micrometer/micrometer-commons@1.11.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: (none)
  Evidence Count: 65

Dependency: micrometer-observation-1.11.0.jar
  Vulnerability IDs: (none)
  Package: pkg:maven/io.micrometer/micrometer-observation@1.11.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: (none)
  Evidence Count: 65

Dependency: slf4j-api-2.0.7.jar
  Vulnerability IDs: (none)
  Package: pkg:maven/org.slf4j/slf4j-api@2.0.7
  Highest Severity: (none)
  CVE Count: 0
  Confidence: (none)
  Evidence Count: 31

Dependency: snakeyaml-1.33.jar
  Vulnerability IDs: cpe:2.3:a:snakeyaml_project:snakeyaml:1.33:*:*:*:*:*:*:*
  Package: pkg:maven/org.yaml/snakeyaml@1.33
  Highest Severity: CRITICAL
  CVE Count: 1
  Confidence: Highest
  Evidence Count: 40

Dependency: spring-boot-3.1.0.jar
  Vulnerability IDs: cpe:2.3:a:vmware:spring_boot:3.1.0:*:*:*:*:*:*:*
  Package: pkg:maven/org.springframework.boot/spring-boot@3.1.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 38

Dependency: spring-boot-starter-web-3.1.0.jar
  Vulnerability IDs: cpe:2.3:a:vmware:spring_boot:3.1.0:*:*:*:*:*:*:*
                     cpe:2.3:a:web_project:web:3.1.0:*:*:*:*:*:*:*
  Package: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 36

Dependency: spring-core-6.0.9.jar
  Vulnerability IDs: cpe:2.3:a:pivotal_software:spring_framework:6.0.9:*:*:*:*:*:*:*
                     cpe:2.3:a:springsource:spring_framework:6.0.9:*:*:*:*:*:*:*
                     cpe:2.3:a:vmware:spring_framework:6.0.9:*:*:*:*:*:*:*
  Package: pkg:maven/org.springframework/spring-core@6.0.9
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 37

Dependency: spring-web-6.0.9.jar
  Vulnerability IDs: cpe:2.3:a:pivotal_software:spring_framework:6.0.9:*:*:*:*:*:*:*
                     cpe:2.3:a:springsource:spring_framework:6.0.9:*:*:*:*:*:*:*
                     cpe:2.3:a:vmware:spring_framework:6.0.9:*:*:*:*:*:*:*
                     cpe:2.3:a:web_project:web:6.0.9:*:*:*:*:*:*:*
  Package: pkg:maven/org.springframework/spring-web@6.0.9
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 35

Dependency: tomcat-embed-core-10.1.8.jar
  Vulnerability IDs: cpe:2.3:a:apache:tomcat:10.1.8:*:*:*:*:*:*:*
                     cpe:2.3:a:apache_tomcat:apache_tomcat:10.1.8:*:*:*:*:*:*:*
  Package: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.8
  Highest Severity: (none)
  CVE Count: 0
  Confidence: Highest
  Evidence Count: 63

Dependency: tomcat-embed-el-10.1.8.jar
  Vulnerability IDs: (none)
  Package: pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@10.1.8
  Highest Severity: (none)
  CVE Count: 0
  Confidence: (none)
  Evidence Count: 33
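Several CPE matches in the summary are evidence-based mismatches rather than findings: jakarta.annotation-api mapped to cpe:oracle:projects at Low confidence, spring-boot-starter-web and spring-web mapped to web_project:web (an unrelated product), and jackson-core and jackson-databind mapped to jackson-modules-java8. A reviewer confirms each one, then records it in a suppression file so the next scan stays clean without hiding real CVEs. The file below is an added example, not part of this report or of the scanned project; the file name, the notes text and the packageUrl regexes are assumptions, while the sha1 value and CPE names are taken from the report. The suppressions target the mismatched CPE only: CVE-2022-1471 on snakeyaml is a genuine finding and must not be suppressed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name); wired in via the
     dependency-check-maven <suppressionFile> parameter. Schema 1.3 is current. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- jakarta.annotation-api 2.1.1 is not "oracle:projects". Pinning to the
       exact sha1 from the report means the suppression silently stops applying
       when the artifact is upgraded, forcing a fresh review of the new version. -->
  <suppress>
    <notes><![CDATA[
      False positive: Jakarta Annotations API matched to cpe:/a:oracle:projects
      on vendor/product evidence only (confidence Low in the report).
    ]]></notes>
    <sha1>48b9bda22b091b1f48b13af03fe36db3be6e1ae3</sha1>
    <cpe>cpe:/a:oracle:projects</cpe>
  </suppress>

  <!-- spring-boot-starter-web and spring-web are matched to web_project:web
       purely on the word "web". A packageUrl regex covers future versions of
       both artifacts; the <cpe> element limits the suppression to that one
       mismatched CPE, so the legitimate spring_boot / spring_framework
       identifiers keep producing findings. -->
  <suppress>
    <notes><![CDATA[ False positive: Spring web artifacts are not web_project:web ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-web@.*$</packageUrl>
    <cpe>cpe:/a:web_project:web</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[ False positive: Spring web artifacts are not web_project:web ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
    <cpe>cpe:/a:web_project:web</cpe>
  </suppress>

  <!-- jackson-core and jackson-databind are distinct products from the
       jackson-modules-java8 repository; the real jackson-databind CPE is left
       in place so databind CVEs still surface. -->
  <suppress>
    <notes><![CDATA[ False positive: jackson-core/jackson-databind are not jackson-modules-java8 ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-(core|databind)@.*$</packageUrl>
    <cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
  </suppress>

</suppressions>
```

Keep the suppression file in the repository beside the pom so that it is reviewed in pull requests like any other security-relevant change, and prefer sha1-pinned entries for one-off mismatches; reserve regex entries for mappings that will recur on every upgrade of the same artifact.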

Dependencies (vulnerable)

jackson-core-2.15.0.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.15.0/jackson-core-2.15.0.jar
MD5: 884fa0e39483933acc1168184c002bb9
SHA1: 12f334a1dc9c6d2854c43ae314024dde8b3ad572
SHA256: 5b483f68fa9dd6aa37da37d1f79dd5c4b9464238f4f0660a242cb6b5c724950c
Referenced In Project/Scope: Putting it all together:compile
jackson-core-2.15.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

jackson-databind-2.15.0.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.15.0/jackson-databind-2.15.0.jar
MD5: 2cfab8609aef4ef886ec2c8f4167bb24
SHA1: 0d41caa3a4e9f85382702a059a65c512f85ac230
SHA256: 00c5a5d5ae71ac8e8d5b8da606841e2251c806355939cb5d51c4cdc6b644a0dc
Referenced In Project/Scope: Putting it all together:compile
jackson-databind-2.15.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

jakarta.annotation-api-2.1.1.jar

Description:

Jakarta Annotations API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/runner/.m2/repository/jakarta/annotation/jakarta.annotation-api/2.1.1/jakarta.annotation-api-2.1.1.jar
MD5: 5dac2f68e8288d0add4dc92cb161711d
SHA1: 48b9bda22b091b1f48b13af03fe36db3be6e1ae3
SHA256: 5f65fdaf424eee2b55e1d882ba9bb376be93fb09b37b808be6e22e8851c909fe
Referenced In Project/Scope: Putting it all together:compile
jakarta.annotation-api-2.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

jul-to-slf4j-2.0.7.jar

Description:

JUL to SLF4J bridge

License:

http://www.opensource.org/licenses/mit-license.php
File Path: /home/runner/.m2/repository/org/slf4j/jul-to-slf4j/2.0.7/jul-to-slf4j-2.0.7.jar
MD5: 965fd8c7c67bd57eb63b321d0bedf498
SHA1: a48f44aeaa8a5ddc347007298a28173ac1fbbd8b
SHA256: eaba65483bb38c93e68d557a19e5738962322de1946545dbf40e5e32f6293008
Referenced In Project/Scope: Putting it all together:compile
jul-to-slf4j-2.0.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

log4j-api-2.20.0.jar

Description:

The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/logging/log4j/log4j-api/2.20.0/log4j-api-2.20.0.jar
MD5: f9446464667f0139b839b5e9da37f5b9
SHA1: 1fe6082e660daf07c689a89c94dc0f49c26b44bb
SHA256: 2f43eea679ea66f14ca0f13fec2a8600ac124f5a5231dcb4df8393eddcb97550
Referenced In Project/Scope: Putting it all together:compile
log4j-api-2.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

log4j-to-slf4j-2.20.0.jar

Description:

The Apache Log4j binding between Log4j 2 API and SLF4J.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/logging/log4j/log4j-to-slf4j/2.20.0/log4j-to-slf4j-2.20.0.jar
MD5: 11a04aba126ad458aee40988935446a5
SHA1: d37f81f8978e2672bc32c82712ab4b3f66624adc
SHA256: 88e731d7f455da59dfa08769527f87d6c496053a712637df7b999f6977933a2c
Referenced In Project/Scope: Putting it all together:compile
log4j-to-slf4j-2.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

logback-core-1.4.7.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/runner/.m2/repository/ch/qos/logback/logback-core/1.4.7/logback-core-1.4.7.jar
MD5: 9ede7e4dd41876089777578092b713e3
SHA1: a2948dae4013d0e9486141b4d638d8951becb767
SHA256: df743fa8c4e166a2a6b6268aa53697bca95aa674bbfa9cce086f98b166b3c22f
Referenced In Project/Scope: Putting it all together:compile
logback-core-1.4.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

micrometer-commons-1.11.0.jar

Description:

Module containing common code

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/io/micrometer/micrometer-commons/1.11.0/micrometer-commons-1.11.0.jar
MD5: e10666ab145271ab9842f2e6a05318b8
SHA1: 5de5da6be4f01128ab3995acdf86f2844137d4e4
SHA256: 13396babb92318666dd99ee2a47213d6e22b42f65e9617cb749dafec347e69c3
Referenced In Project/Scope: Putting it all together:compile
micrometer-commons-1.11.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

micrometer-observation-1.11.0.jar

Description:

Module containing Observation related code

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/io/micrometer/micrometer-observation/1.11.0/micrometer-observation-1.11.0.jar
MD5: fe74853009e2334c9eaa380c67c286f5
SHA1: b3d1b34d16e7e8fa9087c5d51ec39bc3005e2733
SHA256: 4d933336fbdf87f3281f7c7af30c15ceddfbd2e9f5768c6677e1d383ec2cb841
Referenced In Project/Scope: Putting it all together:compile
micrometer-observation-1.11.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

slf4j-api-2.0.7.jar

Description:

The slf4j API

License:

http://www.opensource.org/licenses/mit-license.php
File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/2.0.7/slf4j-api-2.0.7.jar
MD5: 403dffa46cdd2e3c82da19df4f394a4c
SHA1: 41eb7184ea9d556f23e18b5cb99cad1f8581fc00
SHA256: 5d6298b93a1905c32cda6478808ac14c2d4a47e91535e53c41f7feeb85d946f4
Referenced In Project/Scope: Putting it all together:compile
slf4j-api-2.0.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-test@3.1.0

Identifiers

snakeyaml-1.33.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar
MD5: e0164a637c691c8cf01d29f90a709c02
SHA1: 2cd0a87ff7df953f810c344bdf2fe3340b954c69
SHA256: 11ff459788f0a2d781f56a4a86d7e69202cebacd0273d5269c4ae9f02f3fd8f0
Referenced In Project/Scope: Putting it all together:compile
snakeyaml-1.33.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

CVE-2022-1471  

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:
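The finding above turns on one API choice: `new Yaml()` in snakeyaml 1.33 defaults to `Constructor`, which instantiates whatever class a `!!fully.qualified.Name` tag names, while `SafeConstructor` builds only standard YAML types. The program below is an added illustration, not code from the scanned project or from SnakeYAML's documentation. It assumes snakeyaml 1.33 on the classpath (the version in this report), and the class name, the `UNTRUSTED_DOC` document and the `java.net.URL` tag are constructed for the demonstration; a benign JDK class is used so that the type-instantiation primitive is visible without any side effect.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Added example for CVE-2022-1471: unrestricted type instantiation in snakeyaml 1.33. */
public class SnakeYamlDemo {

    /**
     * Constructed attacker-controlled document. The application expects a plain map of
     * settings, but the global tag names a JDK class the application never asked for.
     */
    static final String UNTRUSTED_DOC =
            "name: demo\n"
          + "endpoint: !!java.net.URL [\"http://example.invalid/\"]\n";

    /** Vulnerable: Constructor honours any global tag (new Yaml() is equivalent in 1.33). */
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(doc);
    }

    /** Hardened: SafeConstructor only builds maps, lists and scalars of standard YAML types. */
    static Object loadSafe(String doc) {
        // snakeyaml 2.x removed the no-arg form; use new SafeConstructor(new LoaderOptions()) there.
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(UNTRUSTED_DOC);
        // Prints "class java.net.URL": the parser instantiated a class chosen by the document author.
        System.out.println("Constructor built: " + unsafe.get("endpoint").getClass());

        try {
            loadSafe(UNTRUSTED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the global tag");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag tag:yaml.org,2002:java.net.URL"
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

Two caveats for the 1.x line. Giving `Constructor` a root type (`new Constructor(Settings.class)`) does not close the hole, because nested nodes with their own `!!` tag are still resolved by class name; only `SafeConstructor`, or 2.x where global tags are rejected unless a `TagInspector` allows them, restricts instantiation. For this project the dependency arrives transitively through spring-boot-starter-web at the version Spring Boot 3.1.0 manages, so the upgrade the advisory recommends is done by overriding the parent POM's `snakeyaml.version` property and re-running the scan, rather than by declaring snakeyaml directly.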

spring-boot-3.1.0.jar

Description:

Spring Boot

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot/3.1.0/spring-boot-3.1.0.jar
MD5: 3173120483925953046c79c73a7c15a9
SHA1: efa941e9a2162a3dd8c5e4679f46a24af9e5769f
SHA256: 461ab8232b341503193e4be4dc42935825d271277054ee1a9c41214aa329812a
Referenced In Project/Scope: Putting it all together:compile
spring-boot-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

spring-boot-starter-web-3.1.0.jar

Description:

Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-web/3.1.0/spring-boot-starter-web-3.1.0.jar
MD5: 730fdfacb52222822d8dba1925437132
SHA1: 36a8666047ea49114e0974bece35e2ef68cf975f
SHA256: fa39805420a740019c72173d81f81936de38646a949a897726e616a2efa59d31
Referenced In Project/Scope: Putting it all together:compile
spring-boot-starter-web-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/au.com.lucidtech.maveninactionwithgithubactions/puttingalltogether@0.0.1-SNAPSHOT

Identifiers

spring-core-6.0.9.jar

Description:

Spring Core

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/spring-core/6.0.9/spring-core-6.0.9.jar
MD5: 4efa3cfffd3e6f6bf25b0c667df9fca1
SHA1: 284ed111fa0b49b29f6fea6ac0afa402b809e427
SHA256: 9345035b47f5c981047436dbb4f63c6c6976fba9751a6f2a7b47e63a2da9f29f
Referenced In Project/Scope: Putting it all together:compile
spring-core-6.0.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-test@3.1.0

Identifiers

spring-web-6.0.9.jar

Description:

Spring Web

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/spring-web/6.0.9/spring-web-6.0.9.jar
MD5: 8f6decc9821673e04d6c86ba7e98e1ec
SHA1: 2837dec8a75ecfdad367d6c30ce9cbdfc89caa7a
SHA256: 80a8067b767e4ecc30419e520cd690cdc1471157a59e9351c516cc7829df5b1a
Referenced In Project/Scope: Putting it all together:compile
spring-web-6.0.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

tomcat-embed-core-10.1.8.jar

Description:

Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.8/tomcat-embed-core-10.1.8.jar
MD5: 6205f6802e5f49dd8c48342087ab88ba
SHA1: ec4b884806c65c80c86bb3db134f6f6f99e79ed8
SHA256: c47a4de2f31abdea3c4b22986fb21ec8a384bcc85772f374eab652c2852e307f
Referenced In Project/Scope: Putting it all together:compile
tomcat-embed-core-10.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers

tomcat-embed-el-10.1.8.jar

Description:

Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/10.1.8/tomcat-embed-el-10.1.8.jar
MD5: fb287df0e823d7f211a58d31fe9edfd8
SHA1: 6f3a4ae2ae37270eeb6e9bec4e7207facdc9e8fa
SHA256: 96066b154994aa6e41a0b44e3c15804dfc5ce941246561f23099ca9640b49dc9
Referenced In Project/Scope: Putting it all together:compile
tomcat-embed-el-10.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.0

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.