Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information:
dependency-check version: 6.1.5
Report Generated On: Tue, 8 Mar 2022 15:37:57 GMT
Dependencies Scanned: 133 (133 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 268
NVD CVE Checked: 2022-03-08T15:09:44
NVD CVE Modified: 2022-03-08T13:00:01
VersionCheckOn: 2022-02-08T12:05:57

Summary
Display: Showing Vulnerable Dependencies

Dependencies

annotations-17.0.0.jar
Description:
A set of annotations used for code inspection support and code documentation.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/jetbrains/annotations/17.0.0/annotations-17.0.0.jar
MD5: 7b06437ed47fa7b4a8ec8909f4fb9022
SHA1: 8ceead41f4e71821919dbdb7a9847608f1a938cb
SHA256: 195fb0da046d55bb042e91543484cf1da68b02bb7afbfe031f229e45ac84b3f2
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | automatic-module-name | org.jetbrains.annotations | Medium
Vendor | jar | package name | annotations | Highest
Vendor | jar | package name | jetbrains | Highest
Vendor | pom | groupid | jetbrains | Highest
Vendor | pom | artifactid | annotations | Low
Vendor | pom | name | JetBrains Java Annotations | High
Vendor | file | name | annotations | High
Vendor | pom | groupid | org.jetbrains | Highest
Vendor | pom | url | JetBrains/java-annotations | Highest
Product | pom | url | JetBrains/java-annotations | High
Product | pom | artifactid | annotations | Highest
Product | Manifest | automatic-module-name | org.jetbrains.annotations | Medium
Product | jar | package name | annotations | Highest
Product | jar | package name | jetbrains | Highest
Product | pom | groupid | jetbrains | Highest
Product | pom | name | JetBrains Java Annotations | High
Product | file | name | annotations | High
Version | file | version | 17.0.0 | High
Version | pom | version | 17.0.0 | Highest
apache-mime4j-0.6.jar
Description:
Java stream based MIME message parser
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/jenkins/.mvnrepository/org/apache/james/apache-mime4j/0.6/apache-mime4j-0.6.jar
MD5: e90fb1ab3f8145ad00def6359da22faf
SHA1: 945007627e8d12275d755081a9e609c018e1210d
SHA256: fd7dde90195ba1aea3cfacb95b3022b2499adf676d1bc896d0fa5c257b596c6c
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | mime4j | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.james.apache-mime4j | Medium
Vendor | Manifest | url | http://james.apache.org/mime4j | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | groupid | org.apache.james | Highest
Vendor | jar | package name | message | Highest
Vendor | pom | url | http://james.apache.org/mime4j | Highest
Vendor | pom | parent-groupid | org.apache.james | Medium
Vendor | jar | package name | parser | Highest
Vendor | file | name | apache-mime4j | High
Vendor | pom | name | Apache JAMES Mime4j | High
Vendor | pom | artifactid | apache-mime4j | Low
Vendor | pom | parent-artifactid | james-project | Low
Vendor | jar | package name | james | Highest
Vendor | Manifest | originally-created-by | 1.6.0_10 (Sun Microsystems Inc.) | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | pom | groupid | apache.james | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | bundle-docurl | http://www.apache.org | Low
Product | pom | artifactid | apache-mime4j | Highest
Product | jar | package name | mime4j | Highest
Product | Manifest | bundle-symbolicname | org.apache.james.apache-mime4j | Medium
Product | Manifest | url | http://james.apache.org/mime4j | Low
Product | jar | package name | apache | Highest
Product | jar | package name | message | Highest
Product | jar | package name | parser | Highest
Product | pom | parent-groupid | org.apache.james | Medium
Product | Manifest | Implementation-Title | Apache Mime4j | High
Product | file | name | apache-mime4j | High
Product | pom | parent-artifactid | james-project | Medium
Product | pom | name | Apache JAMES Mime4j | High
Product | Manifest | Bundle-Name | Apache JAMES Mime4j | Medium
Product | jar | package name | james | Highest
Product | Manifest | originally-created-by | 1.6.0_10 (Sun Microsystems Inc.) | Low
Product | Manifest | specification-title | Apache Mime4j | Medium
Product | pom | url | http://james.apache.org/mime4j | Medium
Product | pom | groupid | apache.james | Highest
Product | Manifest | bundle-docurl | http://www.apache.org | Low
Version | pom | version | 0.6 | Highest
Version | pom | parent-version | 0.6 | Low
Version | file | version | 0.6 | High
Version | Manifest | Bundle-Version | 0.6 | High
Version | Manifest | Implementation-Version | 0.6 | High
arc-1.13.7.Final.jar
File Path: /home/jenkins/.mvnrepository/io/quarkus/arc/arc/1.13.7.Final/arc-1.13.7.Final.jar
MD5: 7fb241ef8cd6c9b51d5317c694e013f0
SHA1: e40d0d14b2d9e8825bd6429c69e150f5b05b549d
SHA256: 9ae5d30d3257efd1cafa2a59ebad62434a65dcc2c2e1e1053663d4e4e30e18a0
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | pom | groupid | io.quarkus.arc | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | parent-artifactid | arc-parent | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | name | ArC - Runtime | High
Vendor | file | name | arc | High
Vendor | jar | package name | io | Highest
Vendor | jar | package name | arc | Highest
Vendor | pom | artifactid | arc | Low
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | Manifest | os-name | Linux | Medium
Vendor | Manifest | implementation-url | http://www.jboss.org/arc-parent/arc | Low
Product | jar | package name | quarkus | Highest
Product | Manifest | specification-title | ArC - Runtime | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | groupid | io.quarkus.arc | Highest
Product | Manifest | os-arch | amd64 | Low
Product | pom | name | ArC - Runtime | High
Product | file | name | arc | High
Product | jar | package name | arc | Highest
Product | jar | package name | io | Highest
Product | pom | parent-artifactid | arc-parent | Medium
Product | Manifest | Implementation-Title | ArC - Runtime | High
Product | pom | artifactid | arc | Highest
Product | Manifest | os-name | Linux | Medium
Product | Manifest | implementation-url | http://www.jboss.org/arc-parent/arc | Low
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
automaton-1.11-8.jar
Description:
A DFA/NFA (finite-state automata) implementation with Unicode alphabet (UTF16) and support for the standard regular expression operations (concatenation, union, Kleene star) and a number of non-standard ones (intersection, complement, etc.)
License:
BSD: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/jenkins/.mvnrepository/dk/brics/automaton/automaton/1.11-8/automaton-1.11-8.jar
MD5: 3467dcbbba2fe68a4e07a5826988e034
SHA1: 6ebfa65eb431ff4b715a23be7a750cbc4cc96d0f
SHA256: a24475f6ccfe1cc7a4fe9e34e05ce687b0ce0c6e8cb781e0eced3b186482c61e
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.brics.dk/automaton/ | Highest
Vendor | file | name | automaton | High
Vendor | jar | package name | dk | Low
Vendor | jar | package name | state | Highest
Vendor | jar | package name | brics | Low
Vendor | jar | package name | automaton | Highest
Vendor | pom | name | Automaton | High
Vendor | pom | groupid | dk.brics.automaton | Highest
Vendor | jar | package name | brics | Highest
Vendor | pom | artifactid | automaton | Low
Vendor | jar | package name | automaton | Low
Vendor | jar | package name | dk | Highest
Product | jar | package name | automaton | Highest
Product | pom | artifactid | automaton | Highest
Product | pom | name | Automaton | High
Product | file | name | automaton | High
Product | pom | groupid | dk.brics.automaton | Highest
Product | jar | package name | brics | Highest
Product | pom | url | http://www.brics.dk/automaton/ | Medium
Product | jar | package name | state | Highest
Product | jar | package name | automaton | Low
Product | jar | package name | brics | Low
Product | jar | package name | dk | Highest
Version | pom | version | 1.11-8 | Highest
bcpkix-jdk15on-1.68.jar
Description:
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/jenkins/.mvnrepository/org/bouncycastle/bcpkix-jdk15on/1.68/bcpkix-jdk15on-1.68.jar
MD5: 37e058210e056a04d4521d8185fb0051
SHA1: 81da950604ff0b2652348cbd2b48fde46ced9867
SHA256: fb8d0f8f673ad6e16c604732093d7aa31b26ff4e0bd9cae1d7f99984c06b8a0f
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | eac | Highest
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Vendor | pom | groupid | bouncycastle | Highest
Vendor | jar | package name | pkcs | Highest
Vendor | jar | package name | tsp | Highest
Vendor | Manifest | automatic-module-name | org.bouncycastle.pkix | Medium
Vendor | Manifest | bundle-symbolicname | bcpkix | Medium
Vendor | Manifest | application-name | Bouncy Castle PKIX API | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | Manifest | codebase | * | Low
Vendor | Manifest | application-library-allowable-codebase | * | Low
Vendor | pom | artifactid | bcpkix-jdk15on | Low
Vendor | Manifest | multi-release | true | Low
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | Manifest | trusted-library | true | Low
Vendor | Manifest | extension-name | org.bouncycastle.bcpkix | Medium
Vendor | jar | package name | crmf | Highest
Vendor | pom | name | Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs | High
Vendor | jar | package name | cms | Highest
Vendor | file | name | bcpkix-jdk15on | High
Vendor | jar | package name | bouncycastle | Highest
Vendor | Manifest | originally-created-by | 25.275-b01 (Private Build) | Low
Vendor | Manifest | caller-allowable-codebase | * | Low
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | jar | package name | pkix | Highest
Vendor | Manifest | permissions | all-permissions | Low
Vendor | jar | package name | cmp | Highest
Vendor | jar | package name | ocsp | Highest
Product | jar | package name | eac | Highest
Product | pom | groupid | bouncycastle | Highest
Product | jar | package name | pkcs | Highest
Product | jar | package name | tsp | Highest
Product | Manifest | automatic-module-name | org.bouncycastle.pkix | Medium
Product | Manifest | bundle-symbolicname | bcpkix | Medium
Product | Manifest | application-name | Bouncy Castle PKIX API | Medium
Product | pom | url | http://www.bouncycastle.org/java.html | Medium
Product | pom | artifactid | bcpkix-jdk15on | Highest
Product | Manifest | codebase | * | Low
Product | Manifest | application-library-allowable-codebase | * | Low
Product | Manifest | multi-release | true | Low
Product | Manifest | trusted-library | true | Low
Product | Manifest | Bundle-Name | bcpkix | Medium
Product | Manifest | extension-name | org.bouncycastle.bcpkix | Medium
Product | jar | package name | crmf | Highest
Product | pom | name | Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs | High
Product | jar | package name | cms | Highest
Product | file | name | bcpkix-jdk15on | High
Product | jar | package name | bouncycastle | Highest
Product | Manifest | originally-created-by | 25.275-b01 (Private Build) | Low
Product | Manifest | caller-allowable-codebase | * | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | jar | package name | pkix | Highest
Product | Manifest | permissions | all-permissions | Low
Product | jar | package name | cmp | Highest
Product | jar | package name | ocsp | Highest
Version | pom | version | 1.68 | Highest
Version | Manifest | Bundle-Version | 1.68 | High
Version | file | version | 1.68 | High
bcprov-jdk15on-1.68.jar
Description:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/jenkins/.mvnrepository/org/bouncycastle/bcprov-jdk15on/1.68/bcprov-jdk15on-1.68.jar
MD5: f34043ac8be2793843364b4406a15543
SHA1: 46a080368d38b428d237a59458f9bc915222894d
SHA256: f732a46c8de7e2232f2007c682a21d1f4cc8a8a0149b6b7bd6aa1afdc65a0f8d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | pom | name | Bouncy Castle Provider | High
Vendor | jar | package name | provider | Highest
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Vendor | pom | groupid | bouncycastle | Highest
Vendor | Manifest | bundle-symbolicname | bcprov | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | Manifest | automatic-module-name | org.bouncycastle.provider | Medium
Vendor | Manifest | codebase | * | Low
Vendor | Manifest | application-library-allowable-codebase | * | Low
Vendor | Manifest | multi-release | true | Low
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | Manifest | trusted-library | true | Low
Vendor | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Vendor | jar | package name | org | Highest
Vendor | jar | package name | bouncycastle | Highest
Vendor | Manifest | originally-created-by | 25.275-b01 (Private Build) | Low
Vendor | Manifest | application-name | Bouncy Castle Provider | Medium
Vendor | Manifest | caller-allowable-codebase | * | Low
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | file | name | bcprov-jdk15on | High
Vendor | jar | package name | jce | Highest
Vendor | pom | artifactid | bcprov-jdk15on | Low
Vendor | Manifest | permissions | all-permissions | Low
Vendor | jar | package name | crypto | Highest
Product | pom | artifactid | bcprov-jdk15on | Highest
Product | pom | name | Bouncy Castle Provider | High
Product | jar | package name | provider | Highest
Product | pom | groupid | bouncycastle | Highest
Product | Manifest | bundle-symbolicname | bcprov | Medium
Product | Manifest | Bundle-Name | bcprov | Medium
Product | pom | url | http://www.bouncycastle.org/java.html | Medium
Product | hint analyzer | product | legion-of-the-bouncy-castle-java-crytography-api | High
Product | Manifest | automatic-module-name | org.bouncycastle.provider | Medium
Product | Manifest | codebase | * | Low
Product | Manifest | application-library-allowable-codebase | * | Low
Product | Manifest | multi-release | true | Low
Product | Manifest | trusted-library | true | Low
Product | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Product | jar | package name | org | Highest
Product | jar | package name | bouncycastle | Highest
Product | Manifest | originally-created-by | 25.275-b01 (Private Build) | Low
Product | Manifest | application-name | Bouncy Castle Provider | Medium
Product | Manifest | caller-allowable-codebase | * | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | file | name | bcprov-jdk15on | High
Product | jar | package name | jce | Highest
Product | Manifest | permissions | all-permissions | Low
Product | jar | package name | crypto | Highest
Version | pom | version | 1.68 | Highest
Version | Manifest | Bundle-Version | 1.68 | High
Version | file | version | 1.68 | High
Identifiers:
pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68 (Confidence: High)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.68:*:*:*:*:*:*:* (Confidence: Low)
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.68:*:*:*:*:*:*:* (Confidence: Low)

btf-1.2.jar
Description:
null
License:
Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.mvnrepository/com/github/fge/btf/1.2/btf-1.2.jar
MD5: 5c91cd1157e0bb99e77a33b6f42a457c
SHA1: 9e66651022eb86301b348d57e6f59459effc343b
SHA256: 38a380577a186718cb97ee8af58d4f40f7fbfdc23ff68b5f4b3c2c68a1d5c05d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | com.github.fge.btf | Medium
Vendor | pom | name | null | High
Vendor | pom | groupid | com.github.fge | Highest
Vendor | jar | package name | github | Highest
Vendor | jar | package name | fge | Highest
Vendor | pom | artifactid | btf | Low
Vendor | pom | url | fge/btf | Highest
Vendor | file | name | btf | High
Vendor | pom | groupid | github.fge | Highest
Product | pom | artifactid | btf | Highest
Product | Manifest | bundle-symbolicname | com.github.fge.btf | Medium
Product | pom | name | null | High
Product | Manifest | Bundle-Name | btf | Medium
Product | jar | package name | github | Highest
Product | jar | package name | fge | Highest
Product | file | name | btf | High
Product | pom | url | fge/btf | High
Product | pom | groupid | github.fge | Highest
Version | pom | version | 1.2 | Highest
Version | Manifest | Bundle-Version | 1.2 | High
Version | file | version | 1.2 | High
checker-qual-2.5.2.jar
Description:
Checker Qual is the set of annotations (qualifiers) and supporting classes used by the Checker Framework to type check Java source code. Please see artifact: org.checkerframework:checker
License:
The MIT License: http://opensource.org/licenses/MIT
File Path: /home/jenkins/.mvnrepository/org/checkerframework/checker-qual/2.5.2/checker-qual-2.5.2.jar
MD5: 04acc78b24bbd365423da357da003cf0
SHA1: cea74543d5904a30861a61b4643a5f2bb372efc4
SHA256: 64b02691c8b9d4e7700f8ee2e742dce7ea2c6e81e662b7522c9ee3bf568c040a
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | checker-qual | High
Vendor | pom | name | Checker Qual | High
Vendor | jar | package name | checkerframework | Highest
Vendor | jar | package name | checker | Highest
Vendor | pom | groupid | checkerframework | Highest
Vendor | jar | package name | framework | Highest
Vendor | pom | url | https://checkerframework.org | Highest
Vendor | pom | groupid | org.checkerframework | Highest
Vendor | Manifest | implementation-url | https://checkerframework.org | Low
Vendor | pom | artifactid | checker-qual | Low
Vendor | jar | package name | qual | Highest
Product | pom | url | https://checkerframework.org | Medium
Product | pom | artifactid | checker-qual | Highest
Product | file | name | checker-qual | High
Product | pom | name | Checker Qual | High
Product | jar | package name | checkerframework | Highest
Product | jar | package name | checker | Highest
Product | pom | groupid | checkerframework | Highest
Product | jar | package name | framework | Highest
Product | Manifest | implementation-url | https://checkerframework.org | Low
Product | jar | package name | qual | Highest
Version | file | version | 2.5.2 | High
Version | pom | version | 2.5.2 | Highest
Version | Manifest | Implementation-Version | 2.5.2 | High
commons-codec-1.14.jar
Description:
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/commons-codec/commons-codec/1.14/commons-codec-1.14.jar
MD5: e9158e0983096d3df09236f7b53125aa
SHA1: 3cb1181b2141a7e752f5bdc998b7ef1849f726cf
SHA256: a128e4f93fabe5381ded64cf2873019e06030b718eb43ceeae0b0e5d17ad33e9
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | commons-codec | High
Vendor | Manifest | automatic-module-name | org.apache.commons.codec | Medium
Vendor | pom | artifactid | commons-codec | Low
Vendor | jar | package name | apache | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | commons | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | jar | package name | codec | Highest
Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-codec/ | Low
Vendor | jar | package name | encoder | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | url | https://commons.apache.org/proper/commons-codec/ | Highest
Vendor | pom | name | Apache Commons Codec | High
Vendor | pom | groupid | commons-codec | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-codec | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Product | file | name | commons-codec | High
Product | Manifest | automatic-module-name | org.apache.commons.codec | Medium
Product | jar | package name | apache | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | parent-artifactid | commons-parent | Medium
Product | jar | package name | commons | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | specification-title | Apache Commons Codec | Medium
Product | jar | package name | codec | Highest
Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-codec/ | Low
Product | pom | artifactid | commons-codec | Highest
Product | jar | package name | encoder | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | name | Apache Commons Codec | High
Product | pom | groupid | commons-codec | Highest
Product | Manifest | Bundle-Name | Apache Commons Codec | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-codec | Medium
Product | Manifest | Implementation-Title | Apache Commons Codec | High
Product | pom | url | https://commons.apache.org/proper/commons-codec/ | Medium
Version | pom | version | 1.14 | Highest
Version | Manifest | Implementation-Version | 1.14 | High
Version | file | version | 1.14 | High
Version | pom | parent-version | 1.14 | Low
commons-compress-1.21.jar
Description:
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar
MD5: 2a713d10331bc4e13459a3dc0463f16f
SHA1: 4ec95b60d4e86b5c95a0e919cb172a0af98011ef
SHA256: 6aecfd5459728a595601cfa07258d131972ffc39b492eb48bdd596577a2f244a
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | https://commons.apache.org/proper/commons-compress/ | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | groupid | org.apache.commons | Highest
Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-compress/ | Low
Vendor | Manifest | implementation-build | UNKNOWN@r60e3d9f6bef1e431f8738e881c051d706f81e6cf; 2021-07-09 16:56:00+0000 | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | file | name | commons-compress | High
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | groupid | apache.commons | Highest
Vendor | jar | package name | compress | Highest
Vendor | pom | artifactid | commons-compress | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-compress | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | automatic-module-name | org.apache.commons.compress | Medium
Vendor | Manifest | extension-name | org.apache.commons.compress | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | name | Apache Commons Compress | High
Product | pom | artifactid | commons-compress | Highest
Product | Manifest | Bundle-Name | Apache Commons Compress | Medium
Product | Manifest | specification-title | Apache Commons Compress | Medium
Product | pom | url | https://commons.apache.org/proper/commons-compress/ | Medium
Product | jar | package name | apache | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | jar | package name | commons | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-compress/ | Low
Product | Manifest | implementation-build | UNKNOWN@r60e3d9f6bef1e431f8738e881c051d706f81e6cf; 2021-07-09 16:56:00+0000 | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | Implementation-Title | Apache Commons Compress | High
Product | file | name | commons-compress | High
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | groupid | apache.commons | Highest
Product | jar | package name | compress | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-compress | Medium
Product | Manifest | automatic-module-name | org.apache.commons.compress | Medium
Product | Manifest | extension-name | org.apache.commons.compress | Medium
Product | pom | name | Apache Commons Compress | High
Version | Manifest | Implementation-Version | 1.21 | High
Version | file | version | 1.21 | High
Version | pom | parent-version | 1.21 | Low
Version | pom | version | 1.21 | Highest
commons-io-2.7.jar
Description:
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/commons-io/commons-io/2.7/commons-io-2.7.jar
MD5: 87709c85b69a685ddba69c65fe6dd6f9
SHA1: 3f2bd4ba11c4162733c13cc90ca7c7ea09967102
SHA256: 4547858fff38bbf15262d520685b184a3dce96897bc1844871f055b96e8f6e95
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | automatic-module-name | org.apache.commons.io | Medium
Vendor | pom | name | Apache Commons IO | High
Vendor | pom | url | https://commons.apache.org/proper/commons-io/ | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | groupid | commons-io | Highest
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-io | Medium
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | jar | package name | file | Highest
Vendor | pom | artifactid | commons-io | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | file | name | commons-io | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-io/ | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Product | Manifest | Bundle-Name | Apache Commons IO | Medium
Product | Manifest | automatic-module-name | org.apache.commons.io | Medium
Product | pom | name | Apache Commons IO | High
Product | jar | package name | apache | Highest
Product | pom | url | https://commons.apache.org/proper/commons-io/ | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | jar | package name | commons | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | specification-title | Apache Commons IO | Medium
Product | pom | groupid | commons-io | Highest
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | commons-io | Highest
Product | Manifest | Implementation-Title | Apache Commons IO | High
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-io | Medium
Product | jar | package name | file | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | file | name | commons-io | High
Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-io/ | Low
Version | pom | version | 2.7 | Highest
Version | pom | parent-version | 2.7 | Low
Version | Manifest | Implementation-Version | 2.7 | High
Version | file | version | 2.7 | High
commons-lang3-3.9.jar
Description:
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/apache/commons/commons-lang3/3.9/commons-lang3-3.9.jar
MD5: fa752c3cb5474b05e14bf2ed7e242020
SHA1: 0122c7cee69b53ed4a7681c03d4ee4c0e2765da5
SHA256: de2e1dcdcf3ef917a8ce858661a06726a9a944f28e33ad7f9e08bea44dc3c230
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://commons.apache.org/proper/commons-lang/ | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.commons | Medium
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | commons | Highest
Vendor | pom | groupid | org.apache.commons | Highest
Vendor | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | name | Apache Commons Lang | High
Vendor | jar | package name | lang3 | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang3 | Medium
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | groupid | apache.commons | Highest
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | file | name | commons-lang3 | High
Vendor | pom | artifactid | commons-lang3 | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Product | pom | url | http://commons.apache.org/proper/commons-lang/ | Medium
Product | jar | package name | apache | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | jar | package name | commons | Highest
Product | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Apache Commons Lang | Medium
Product | pom | artifactid | commons-lang3 | Highest
Product | pom | name | Apache Commons Lang | High
Product | jar | package name | lang3 | Highest
Product | Manifest | Bundle-Name | Apache Commons Lang | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.lang3 | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | groupid | apache.commons | Highest
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Product | file | name | commons-lang3 | High
Product | Manifest | Implementation-Title | Apache Commons Lang | High
Version | Manifest | Implementation-Version | 3.9 | High
Version | pom | version | 3.9 | Highest
Version | pom | parent-version | 3.9 | Low
Version | file | version | 3.9 | High
commons-logging-1.2.jar
Description:
Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256: daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-build | tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | artifactid | commons-logging | Low
Vendor | jar | package name | commons | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.logging | Medium
Vendor | jar | package name | logging | Highest
Vendor | pom | name | Apache Commons Logging | High
Vendor | pom | groupid | commons-logging | Highest
Vendor | file | name | commons-logging | High
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-logging/ | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | url | http://commons.apache.org/proper/commons-logging/ | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Product | Manifest | implementation-build | tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 | Low
Product | Manifest | Bundle-Name | Apache Commons Logging | Medium
Product | Manifest | specification-title | Apache Commons Logging | Medium
Product | jar | package name | apache | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | jar | package name | commons | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.logging | Medium
Product | jar | package name | logging | Highest
Product | pom | url | http://commons.apache.org/proper/commons-logging/ | Medium
Product | pom | artifactid | commons-logging | Highest
Product | pom | name | Apache Commons Logging | High
Product | pom | groupid | commons-logging | Highest
Product | Manifest | Implementation-Title | Apache Commons Logging | High
Product | file | name | commons-logging | High
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-logging/ | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Version | pom | version | 1.2 | Highest
Version | Manifest | Implementation-Version | 1.2 | High
Version | pom | parent-version | 1.2 | Low
Version | file | version | 1.2 | High
error_prone_annotations-2.2.0.jar
License: Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/google/errorprone/error_prone_annotations/2.2.0/error_prone_annotations-2.2.0.jar
MD5: 416757b9e6ba0563368ab59e668b3225
SHA1: 88e3c593e9b3586e1c6177f89267da6fc6986f0c
SHA256: 6ebd22ca1b9d8ec06d41de8d64e0596981d9607b42035f9ed374f9de271a481a
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | errorprone | Low
Vendor | jar | package name | google | Low
Vendor | pom | name | error-prone annotations | High
Vendor | pom | artifactid | error_prone_annotations | Low
Vendor | file | name | error_prone_annotations | High
Vendor | pom | groupid | google.errorprone | Highest
Vendor | pom | parent-artifactid | error_prone_parent | Low
Vendor | jar | package name | annotations | Highest
Vendor | pom | parent-groupid | com.google.errorprone | Medium
Vendor | jar | package name | annotations | Low
Vendor | jar | package name | errorprone | Highest
Vendor | pom | groupid | com.google.errorprone | Highest
Vendor | jar | package name | google | Highest
Product | pom | groupid | google.errorprone | Highest
Product | jar | package name | errorprone | Low
Product | jar | package name | annotations | Highest
Product | pom | artifactid | error_prone_annotations | Highest
Product | pom | name | error-prone annotations | High
Product | pom | parent-artifactid | error_prone_parent | Medium
Product | pom | parent-groupid | com.google.errorprone | Medium
Product | jar | package name | annotations | Low
Product | jar | package name | errorprone | Highest
Product | jar | package name | google | Highest
Product | file | name | error_prone_annotations | High
Version | pom | version | 2.2.0 | Highest
Version | file | version | 2.2.0 | High
failureaccess-1.0.1.jar
Description: Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
MD5: 091883993ef5bfa91da01dcc8fc52236
SHA1: 1dcf1de382a0bf95a3d8b0849546c88bac1292c9
SHA256: a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | common | Highest
Vendor | jar | package name | util | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | concurrent | Highest
Vendor | Manifest | bundle-symbolicname | com.google.guava.failureaccess | Medium
Vendor | file | name | failureaccess | High
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Vendor | pom | groupid | google.guava | Highest
Vendor | pom | artifactid | failureaccess | Low
Vendor | pom | parent-artifactid | guava-parent | Low
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | name | Guava InternalFutureFailureAccess and InternalFutures | High
Vendor | jar | package name | google | Highest
Vendor | pom | parent-groupid | com.google.guava | Medium
Product | jar | package name | common | Highest
Product | jar | package name | util | Highest
Product | pom | artifactid | failureaccess | Highest
Product | jar | package name | concurrent | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | parent-artifactid | guava-parent | Medium
Product | Manifest | bundle-symbolicname | com.google.guava.failureaccess | Medium
Product | file | name | failureaccess | High
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | pom | groupid | google.guava | Highest
Product | pom | name | Guava InternalFutureFailureAccess and InternalFutures | High
Product | Manifest | Bundle-Name | Guava InternalFutureFailureAccess and InternalFutures | Medium
Product | jar | package name | google | Highest
Product | pom | parent-groupid | com.google.guava | Medium
Version | pom | version | 1.0.1 | Highest
Version | pom | parent-version | 1.0.1 | Low
Version | file | version | 1.0.1 | High
Version | Manifest | Bundle-Version | 1.0.1 | High
generex-1.0.2.jar
Description: Generex, a Java library for regex to Strings generation
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/github/mifmif/generex/1.0.2/generex-1.0.2.jar
MD5: a832db42f9e1c4f76930f547f6f80998
SHA1: b378f873b4e8d7616c3d920e2132cb1c87679600
SHA256: 8f8ce233c335e08e113a3f9579de1046fb19927e82468b1bbebcd6cba8760b81
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | Generex | High
Vendor | file | name | generex | High
Vendor | Manifest | implementation-url | https://github.com/mifmif/Generex/tree/master | Low
Vendor | jar | package name | generex | Highest
Vendor | pom | artifactid | generex | Low
Vendor | pom | url | mifmif/Generex/tree/master | Highest
Vendor | pom | groupid | com.github.mifmif | Highest
Vendor | jar | package name | mifmif | Highest
Vendor | Manifest | Implementation-Vendor-Id | com.github.mifmif | Medium
Vendor | pom | groupid | github.mifmif | Highest
Vendor | jar | package name | regex | Highest
Product | pom | name | Generex | High
Product | file | name | generex | High
Product | Manifest | implementation-url | https://github.com/mifmif/Generex/tree/master | Low
Product | Manifest | Implementation-Title | Generex | High
Product | pom | url | mifmif/Generex/tree/master | High
Product | jar | package name | generex | Highest
Product | jar | package name | mifmif | Highest
Product | pom | groupid | github.mifmif | Highest
Product | jar | package name | regex | Highest
Product | Manifest | specification-title | Generex | Medium
Product | pom | artifactid | generex | Highest
Version | pom | version | 1.0.2 | Highest
Version | file | version | 1.0.2 | High
Version | Manifest | Implementation-Version | 1.0.2 | High
graal-sdk-21.3.1.jar
Description: GraalVM is an ecosystem for compiling and running applications written in multiple languages. GraalVM removes the isolation between programming languages and enables interoperability in a shared runtime.
License: Universal Permissive License, Version 1.0: http://opensource.org/licenses/UPL
File Path: /home/jenkins/.mvnrepository/org/graalvm/sdk/graal-sdk/21.3.1/graal-sdk-21.3.1.jar
MD5: 95c0cb1f8cb5cc97b04ed2c805d72193
SHA1: d448085d3616ad00b769f8931990978ab61919f1
SHA256: 47b406b346e3acca57f0880d9b0b69ddbe60cb4b36c11a2907f2bafbdc9aa6f4
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | oracle/graal | Highest
Vendor | jar | package name | graalvm | Highest
Vendor | pom | groupid | graalvm.sdk | Highest
Vendor | file | name | graal-sdk | High
Vendor | pom | groupid | org.graalvm.sdk | Highest
Vendor | pom | artifactid | graal-sdk | Low
Vendor | pom | name | Graal Sdk | High
Vendor | jar | package name | graalvm | Low
Product | pom | url | oracle/graal | High
Product | jar | package name | graalvm | Highest
Product | pom | groupid | graalvm.sdk | Highest
Product | file | name | graal-sdk | High
Product | pom | artifactid | graal-sdk | Highest
Product | pom | name | Graal Sdk | High
Version | pom | version | 21.3.1 | Highest
Version | file | version | 21.3.1 | High
guava-30.1-jre.jar
Description: Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
MD5: 2f8966f27f06101a08083bfa9f9277e7
SHA1: 00d0c3ce2311c9e36e73228da25a6e99b2ab826f
SHA256: e6dd072f9d3fe02a4600688380bd422bdac184caf6fe2418cfdd0934f09432aa
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | common | Highest
Vendor | Manifest | automatic-module-name | com.google.common | Medium
Vendor | file | name | guava | High
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Vendor | pom | groupid | google.guava | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | guava | Low
Vendor | pom | parent-artifactid | guava-parent | Low
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | jar | package name | google | Highest
Vendor | Manifest | bundle-symbolicname | com.google.guava | Medium
Vendor | pom | parent-groupid | com.google.guava | Medium
Product | jar | package name | common | Highest
Product | pom | artifactid | guava | Highest
Product | pom | parent-artifactid | guava-parent | Medium
Product | Manifest | automatic-module-name | com.google.common | Medium
Product | Manifest | Bundle-Name | Guava: Google Core Libraries for Java | Medium
Product | file | name | guava | High
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | pom | groupid | google.guava | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | name | Guava: Google Core Libraries for Java | High
Product | jar | package name | google | Highest
Product | Manifest | bundle-symbolicname | com.google.guava | Medium
Product | pom | parent-groupid | com.google.guava | Medium
Version | pom | version | 30.1-jre | Highest
httpclient-4.5.13.jar
Description: Apache HttpComponents Client
File Path: /home/jenkins/.mvnrepository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
MD5: 40d6b9075fbd28fa10292a45a0db9457
SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada
SHA256: 6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | httpclient | Low
Vendor | jar | package name | client | Highest
Vendor | Manifest | automatic-module-name | org.apache.httpcomponents.httpclient | Medium
Vendor | pom | name | Apache HttpClient | High
Vendor | file | name | httpclient | High
Vendor | Manifest | implementation-url | http://hc.apache.org/httpcomponents-client | Low
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | httpclient | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.httpcomponents | Medium
Vendor | pom | parent-groupid | org.apache.httpcomponents | Medium
Vendor | pom | url | http://hc.apache.org/httpcomponents-client | Highest
Vendor | pom | groupid | org.apache.httpcomponents | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | parent-artifactid | httpcomponents-client | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | groupid | apache.httpcomponents | Highest
Product | jar | package name | client | Highest
Product | Manifest | automatic-module-name | org.apache.httpcomponents.httpclient | Medium
Product | Manifest | specification-title | Apache HttpClient | Medium
Product | pom | name | Apache HttpClient | High
Product | file | name | httpclient | High
Product | Manifest | implementation-url | http://hc.apache.org/httpcomponents-client | Low
Product | jar | package name | apache | Highest
Product | jar | package name | httpclient | Highest
Product | pom | url | http://hc.apache.org/httpcomponents-client | Medium
Product | pom | parent-groupid | org.apache.httpcomponents | Medium
Product | pom | parent-artifactid | httpcomponents-client | Medium
Product | Manifest | Implementation-Title | Apache HttpClient | High
Product | jar | package name | http | Highest
Product | pom | artifactid | httpclient | Highest
Product | pom | groupid | apache.httpcomponents | Highest
Version | Manifest | Implementation-Version | 4.5.13 | High
Version | file | version | 4.5.13 | High
Version | pom | version | 4.5.13 | Highest
httpcore-4.4.14.jar
Description: Apache HttpComponents Core (blocking I/O)
File Path: /home/jenkins/.mvnrepository/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
MD5: 2b3991eda121042765a5ee299556c200
SHA1: 9dd1a631c082d92ecd4bd8fd4cf55026c720a8c1
SHA256: f956209e450cb1d0c51776dfbd23e53e9dd8db9a1298ed62b70bf0944ba63b28
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | url | http://hc.apache.org/httpcomponents-core-ga | Low
Vendor | Manifest | automatic-module-name | org.apache.httpcomponents.httpcore | Medium
Vendor | Manifest | implementation-url | http://hc.apache.org/httpcomponents-core-ga | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | httpcomponents-core | Low
Vendor | pom | name | Apache HttpCore | High
Vendor | pom | parent-groupid | org.apache.httpcomponents | Medium
Vendor | Manifest | implementation-build | ${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000 | Low
Vendor | pom | groupid | org.apache.httpcomponents | Highest
Vendor | file | name | httpcore | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | url | http://hc.apache.org/httpcomponents-core-ga | Highest
Vendor | pom | artifactid | httpcore | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | groupid | apache.httpcomponents | Highest
Product | Manifest | url | http://hc.apache.org/httpcomponents-core-ga | Low
Product | Manifest | automatic-module-name | org.apache.httpcomponents.httpcore | Medium
Product | pom | artifactid | httpcore | Highest
Product | Manifest | implementation-url | http://hc.apache.org/httpcomponents-core-ga | Low
Product | jar | package name | apache | Highest
Product | pom | name | Apache HttpCore | High
Product | Manifest | specification-title | HttpComponents Apache HttpCore | Medium
Product | pom | url | http://hc.apache.org/httpcomponents-core-ga | Medium
Product | pom | parent-groupid | org.apache.httpcomponents | Medium
Product | pom | parent-artifactid | httpcomponents-core | Medium
Product | jar | package name | http | Highest
Product | Manifest | implementation-build | ${scmBranch}@r${buildNumber}; 2020-11-26 19:07:01+0000 | Low
Product | file | name | httpcore | High
Product | Manifest | Implementation-Title | HttpComponents Apache HttpCore | High
Product | pom | groupid | apache.httpcomponents | Highest
Version | Manifest | Implementation-Version | 4.4.14 | High
Version | pom | version | 4.4.14 | Highest
Version | file | version | 4.4.14 | High
istack-commons-runtime-3.0.10.jar
Description: istack common utility code
License: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/jenkins/.mvnrepository/com/sun/istack/istack-commons-runtime/3.0.10/istack-commons-runtime-3.0.10.jar
MD5: 05660669c45f5bb65cece45bf01d92bc
SHA1: be8418d9a1c91d8569045e82e8ad73cadbaa1f0d
SHA256: 85239e7fff2463b7d8a9c3962f78ee3e2c6db9455c724f29281e2c5f663e22be
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | istack | Highest
Vendor | Manifest | multi-release | true | Low
Vendor | pom | name | istack common utility code runtime | High
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | pom | groupid | com.sun.istack | Highest
Vendor | jar | package name | sun | Highest
Vendor | pom | parent-artifactid | istack-commons | Low
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | implementation-build-id | 3.0.10 - 3.0.10-RELEASE-0b1ac0c, 2019-10-15T09:41:41+0000 | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | Implementation-Vendor-Id | com.sun.istack | Medium
Vendor | Manifest | bundle-symbolicname | com.sun.istack.commons-runtime | Medium
Vendor | jar | package name | com | Highest
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | jar (hint) | package name | oracle | Highest
Vendor | pom | parent-groupid | com.sun.istack | Medium
Vendor | file | name | istack-commons-runtime | High
Vendor | pom | groupid | sun.istack | Highest
Vendor | pom | artifactid | istack-commons-runtime | Low
Product | pom | artifactid | istack-commons-runtime | Highest
Product | pom | parent-artifactid | istack-commons | Medium
Product | jar | package name | istack | Highest
Product | Manifest | multi-release | true | Low
Product | pom | name | istack common utility code runtime | High
Product | jar | package name | sun | Highest
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | implementation-build-id | 3.0.10 - 3.0.10-RELEASE-0b1ac0c, 2019-10-15T09:41:41+0000 | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | com.sun.istack.commons-runtime | Medium
Product | jar | package name | com | Highest
Product | Manifest | build-jdk-spec | 11 | Low
Product | pom | parent-groupid | com.sun.istack | Medium
Product | file | name | istack-commons-runtime | High
Product | pom | groupid | sun.istack | Highest
Product | Manifest | Bundle-Name | istack common utility code runtime | Medium
Version | Manifest | Bundle-Version | 3.0.10 | High
Version | Manifest | implementation-build-id | 3.0.10 | Low
Version | pom | version | 3.0.10 | Highest
Version | file | version | 3.0.10 | High
j2objc-annotations-1.3.jar
Description: A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
MD5: 5fa4ec4ec0c5aa70af8a7d4922df1931
SHA1: ba035118bc8bac37d7eff77700720999acd9986d
SHA256: 21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | google/j2objc/ | Highest
Vendor | jar | package name | j2objc | Low
Vendor | jar | package name | google | Low
Vendor | pom | artifactid | j2objc-annotations | Low
Vendor | file | name | j2objc-annotations | High
Vendor | jar | package name | j2objc | Highest
Vendor | pom | name | J2ObjC Annotations | High
Vendor | pom | groupid | com.google.j2objc | Highest
Vendor | jar | package name | annotations | Highest
Vendor | pom | groupid | google.j2objc | Highest
Vendor | jar | package name | annotations | Low
Vendor | jar | package name | google | Highest
Product | pom | artifactid | j2objc-annotations | Highest
Product | jar | package name | annotations | Highest
Product | pom | groupid | google.j2objc | Highest
Product | jar | package name | j2objc | Low
Product | file | name | j2objc-annotations | High
Product | jar | package name | annotations | Low
Product | jar | package name | j2objc | Highest
Product | pom | name | J2ObjC Annotations | High
Product | jar | package name | google | Highest
Product | pom | url | google/j2objc/ | High
Version | file | version | 1.3 | High
Version | pom | version | 1.3 | Highest
jackson-annotations-2.12.6.jar
Description: Core annotations used for value types, used by Jackson data binding package.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar
MD5: 9c936122eb418ee985b195d183623618
SHA1: 9487231edd6b0b1f14692c9cba9e0462809215d1
SHA256: ddf46e401a7d9ea3b481c263fa192285d13c50982a5882b22f806639b9645ee4
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.core | Medium
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Vendor | pom | groupid | fasterxml.jackson.core | Highest
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | pom | name | Jackson-annotations | High
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | jackson-annotations | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | pom | parent-artifactid | jackson-parent | Low
Vendor | jar | package name | fasterxml | Highest
Vendor | file | name | jackson-annotations | High
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-annotations | Medium
Vendor | pom | url | http://github.com/FasterXML/jackson | Highest
Vendor | jar | package name | jackson | Highest
Vendor | Manifest | implementation-build-date | 2021-12-15 02:15:32+0000 | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | jackson-annotations | Highest
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Product | Manifest | Bundle-Name | Jackson-annotations | Medium
Product | pom | groupid | fasterxml.jackson.core | Highest
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | pom | name | Jackson-annotations | High
Product | hint analyzer | product | modules | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | url | http://github.com/FasterXML/jackson | Medium
Product | Manifest | Implementation-Title | Jackson-annotations | High
Product | hint analyzer | product | java8 | Highest
Product | jar | package name | fasterxml | Highest
Product | file | name | jackson-annotations | High
Product | pom | parent-artifactid | jackson-parent | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-annotations | Medium
Product | Manifest | specification-title | Jackson-annotations | Medium
Product | jar | package name | jackson | Highest
Product | Manifest | implementation-build-date | 2021-12-15 02:15:32+0000 | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Version | pom | version | 2.12.6 | Highest
Version | pom | parent-version | 2.12.6 | Low
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-core-2.12.6.jar
Description: Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/core/jackson-core/2.12.6/jackson-core-2.12.6.jar
MD5: 3976126e023f2969b4267963fe841f43
SHA1: 5bf206c0b5982cfcd868b3d9349dc5190db8bab5
SHA256: 0026cff293bdba389fbbbc67a20fdd5f73e091554ab46671efa654c25c807ee6
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.core | Medium
Vendor | pom | parent-artifactid | jackson-base | Low
Vendor | pom | groupid | fasterxml.jackson.core | Highest
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-core | Medium
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | file | name | jackson-core | High
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-core | Low
Vendor | Manifest | implementation-build-date | 2021-12-15 02:20:29+0000 | Low
Vendor | jar | package name | json | Highest
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-core | Low
Vendor | jar | package name | fasterxml | Highest
Vendor | pom | url | FasterXML/jackson-core | Highest
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | Jackson-core | High
Vendor | jar | package name | core | Highest
Vendor | jar | package name | base | Highest
Vendor | jar | package name | jackson | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | Implementation-Title | Jackson-core | High
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-core | Medium
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | hint analyzer | product | modules | Highest
Product | hint analyzer | product | java8 | Highest
Product | jar | package name | filter | Highest
Product | pom | parent-artifactid | jackson-base | Medium
Product | pom | name | Jackson-core | High
Product | jar | package name | core | Highest
Product | Manifest | Bundle-Name | Jackson-core | Medium
Product | jar | package name | base | Highest
Product | jar | package name | jackson | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | groupid | fasterxml.jackson.core | Highest
Product | Manifest | specification-title | Jackson-core | Medium
Product | file | name | jackson-core | High
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | jar | package name | json | Highest
Product | Manifest | implementation-build-date | 2021-12-15 02:20:29+0000 | Low
Product | pom | url | FasterXML/jackson-core | High
Product | jar | package name | version | Highest
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-core | Low
Product | jar | package name | fasterxml | Highest
Product | pom | artifactid | jackson-core | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-coreutils-1.6.jar
Description: null
License:
Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.mvnrepository/com/github/fge/jackson-coreutils/1.6/jackson-coreutils-1.6.jar
MD5: 26a6b351813e2895cba18e0ee4abe5b7
SHA1: 9e6af56eb7cc2a65700b289abc7ee2bd170fd231
SHA256: d84b416924fb061a26c48a5c90e98cf4d4e718179eb1df702aa8f1021163eed6
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-coreutils | High
Vendor | pom | artifactid | jackson-coreutils | Low
Vendor | pom | name | null | High
Vendor | pom | groupid | com.github.fge | Highest
Vendor | jar | package name | github | Highest
Vendor | jar | package name | fge | Highest
Vendor | Manifest | bundle-symbolicname | com.github.fge.jackson-coreutils | Medium
Vendor | pom | url | fge/jackson-coreutils | Highest
Vendor | pom | groupid | github.fge | Highest
Vendor | jar | package name | jackson | Highest
Product | file | name | jackson-coreutils | High
Product | Manifest | Bundle-Name | jackson-coreutils | Medium
Product | pom | name | null | High
Product | jar | package name | github | Highest
Product | jar | package name | fge | Highest
Product | pom | url | fge/jackson-coreutils | High
Product | Manifest | bundle-symbolicname | com.github.fge.jackson-coreutils | Medium
Product | pom | artifactid | jackson-coreutils | Highest
Product | pom | groupid | github.fge | Highest
Product | jar | package name | jackson | Highest
Version | file | version | 1.6 | High
Version | pom | version | 1.6 | Highest
Version | Manifest | Bundle-Version | 1.6 | High
jackson-databind-2.12.6.jar
Description: General data-binding functionality for Jackson: works on core streaming API
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/core/jackson-databind/2.12.6/jackson-databind-2.12.6.jar
MD5: a618e883f32dd2ea37e06195971e7f32
SHA1: fac216b606c1086e36acea6e572ee61572ad1670
SHA256: 372541e41666f9946c6417bd32df76869b2ca688c9585f6ddfe549c0fc51e7a6
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.core | Medium
Vendor | pom | parent-artifactid | jackson-base | Low
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Vendor | Manifest | implementation-build-date | 2021-12-15 02:32:55+0000 | Low
Vendor | pom | groupid | fasterxml.jackson.core | Highest
Vendor | jar | package name | databind | Highest
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | jackson-databind | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-databind | Medium
Vendor | jar | package name | fasterxml | Highest
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | file | name | jackson-databind | High
Vendor | pom | name | jackson-databind | High
Vendor | pom | url | http://github.com/FasterXML/jackson | Highest
Vendor | jar | package name | jackson | Highest
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Product | Manifest | implementation-build-date | 2021-12-15 02:32:55+0000 | Low
Product | pom | groupid | fasterxml.jackson.core | Highest
Product | jar | package name | databind | Highest
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | hint analyzer | product | modules | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | specification-title | jackson-databind | Medium
Product | pom | url | http://github.com/FasterXML/jackson | Medium
Product | hint analyzer | product | java8 | Highest
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-databind | Medium
Product | jar | package name | fasterxml | Highest
Product | file | name | jackson-databind | High
Product | Manifest | Implementation-Title | jackson-databind | High
Product | pom | parent-artifactid | jackson-base | Medium
Product | pom | name | jackson-databind | High
Product | pom | artifactid | jackson-databind | Highest
Product | jar | package name | jackson | Highest
Product | Manifest | Bundle-Name | jackson-databind | Medium
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-datatype-jdk8-2.12.6.jar
Description: Add-on module for Jackson (http://jackson.codehaus.org) to support JDK 8 data types.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.12.6/jackson-datatype-jdk8-2.12.6.jar
MD5: 2af8967df4fbe28274051430886f5cba
SHA1: ccbbe6e72e3665e7ad9d0eee4613e1d8a09b81ae
SHA256: 3602428cafcef7819ac1fc718fe5b2ab933944f9f781874cbd44a50273bbcee2
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.fasterxml.jackson.datatype | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | parent-artifactid | jackson-modules-java8 | Low
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8 | Low
Vendor | jar | package name | jdk8 | Highest
Vendor | pom | name | Jackson datatype: jdk8 | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.datatype | Medium
Vendor | pom | groupid | fasterxml.jackson.datatype | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | file | name | jackson-datatype-jdk8 | High
Vendor | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Vendor | pom | artifactid | jackson-datatype-jdk8 | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-jdk8 | Medium
Vendor | jar | package name | datatype | Highest
Vendor | Manifest | implementation-build-date | 2021-12-15 04:34:13+0000 | Low
Vendor | jar | package name | jackson | Highest
Product | Manifest | Implementation-Title | Jackson datatype: jdk8 | High
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | parent-artifactid | jackson-modules-java8 | Medium
Product | pom | artifactid | jackson-datatype-jdk8 | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8 | Low
Product | jar | package name | jdk8 | Highest
Product | Manifest | Bundle-Name | Jackson datatype: jdk8 | Medium
Product | pom | name | Jackson datatype: jdk8 | High
Product | pom | groupid | fasterxml.jackson.datatype | Highest
Product | jar | package name | fasterxml | Highest
Product | Manifest | specification-title | Jackson datatype: jdk8 | Medium
Product | file | name | jackson-datatype-jdk8 | High
Product | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-jdk8 | Medium
Product | jar | package name | datatype | Highest
Product | Manifest | implementation-build-date | 2021-12-15 04:34:13+0000 | Low
Product | jar | package name | jackson | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-datatype-jsr310-2.12.6.jar
Description: Add-on module to support JSR-310 (Java 8 Date & Time API) data types.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.12.6/jackson-datatype-jsr310-2.12.6.jar
MD5: 0dcce05f281b2f8bc0e7d422eebb8f7c
SHA1: 0f7d0d854f24c4254885c275a09fb885ef578b48
SHA256: b4539d431f019239699691820dfea70a65cf8e882120a72b3a7713ed1dc66fcb
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.fasterxml.jackson.datatype | Highest
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-jsr310 | Medium
Vendor | jar | package name | jsr310 | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | parent-artifactid | jackson-modules-java8 | Low
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.datatype | Medium
Vendor | pom | groupid | fasterxml.jackson.datatype | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Vendor | pom | name | Jackson datatype: JSR310 | High
Vendor | file | name | jackson-datatype-jsr310 | High
Vendor | jar | package name | datatype | Highest
Vendor | Manifest | implementation-build-date | 2021-12-15 04:34:13+0000 | Low
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310 | Low
Vendor | pom | artifactid | jackson-datatype-jsr310 | Low
Vendor | jar | package name | jackson | Highest
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-jsr310 | Medium
Product | pom | artifactid | jackson-datatype-jsr310 | Highest
Product | jar | package name | jsr310 | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | parent-artifactid | jackson-modules-java8 | Medium
Product | Manifest | Implementation-Title | Jackson datatype: JSR310 | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | fasterxml.jackson.datatype | Highest
Product | jar | package name | fasterxml | Highest
Product | Manifest | specification-title | Jackson datatype: JSR310 | Medium
Product | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Product | pom | name | Jackson datatype: JSR310 | High
Product | Manifest | Bundle-Name | Jackson datatype: JSR310 | Medium
Product | file | name | jackson-datatype-jsr310 | High
Product | jar | package name | datatype | Highest
Product | Manifest | implementation-build-date | 2021-12-15 04:34:13+0000 | Low
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310 | Low
Product | jar | package name | jackson | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-jaxrs-base-2.12.6.jar
Description:
Pile of code that is shared by all Jackson-based JAX-RS providers.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.6/jackson-jaxrs-base-2.12.6.jar
MD5: 7c2397f9a62f10725644246698db5fe3
SHA1: 80379595faf4aa8a5ee1bc761e19b6467164de33
SHA256: 863bb1cacbcf819d68207b8b5492c1c8d8ef09a0f2aeafeaa191e423ef0899d6
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Vendor | pom | groupid | fasterxml.jackson.jaxrs | Highest
Vendor | Manifest | multi-release | true | Low
Vendor | pom | artifactid | jackson-jaxrs-base | Low
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-base | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | name | Jackson-JAXRS-base | High
Vendor | pom | parent-groupid | com.fasterxml.jackson.jaxrs | Medium
Vendor | Manifest | implementation-build-date | 2021-12-15 05:04:22+0000 | Low
Vendor | pom | parent-artifactid | jackson-jaxrs-providers | Low
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | jar | package name | fasterxml | Highest
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-base | Medium
Vendor | jar | package name | jaxrs | Highest
Vendor | file | name | jackson-jaxrs-base | High
Vendor | jar | package name | base | Highest
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.jaxrs | Medium
Vendor | jar | package name | jackson | Highest
Product | pom | groupid | fasterxml.jackson.jaxrs | Highest
Product | Manifest | multi-release | true | Low
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-base | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | name | Jackson-JAXRS-base | High
Product | pom | parent-groupid | com.fasterxml.jackson.jaxrs | Medium
Product | Manifest | implementation-build-date | 2021-12-15 05:04:22+0000 | Low
Product | Manifest | specification-title | Jackson-JAXRS-base | Medium
Product | pom | parent-artifactid | jackson-jaxrs-providers | Medium
Product | jar | package name | fasterxml | Highest
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-base | Medium
Product | jar | package name | jaxrs | Highest
Product | Manifest | Bundle-Name | Jackson-JAXRS-base | Medium
Product | file | name | jackson-jaxrs-base | High
Product | pom | artifactid | jackson-jaxrs-base | Highest
Product | jar | package name | base | Highest
Product | Manifest | Implementation-Title | Jackson-JAXRS-base | High
Product | jar | package name | jackson | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-jaxrs-json-provider-2.12.6.jar
Description:
Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.6/jackson-jaxrs-json-provider-2.12.6.jar
MD5: 227ef7468da608c96c4ff3292b1a2365
SHA1: 23debd9ac6b5530f3cce89d07a62a1acb0ec06a2
SHA256: fe21918ed612b975d8bc1759a07af517bf5372b7fce541d02c5b42a62dbb640f
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.fasterxml.jackson.jaxrs | Highest
Vendor | pom | groupid | fasterxml.jackson.jaxrs | Highest
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-json-provider | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson.jaxrs | Medium
Vendor | pom | artifactid | jackson-jaxrs-json-provider | Low
Vendor | Manifest | implementation-build-date | 2021-12-15 05:04:22+0000 | Low
Vendor | pom | parent-artifactid | jackson-jaxrs-providers | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider | Medium
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | jar | package name | json | Highest
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | file | name | jackson-jaxrs-json-provider | High
Vendor | pom | name | Jackson-JAXRS-JSON | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.jaxrs | Medium
Vendor | jar | package name | jackson | Highest
Product | pom | groupid | fasterxml.jackson.jaxrs | Highest
Product | Manifest | multi-release | true | Low
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson-jaxrs-providers/jackson-jaxrs-json-provider | Low
Product | Manifest | Bundle-Name | Jackson-JAXRS-JSON | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | parent-groupid | com.fasterxml.jackson.jaxrs | Medium
Product | Manifest | implementation-build-date | 2021-12-15 05:04:22+0000 | Low
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider | Medium
Product | jar | package name | json | Highest
Product | Manifest | Implementation-Title | Jackson-JAXRS-JSON | High
Product | pom | parent-artifactid | jackson-jaxrs-providers | Medium
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jaxrs | Highest
Product | file | name | jackson-jaxrs-json-provider | High
Product | pom | name | Jackson-JAXRS-JSON | High
Product | pom | artifactid | jackson-jaxrs-json-provider | Highest
Product | Manifest | specification-title | Jackson-JAXRS-JSON | Medium
Product | jar | package name | jackson | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-module-jaxb-annotations-2.12.6.jar
Description:
Support for using JAXB annotations as an alternative to "native" Jackson annotations, for configuring data-binding.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.12.6/jackson-module-jaxb-annotations-2.12.6.jar
MD5: 471323308a1743b1d3c9c848aadeb466
SHA1: a0bea2c6f98eb0dc24208b54a53da80ea459c156
SHA256: 4489a762f28d607d7d5456e5bd08735c94a9e6e535d17f18ccd5f9656e0c2a66
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.module | Medium
Vendor | Manifest | multi-release | true | Low
Vendor | jar | package name | jaxb | Highest
Vendor | pom | url | FasterXML/jackson-modules-base | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-base | Low
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | jackson-module-jaxb-annotations | Low
Vendor | Manifest | implementation-build-date | 2021-12-15 04:27:44+0000 | Low
Vendor | jar | package name | module | Highest
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | pom | groupid | com.fasterxml.jackson.module | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | file | name | jackson-module-jaxb-annotations | High
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-jaxb-annotations | Medium
Vendor | pom | parent-artifactid | jackson-modules-base | Low
Vendor | pom | name | Jackson module: JAXB Annotations | High
Vendor | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Vendor | pom | groupid | fasterxml.jackson.module | Highest
Vendor | jar | package name | jackson | Highest
Product | Manifest | multi-release | true | Low
Product | pom | artifactid | jackson-module-jaxb-annotations | Highest
Product | jar | package name | jaxb | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-base | Low
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | implementation-build-date | 2021-12-15 04:27:44+0000 | Low
Product | jar | package name | module | Highest
Product | Manifest | Bundle-Name | Jackson module: JAXB Annotations | Medium
Product | pom | url | FasterXML/jackson-modules-base | High
Product | Manifest | Implementation-Title | Jackson module: JAXB Annotations | High
Product | jar | package name | fasterxml | Highest
Product | file | name | jackson-module-jaxb-annotations | High
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-jaxb-annotations | Medium
Product | pom | parent-artifactid | jackson-modules-base | Medium
Product | pom | name | Jackson module: JAXB Annotations | High
Product | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Product | pom | groupid | fasterxml.jackson.module | Highest
Product | Manifest | specification-title | Jackson module: JAXB Annotations | Medium
Product | jar | package name | jackson | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jackson-module-parameter-names-2.12.6.jar
Description:
Add-on module for Jackson (http://jackson.codehaus.org) to support introspection of method/constructor parameter names, without having to add explicit property name annotation.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/fasterxml/jackson/module/jackson-module-parameter-names/2.12.6/jackson-module-parameter-names-2.12.6.jar
MD5: 64d9623e71a4d62b7184701d90d310d1
SHA1: 6149920352cfbdde97e6a3d35437260a72907761
SHA256: bcd0e6411465100f2b90c9d7c940d191ef037079662fe82d8aba995511206d42
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.module | Medium
Vendor | pom | name | Jackson-module-parameter-names | High
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-module-parameter-names | Low
Vendor | jar | package name | module | Highest
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-parameter-names | Medium
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | parent-artifactid | jackson-modules-java8 | Low
Vendor | pom | groupid | com.fasterxml.jackson.module | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | file | name | jackson-module-parameter-names | High
Vendor | pom | artifactid | jackson-module-parameter-names | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Vendor | Manifest | implementation-build-date | 2021-12-15 04:34:13+0000 | Low
Vendor | pom | groupid | fasterxml.jackson.module | Highest
Vendor | jar | package name | jackson | Highest
Product | pom | name | Jackson-module-parameter-names | High
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | parent-artifactid | jackson-modules-java8 | Medium
Product | jar | package name | module | Highest
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-module-parameter-names | Low
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-parameter-names | Medium
Product | Manifest | specification-title | Jackson-module-parameter-names | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | fasterxml | Highest
Product | file | name | jackson-module-parameter-names | High
Product | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Product | pom | artifactid | jackson-module-parameter-names | Highest
Product | Manifest | Bundle-Name | Jackson-module-parameter-names | Medium
Product | Manifest | implementation-build-date | 2021-12-15 04:34:13+0000 | Low
Product | Manifest | Implementation-Title | Jackson-module-parameter-names | High
Product | pom | groupid | fasterxml.jackson.module | Highest
Product | jar | package name | jackson | Highest
Version | pom | version | 2.12.6 | Highest
Version | Manifest | Bundle-Version | 2.12.6 | High
Version | file | version | 2.12.6 | High
Version | Manifest | Implementation-Version | 2.12.6 | High
jakarta.activation-1.2.1.jar
Description:
JavaBeans Activation Framework
License:
http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/jenkins/.mvnrepository/com/sun/activation/jakarta.activation/1.2.1/jakarta.activation-1.2.1.jar
MD5: dc519b1f09bbaf9274ea5da358a00110
SHA1: 8013606426a73d8ba6b568370877251e91a38b89
SHA256: d84d4ba8b55cdb7fdcbb885e6939386367433f56f5ab8cfdc302a7c3587fa92b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.activation | High
Vendor | jar | package name | activation | Highest
Vendor | Manifest | bundle-symbolicname | com.sun.activation.jakarta.activation | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | jar | package name | sun | Highest
Vendor | Manifest | extension-name | jakarta.activation | Medium
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | pom | artifactid | jakarta.activation | Low
Vendor | Manifest | automatic-module-name | jakarta.activation | Medium
Vendor | pom | parent-groupid | com.sun.activation | Medium
Vendor | pom | groupid | com.sun.activation | Highest
Vendor | pom | name | JavaBeans Activation Framework | High
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | specification-vendor | Eclipse Foundation | Low
Vendor | pom | groupid | sun.activation | Highest
Vendor | pom | parent-artifactid | all | Low
Product | file | name | jakarta.activation | High
Product | jar | package name | activation | Highest
Product | Manifest | bundle-symbolicname | com.sun.activation.jakarta.activation | Medium
Product | jar | package name | javax | Highest
Product | jar | package name | sun | Highest
Product | Manifest | extension-name | jakarta.activation | Medium
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | specification-title | JavaBeans(TM) Activation Framework Specification | Medium
Product | Manifest | Bundle-Name | JavaBeans Activation Framework | Medium
Product | Manifest | automatic-module-name | jakarta.activation | Medium
Product | pom | artifactid | jakarta.activation | Highest
Product | pom | parent-groupid | com.sun.activation | Medium
Product | Manifest | Implementation-Title | javax.activation | High
Product | pom | name | JavaBeans Activation Framework | High
Product | pom | groupid | sun.activation | Highest
Product | pom | parent-artifactid | all | Medium
Version | Manifest | Implementation-Version | 1.2.1 | High
Version | pom | version | 1.2.1 | Highest
Version | Manifest | Bundle-Version | 1.2.1 | High
Version | file | version | 1.2.1 | High
jakarta.activation-api-1.2.1.jar
Description:
JavaBeans Activation Framework API jar
License:
http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/jenkins/.mvnrepository/jakarta/activation/jakarta.activation-api/1.2.1/jakarta.activation-api-1.2.1.jar
MD5: 9b647398add993324d3d9e5effa6005a
SHA1: 562a587face36ec7eff2db7f2fc95425c6602bc1
SHA256: 8b0a0f52fa8b05c5431921a063ed866efaa41dadf2e3a7ee3e1961f2b0d9645b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | activation | Highest
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | pom | name | JavaBeans Activation Framework API jar | High
Vendor | Manifest | extension-name | jakarta.activation | Medium
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | pom | artifactid | jakarta.activation-api | Low
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | automatic-module-name | jakarta.activation | Medium
Vendor | Manifest | bundle-symbolicname | jakarta.activation-api | Medium
Vendor | pom | parent-groupid | com.sun.activation | Medium
Vendor | file | name | jakarta.activation-api | High
Vendor | Manifest | specification-vendor | Eclipse Foundation | Low
Vendor | pom | groupid | jakarta.activation | Highest
Vendor | pom | parent-artifactid | all | Low
Product | pom | artifactid | jakarta.activation-api | Highest
Product | jar | package name | activation | Highest
Product | Manifest | Bundle-Name | JavaBeans Activation Framework API jar | Medium
Product | Manifest | specification-title | jakarta.activation.jakarta.activation-api | Medium
Product | pom | name | JavaBeans Activation Framework API jar | High
Product | Manifest | extension-name | jakarta.activation | Medium
Product | Manifest | Implementation-Title | jakarta.activation.jakarta.activation-api | High
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | Manifest | automatic-module-name | jakarta.activation | Medium
Product | Manifest | bundle-symbolicname | jakarta.activation-api | Medium
Product | pom | parent-groupid | com.sun.activation | Medium
Product | file | name | jakarta.activation-api | High
Product | pom | groupid | jakarta.activation | Highest
Product | pom | parent-artifactid | all | Medium
Version | Manifest | Implementation-Version | 1.2.1 | High
Version | pom | version | 1.2.1 | Highest
Version | Manifest | Bundle-Version | 1.2.1 | High
Version | file | version | 1.2.1 | High
jakarta.annotation-api-1.3.5.jar
Description:
Jakarta Annotations API
License:
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/jenkins/.mvnrepository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
MD5: 8b165cf58df5f8c2a222f637c0a07c97
SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d
SHA256: 85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.annotation-api | High
Vendor | Manifest | bundle-symbolicname | jakarta.annotation-api | Medium
Vendor | Manifest | extension-name | jakarta.annotation | Medium
Vendor | pom | artifactid | jakarta.annotation-api | Low
Vendor | pom | url | https://projects.eclipse.org/projects/ee4j.ca | Highest
Vendor | pom | groupid | jakarta.annotation | Highest
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | pom | name | Jakarta Annotations API | High
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | automatic-module-name | java.annotation | Medium
Vendor | pom | parent-artifactid | ca-parent | Low
Vendor | jar | package name | annotation | Highest
Vendor | Manifest | specification-vendor | Eclipse Foundation | Low
Product | file | name | jakarta.annotation-api | High
Product | Manifest | bundle-symbolicname | jakarta.annotation-api | Medium
Product | Manifest | extension-name | jakarta.annotation | Medium
Product | pom | groupid | jakarta.annotation | Highest
Product | Manifest | Bundle-Name | Jakarta Annotations API | Medium
Product | pom | url | https://projects.eclipse.org/projects/ee4j.ca | Medium
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | pom | name | Jakarta Annotations API | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | automatic-module-name | java.annotation | Medium
Product | pom | parent-artifactid | ca-parent | Medium
Product | jar | package name | annotation | Highest
Product | pom | artifactid | jakarta.annotation-api | Highest
Version | file | version | 1.3.5 | High
Version | Manifest | Implementation-Version | 1.3.5 | High
Version | pom | version | 1.3.5 | Highest
Version | Manifest | Bundle-Version | 1.3.5 | High
jakarta.el-api-3.0.3.jar
Description:
Jakarta Expression Language defines an expression language for Java applications
License:
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/jenkins/.mvnrepository/jakarta/el/jakarta.el-api/3.0.3/jakarta.el-api-3.0.3.jar
MD5: 528ed6138395d22fb54912b2b889e88e
SHA1: f311ab94bb1d4380690a53d737226a6b879dd4f1
SHA256: 47ae0a91fb6dd32fdaa5d9bda63df043ac8148e00c297ccce8ab9c56b95cf261
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.el-api | High
Vendor | pom | name | Jakarta Expression Language 3.0 API | High
Vendor | pom | artifactid | jakarta.el-api | Low
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | expression | Highest
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | pom | groupid | jakarta.el | Highest
Vendor | Manifest | extension-name | javax.el | Medium
Vendor | pom | url | https://projects.eclipse.org/projects/ee4j.el | Highest
Vendor | Manifest | bundle-symbolicname | javax.el-api | Medium
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | Implementation-Vendor | Oracle Corporation | High
Vendor | jar | package name | el | Highest
Product | file | name | jakarta.el-api | High
Product | pom | name | Jakarta Expression Language 3.0 API | High
Product | Manifest | Bundle-Name | Jakarta Expression Language 3.0 API | Medium
Product | jar | package name | javax | Highest
Product | jar | package name | expression | Highest
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | pom | artifactid | jakarta.el-api | Highest
Product | pom | groupid | jakarta.el | Highest
Product | Manifest | extension-name | javax.el | Medium
Product | Manifest | bundle-symbolicname | javax.el-api | Medium
Product | pom | url | https://projects.eclipse.org/projects/ee4j.el | Medium
Product | pom | parent-artifactid | project | Medium
Product | jar | package name | el | Highest
Version | Manifest | Bundle-Version | 3.0.3 | High
Version | pom | parent-version | 3.0.3 | Low
Version | file | version | 3.0.3 | High
Version | pom | version | 3.0.3 | Highest
Version | Manifest | Implementation-Version | 3.0.3 | High
jakarta.enterprise.cdi-api-2.0.2.jar
Description:
APIs for Jakarta CDI (Contexts and Dependency Injection)
License:
Apache License 2.0: https://repository.jboss.org/licenses/apache-2.0.txt
File Path: /home/jenkins/.mvnrepository/jakarta/enterprise/jakarta.enterprise.cdi-api/2.0.2/jakarta.enterprise.cdi-api-2.0.2.jar
MD5: ff8956b6aa6e32e6f9064597d9c9f1bd
SHA1: 58f497f362cd19c2f8842d75c491d270f0600e7f
SHA256: e71bbe0e4cacfce5b7d609021344d883531aa3e19321db17390f849fdb04a509
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | enterprise | Highest
Vendor | Manifest | bundle-docurl | https://jakarta.ee | Low
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | pom | organization url | https://jakarta.ee | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | name | Jakarta CDI | High
Vendor | pom | organization name | Eclipse Foundation | High
Vendor | Manifest | bundle-symbolicname | jakarta.enterprise.cdi-api | Medium
Vendor | pom | groupid | jakarta.enterprise | Highest
Vendor | pom | parent-artifactid | project | Low
Vendor | pom | url | http://cdi-spec.org | Highest
Vendor | file | name | jakarta.enterprise.cdi-api | High
Vendor | pom | artifactid | jakarta.enterprise.cdi-api | Low
Product | jar | package name | enterprise | Highest
Product | Manifest | bundle-docurl | https://jakarta.ee | Low
Product | pom | artifactid | jakarta.enterprise.cdi-api | Highest
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | pom | organization url | https://jakarta.ee | Low
Product | pom | url | http://cdi-spec.org | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | name | Jakarta CDI | High
Product | Manifest | bundle-symbolicname | jakarta.enterprise.cdi-api | Medium
Product | Manifest | Bundle-Name | Jakarta CDI | Medium
Product | pom | parent-artifactid | project | Medium
Product | pom | groupid | jakarta.enterprise | Highest
Product | file | name | jakarta.enterprise.cdi-api | High
Product | pom | organization name | Eclipse Foundation | Low
Version | file | version | 2.0.2 | High
Version | pom | parent-version | 2.0.2 | Low
Version | Manifest | Bundle-Version | 2.0.2 | High
Version | pom | version | 2.0.2 | Highest
jakarta.inject-api-1.0.jar
Description:
Jakarta Dependency Injection
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/jakarta/inject/jakarta.inject-api/1.0/jakarta.inject-api-1.0.jar
MD5: 2e07624f1dc24ee8f6cdd69b0aa99ba9
SHA1: 93164437046e06b4876e069b8e7a321a02f10a2d
SHA256: 3655ffdcdc058816632666a8bcbcf4bfd09751c6a77dedf70619f37294abb01f
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | javax | Low
Vendor | jar | package name | inject | Highest
Vendor | pom | groupid | jakarta.inject | Highest
Vendor | pom | name | Jakarta Dependency Injection | High
Vendor | jar | package name | inject | Low
Vendor | pom | parent-artifactid | project | Low
Vendor | pom | url | eclipse-ee4j/injection-api | Highest
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | file | name | jakarta.inject-api | High
Vendor | pom | artifactid | jakarta.inject-api | Low
Product | jar | package name | inject | Highest
Product | pom | groupid | jakarta.inject | Highest
Product | pom | name | Jakarta Dependency Injection | High
Product | pom | artifactid | jakarta.inject-api | Highest
Product | pom | parent-artifactid | project | Medium
Product | jar | package name | inject | Low
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | file | name | jakarta.inject-api | High
Product | pom | url | eclipse-ee4j/injection-api | High
Version | pom | version | 1.0 | Highest
Version | file | version | 1.0 | High
Version | pom | parent-version | 1.0 | Low
jakarta.interceptor-api-1.2.5.jar
Description:
Jakarta Interceptors defines a means of interposing on business method invocations and specific events—such as lifecycle events and timeout events—that occur on instances of Jakarta EE components and other managed classes.
License:
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/jenkins/.mvnrepository/jakarta/interceptor/jakarta.interceptor-api/1.2.5/jakarta.interceptor-api-1.2.5.jar
MD5: 69ab3deaef95f1a6522e7e828694ab14
SHA1: 20cbde692c555692ca835fb6ecb4a8c95acbe6e0
SHA256: 210c4f0a5a8f387457d58afa3982b9abdd28f0a891e6289b329a6d8cf2210299
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.interceptor-api | High
Vendor | Manifest | extension-name | javax.interceptor | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | jar | package name | javax | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | pom | artifactid | jakarta.interceptor-api | Low
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | Manifest | bundle-symbolicname | jakarta.interceptor-api | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | pom | groupid | jakarta.interceptor | Highest
Vendor | pom | url | eclipse-ee4j/interceptor-api | Highest
Vendor | jar | package name | interceptor | Highest
Vendor | jar | package name | interceptors | Highest
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | parent-artifactid | project | Low
Vendor | pom | name | Jakarta Interceptors | High
Product | file | name | jakarta.interceptor-api | High
Product | Manifest | extension-name | javax.interceptor | Medium
Product | jar | package name | javax | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | url | eclipse-ee4j/interceptor-api | High
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | Manifest | bundle-symbolicname | jakarta.interceptor-api | Medium
Product | pom | groupid | jakarta.interceptor | Highest
Product | pom | artifactid | jakarta.interceptor-api | Highest
Product | pom | parent-artifactid | project | Medium
Product | jar | package name | interceptors | Highest
Product | jar | package name | interceptor | Highest
Product | Manifest | Bundle-Name | Jakarta Interceptors | Medium
Product | pom | name | Jakarta Interceptors | High
Version | pom | version | 1.2.5 | Highest
Version | pom | parent-version | 1.2.5 | Low
Version | Manifest | Bundle-Version | 1.2.5 | High
Version | file | version | 1.2.5 | High
Version | Manifest | Implementation-Version | 1.2.5 | High
jakarta.mail-1.6.5.jar
Description:
Jakarta Mail API
License:
http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html, http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/jenkins/.mvnrepository/com/sun/mail/jakarta.mail/1.6.5/jakarta.mail-1.6.5.jar
MD5: 214c580ee5913b9c69926cec66919f64
SHA1: d08124137cf42397d00b71b5985fd1dc248ac07f
SHA256: f4b500a1dd9ffd03ed7d8b2062fa5fd10d5beca4c42611672764bf4365751b53
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.sun.mail | Highest
Vendor | jar | package name | sun | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | provider | Highest
Vendor | Manifest | extension-name | jakarta.mail | Medium
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest (hint) | specification-vendor | sun | Low
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | pom | parent-groupid | com.sun.mail | Medium
Vendor | Manifest | probe-provider-xml-file-names | META-INF/gfprobe-provider.xml | Medium
Vendor | Manifest | automatic-module-name | jakarta.mail | Medium
Vendor | pom | artifactid | jakarta.mail | Low
Vendor | Manifest (hint) | Implementation-Vendor | sun | High
Vendor | file | name | jakarta.mail | High
Vendor | pom | groupid | sun.mail | Highest
Vendor | Manifest | specification-vendor | Oracle | Low
Vendor | Manifest | Implementation-Vendor | Oracle | High
Vendor | jar (hint) | package name | oracle | Highest
Vendor | pom | name | Jakarta Mail API | High
Vendor | Manifest | bundle-symbolicname | com.sun.mail.jakarta.mail | Medium
Vendor | jar | package name | mail | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | pom | parent-artifactid | all | Low
Product | Manifest | Bundle-Name | Jakarta Mail API | Medium
Product | Manifest | specification-title | Jakarta Mail API Design Specification | Medium
Product | jar | package name | javax | Highest
Product | jar | package name | sun | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | jar | package name | provider | Highest
Product | Manifest | extension-name | jakarta.mail | Medium
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | parent-groupid | com.sun.mail | Medium
Product | Manifest | probe-provider-xml-file-names | META-INF/gfprobe-provider.xml | Medium
Product | Manifest | automatic-module-name | jakarta.mail | Medium
Product | jar | package name | version | Highest
Product | file | name | jakarta.mail | High
Product | Manifest | Implementation-Title | javax.mail | High
Product | pom | groupid | sun.mail | Highest
Product | pom | artifactid | jakarta.mail | Highest
Product | pom | name | Jakarta Mail API | High
Product | Manifest | bundle-symbolicname | com.sun.mail.jakarta.mail | Medium
Product | jar | package name | mail | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | pom | parent-artifactid | all | Medium
Version | Manifest | Bundle-Version | 1.6.5 | High
Version | Manifest | Implementation-Version | 1.6.5 | High
Version | pom | version | 1.6.5 | Highest
Version | file | version | 1.6.5 | High
jakarta.transaction-api-1.3.3.jar
Description:
Jakarta Transactions
License:
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/jenkins/.mvnrepository/jakarta/transaction/jakarta.transaction-api/1.3.3/jakarta.transaction-api-1.3.3.jar
MD5: cc45726045cc9a0728f803f9db4c90c4
SHA1: c4179d48720a1e87202115fbed6089bdc4195405
SHA256: 0b02a194dd04ee2e192dc9da9579e10955dd6e8ac707adfc91d92f119b0e67ab
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | javax | Highest
Vendor | pom | organization url | eclipse-ee4j | Medium
Vendor | pom | groupid | jakarta.transaction | Highest
Vendor | Manifest | extension-name | javax.transaction | Medium
Vendor | jar | package name | transaction | Highest
Vendor | Manifest | bundle-docurl | https://github.com/eclipse-ee4j | Low
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | Manifest | automatic-module-name | java.transaction | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | pom | name | ${extension.name} API | High
Vendor | Manifest | bundle-symbolicname | jakarta.transaction-api | Medium
Vendor | file | name | jakarta.transaction-api | High
Vendor | pom | artifactid | jakarta.transaction-api | Low
Vendor | pom | organization name | EE4J Community | High
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | parent-artifactid | project | Low
Vendor | pom | url | https://projects.eclipse.org/projects/ee4j.jta | Highest
Vendor | Manifest | Implementation-Vendor | EE4J Community | High
Product | jar | package name | javax | Highest
Product | pom | url | eclipse-ee4j | High
Product | pom | groupid | jakarta.transaction | Highest
Product | Manifest | extension-name | javax.transaction | Medium
Product | jar | package name | transaction | Highest
Product | Manifest | bundle-docurl | https://github.com/eclipse-ee4j | Low
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | Manifest | automatic-module-name | java.transaction | Medium
Product | pom | name | ${extension.name} API | High
Product | Manifest | bundle-symbolicname | jakarta.transaction-api | Medium
Product | file | name | jakarta.transaction-api | High
Product | Manifest | Bundle-Name | javax.transaction API | Medium
Product | pom | parent-artifactid | project | Medium
Product | pom | url | https://projects.eclipse.org/projects/ee4j.jta | Medium
Product | pom | organization name | EE4J Community | Low
Product | pom | artifactid | jakarta.transaction-api | Highest
Version | file | version | 1.3.3 | High
Version | pom | version | 1.3.3 | Highest
Version | Manifest | Implementation-Version | 1.3.3 | High
Version | Manifest | Bundle-Version | 1.3.3 | High
Version | pom | parent-version | 1.3.3 | Low

jakarta.validation-api-2.0.2.jar
Description: Jakarta Bean Validation API
License: Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/jakarta/validation/jakarta.validation-api/2.0.2/jakarta.validation-api-2.0.2.jar
MD5: 77501d529c1928c9bac2500cc9f93fb0
SHA1: 5eacc6522521f7eacb081f95cee1e231648461e7
SHA256: b42d42428f3d922c892a909fa043287d577c0c5b165ad9b7d568cebf87fc9ea4
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | jakarta.validation.jakarta.validation-api | Medium
Vendor | pom | artifactid | jakarta.validation-api | Low
Vendor | Manifest | automatic-module-name | java.validation | Medium
Vendor | file | name | jakarta.validation-api | High
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | name | Jakarta Bean Validation API | High
Vendor | pom | groupid | jakarta.validation | Highest
Vendor | jar | package name | validation | Highest
Vendor | pom | url | https://beanvalidation.org | Highest
Vendor | pom | parent-artifactid | project | Low
Product | Manifest | Bundle-Name | Jakarta Bean Validation API | Medium
Product | Manifest | bundle-symbolicname | jakarta.validation.jakarta.validation-api | Medium
Product | Manifest | automatic-module-name | java.validation | Medium
Product | file | name | jakarta.validation-api | High
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | name | Jakarta Bean Validation API | High
Product | jar | package name | validation | Highest
Product | pom | groupid | jakarta.validation | Highest
Product | pom | parent-artifactid | project | Medium
Product | pom | url | https://beanvalidation.org | Medium
Product | pom | artifactid | jakarta.validation-api | Highest
Version | file | version | 2.0.2 | High
Version | pom | parent-version | 2.0.2 | Low
Version | Manifest | Bundle-Version | 2.0.2 | High
Version | pom | version | 2.0.2 | Highest

java-semver-0.9.0.jar
Description: Java implementation of the SemVer Specification
License: The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/jenkins/.mvnrepository/com/github/zafarkhaja/java-semver/0.9.0/java-semver-0.9.0.jar
MD5: 9417096ff6a9db74db273abbda0f334e
SHA1: 59a83ca73c72a5e25b3f0b1bb305230a11000329
SHA256: 2218c73b40f9af98b570d084420c1b4a81332297bd7fc27ddd552e903be8e93c
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | zafarkhaja | Highest
Vendor | jar | package name | semver | Highest
Vendor | pom | name | Java SemVer | High
Vendor | jar | package name | github | Highest
Vendor | pom | groupid | com.github.zafarkhaja | Highest
Vendor | jar | package name | github | Low
Vendor | pom | url | zafarkhaja/jsemver | Highest
Vendor | pom | artifactid | java-semver | Low
Vendor | file | name | java-semver | High
Vendor | jar | package name | zafarkhaja | Low
Vendor | pom | groupid | github.zafarkhaja | Highest
Vendor | jar | package name | semver | Low
Product | jar | package name | zafarkhaja | Highest
Product | file | name | java-semver | High
Product | jar | package name | semver | Highest
Product | pom | artifactid | java-semver | Highest
Product | pom | name | Java SemVer | High
Product | jar | package name | github | Highest
Product | pom | url | zafarkhaja/jsemver | High
Product | jar | package name | zafarkhaja | Low
Product | pom | groupid | github.zafarkhaja | Highest
Product | jar | package name | semver | Low
Version | pom | version | 0.9.0 | Highest
Version | file | version | 0.9.0 | High

javax.servlet-api-3.0.1.jar
Description: Java.net - The Source for Java Technology Collaboration
License: CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/jenkins/.mvnrepository/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar
MD5: 3ef236ac4c24850cd54abff60be25f35
SHA1: 6bf0ebb7efd993e222fc1112377b5e92a13b38dd
SHA256: 377d8bde87ac6bc7f83f27df8e02456d5870bb78c832dac656ceacc28b016e56
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | organization name | GlassFish Community | High
Vendor | pom | artifactid | javax.servlet-api | Low
Vendor | jar | package name | javax | Highest
Vendor | pom | name | Java Servlet API | High
Vendor | pom | url | http://servlet-spec.java.net | Highest
Vendor | pom | groupid | javax.servlet | Highest
Vendor | Manifest | bundle-docurl | https://glassfish.dev.java.net | Low
Vendor | Manifest (hint) | specification-vendor | sun | Low
Vendor | jar | package name | servlet | Highest
Vendor | Manifest | Implementation-Vendor | GlassFish Community | High
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | pom | parent-groupid | net.java | Medium
Vendor | Manifest | specification-vendor | Oracle | Low
Vendor | Manifest | extension-name | javax.servlet | Medium
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | pom | organization url | https://glassfish.dev.java.net | Medium
Vendor | file | name | javax.servlet-api | High
Vendor | Manifest | bundle-symbolicname | javax.servlet-api | Medium
Product | Manifest | Bundle-Name | Java Servlet API | Medium
Product | pom | url | http://servlet-spec.java.net | Medium
Product | jar | package name | javax | Highest
Product | pom | name | Java Servlet API | High
Product | pom | artifactid | javax.servlet-api | Highest
Product | Manifest | bundle-docurl | https://glassfish.dev.java.net | Low
Product | pom | groupid | javax.servlet | Highest
Product | jar | package name | servlet | Highest
Product | pom | parent-groupid | net.java | Medium
Product | pom | organization name | GlassFish Community | Low
Product | Manifest | specification-title | Java(TM) Servlet API Design Specification | Medium
Product | Manifest | extension-name | javax.servlet | Medium
Product | file | name | javax.servlet-api | High
Product | Manifest | bundle-symbolicname | javax.servlet-api | Medium
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | organization url | https://glassfish.dev.java.net | Low
Version | Manifest | Bundle-Version | 3.0.1 | High
Version | pom | parent-version | 3.0.1 | Low
Version | pom | version | 3.0.1 | Highest
Version | Manifest | Implementation-Version | 3.0.1 | High
Version | file | version | 3.0.1 | High

jaxb-runtime-2.3.3-b02.jar
Description: JAXB (JSR 222) Reference Implementation
License: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/jenkins/.mvnrepository/org/glassfish/jaxb/jaxb-runtime/2.3.3-b02/jaxb-runtime-2.3.3-b02.jar
MD5: c69f091f7cc9b0ff7bdd7ce3e9e57cd4
SHA1: 45d805cdfa1cff8c8ff707f855434a330b1bbf9d
SHA256: a66c28a3f74a6ee1b4a91cb83cc83206b68831bf00a7f146742fee0cf37ff969
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Vendor | Manifest | multi-release | true | Low
Vendor | pom | groupid | org.glassfish.jaxb | Highest
Vendor | Manifest | bundle-symbolicname | org.glassfish.jaxb.runtime | Medium
Vendor | pom | name | JAXB Runtime | High
Vendor | pom | artifactid | jaxb-runtime | Low
Vendor | Manifest | Implementation-Vendor | Eclipse Foundation | High
Vendor | pom | groupid | glassfish.jaxb | Highest
Vendor | jar | package name | xml | Highest
Vendor | jar | package name | sun | Highest
Vendor | file | name | jaxb-runtime | High
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | com | Highest
Vendor | pom | parent-artifactid | jaxb-runtime-parent | Low
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish.jaxb | Medium
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest | git-revision | 31fcc6e | Low
Vendor | jar | package name | bind | Highest
Vendor | Manifest | implementation-build-id | 2.3.3-b02 - 2.3.3-b02-RI-RELEASE-31fcc6e, 2019-12-02T12:53:05+0000 | Low
Product | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Product | Manifest | multi-release | true | Low
Product | Manifest | bundle-symbolicname | org.glassfish.jaxb.runtime | Medium
Product | pom | name | JAXB Runtime | High
Product | jar | package name | xml | Highest
Product | pom | groupid | glassfish.jaxb | Highest
Product | Manifest | Bundle-Name | JAXB Runtime | Medium
Product | jar | package name | sun | Highest
Product | file | name | jaxb-runtime | High
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | pom | artifactid | jaxb-runtime | Highest
Product | pom | parent-artifactid | jaxb-runtime-parent | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | com | Highest
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | Implementation-Title | Jakarta XML Binding Implementation | High
Product | Manifest | specification-title | Jakarta XML Binding | Medium
Product | Manifest | git-revision | 31fcc6e | Low
Product | jar | package name | bind | Highest
Product | Manifest | implementation-build-id | 2.3.3-b02 - 2.3.3-b02-RI-RELEASE-31fcc6e, 2019-12-02T12:53:05+0000 | Low
Version | Manifest | build-id | 2.3.3-b02 | Medium
Version | pom | version | 2.3.3-b02 | Highest
Version | Manifest | Implementation-Version | 2.3.3-b02 | High

jaxp-api-1.4.jar
File Path: /home/jenkins/.mvnrepository/javax/xml/parsers/jaxp-api/1.4/jaxp-api-1.4.jar
MD5: 0750e02841d6410dea4b2566b3168234
SHA1: de89f04bd13f5b24ce02b505a976d549335e4ecc
SHA256: 9a45fed764520cd61adb7e47b2c4057f3398f51fca2351b53df1dea1d29a00f0
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jaxp-api | Low
Vendor | file | name | jaxp-api | High
Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | xml | Highest
Vendor | Manifest | implementation-url | http://java.sun.com/xml/jaxp | Low
Vendor | Manifest | Implementation-Vendor | Sun Microsystems, Inc. | High
Vendor | jar | package name | parsers | Highest
Vendor | pom | groupid | javax.xml.parsers | Highest
Product | file | name | jaxp-api | High
Product | jar | package name | xml | Highest
Product | jar | package name | javax | Highest
Product | Manifest | Implementation-Title | JSR 206 Java(TM) API for XML Processing 1.4 | High
Product | Manifest | implementation-url | http://java.sun.com/xml/jaxp | Low
Product | pom | artifactid | jaxp-api | Highest
Product | jar | package name | parsers | Highest
Product | Manifest | specification-title | JSR 206 Java(TM) API for XML Processing 1.4 | Medium
Product | pom | groupid | javax.xml.parsers | Highest
Version | file | version | 1.4 | High
Version | pom | version | 1.4 | Highest

jaxp-ri-1.4.jar
File Path: /home/jenkins/.mvnrepository/com/sun/org/apache/jaxp-ri/1.4/jaxp-ri-1.4.jar
MD5: 01b055250b26cf524695526ef9c5a668
SHA1: 30525b6b3083c9fc2cdb35ab9f874a796203a942
SHA256: 1815fc4d6f3af68f8342d76de57e268ef53adb27c10a2acd443e7c5def5d881e
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | Sun Microsystems Inc. | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | groupid | sun.org.apache | Highest
Vendor | jar | package name | sun | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | file | name | jaxp-ri | High
Vendor | jar | package name | org | Highest
Vendor | pom | groupid | com.sun.org.apache | Highest
Vendor | pom | artifactid | jaxp-ri | Low
Product | Manifest | specification-title | Java API for XML Processing | Medium
Product | jar | package name | xml | Highest
Product | jar | package name | apache | Highest
Product | pom | groupid | sun.org.apache | Highest
Product | jar | package name | sun | Highest
Product | file | name | jaxp-ri | High
Product | jar | package name | org | Highest
Product | pom | artifactid | jaxp-ri | Highest
Version | file | version | 1.4 | High
Version | Manifest | specification-version | 1.4 | High
Version | pom | version | 1.4 | Highest

jboss-jaxb-api_2.3_spec-2.0.0.Final.jar
Description: Jakarta XML Binding API 2.3 Design Specification
License: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /home/jenkins/.mvnrepository/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec/2.0.0.Final/jboss-jaxb-api_2.3_spec-2.0.0.Final.jar
MD5: 3f3c17761bb0bc98b82b3cfb9311660b
SHA1: 1d2b5404a556a4aeddde8a9676cec8ee01b4e0a0
SHA256: f73f5832acef810d4d72da3b04378b6a70b72e955fdb0315591f0115c3ee701b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.spec.javax.xml.bind | Medium
Vendor | Manifest | originally-created-by | 1.8.0_152 (Oracle Corporation) | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | xml | Highest
Vendor | jar | package name | jaxb | Highest
Vendor | Manifest | extension-name | jakarta.xml.bind | Medium
Vendor | pom | parent-groupid | org.jboss.spec.javax.xml.bind | Medium
Vendor | Manifest | bundle-symbolicname | org.jboss.spec.javax.xml.bind.jboss-jaxb-api_2.3_spec | Medium
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | Manifest | implementation-url | https://github.com/eclipse-ee4j/jaxb-api/jboss-jaxb-api_2.3_spec | Low
Vendor | pom | groupid | org.jboss.spec.javax.xml.bind | Highest
Vendor | file | name | jboss-jaxb-api_2.3_spec-2.0.0.Final | High
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | jar | package name | bind | Highest
Vendor | Manifest | os-name | Linux | Medium
Vendor | Manifest | implementation-build-id | UNKNOWN-646c629bd4653190d875ca5f0424f5383f75bce3, 1568202678119 | Low
Vendor | pom | parent-artifactid | jboss-jaxb-api_2.3_spec-parent | Low
Vendor | Manifest | multi-release | true | Low
Vendor | pom | name | Jakarta XML Binding API | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | groupid | jboss.spec.javax.xml.bind | Highest
Vendor | Manifest | automatic-module-name | java.xml.bind | Medium
Vendor | pom | artifactid | jboss-jaxb-api_2.3_spec | Low
Product | Manifest | Bundle-Name | Jakarta XML Binding API | Medium
Product | Manifest | originally-created-by | 1.8.0_152 (Oracle Corporation) | Low
Product | Manifest | multi-release | true | Low
Product | pom | name | Jakarta XML Binding API | High
Product | jar | package name | javax | Highest
Product | jar | package name | xml | Highest
Product | jar | package name | jaxb | Highest
Product | Manifest | extension-name | jakarta.xml.bind | Medium
Product | Manifest | os-arch | amd64 | Low
Product | pom | parent-groupid | org.jboss.spec.javax.xml.bind | Medium
Product | Manifest | bundle-symbolicname | org.jboss.spec.javax.xml.bind.jboss-jaxb-api_2.3_spec | Medium
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | Manifest | Implementation-Title | Jakarta XML Binding API | High
Product | pom | groupid | jboss.spec.javax.xml.bind | Highest
Product | pom | parent-artifactid | jboss-jaxb-api_2.3_spec-parent | Medium
Product | Manifest | implementation-url | https://github.com/eclipse-ee4j/jaxb-api/jboss-jaxb-api_2.3_spec | Low
Product | pom | artifactid | jboss-jaxb-api_2.3_spec | Highest
Product | Manifest | automatic-module-name | java.xml.bind | Medium
Product | file | name | jboss-jaxb-api_2.3_spec-2.0.0.Final | High
Product | Manifest | specification-title | Jakarta XML Binding API | Medium
Product | jar | package name | bind | Highest
Product | Manifest | os-name | Linux | Medium
Product | Manifest | implementation-build-id | UNKNOWN-646c629bd4653190d875ca5f0424f5383f75bce3, 1568202678119 | Low
Version | Manifest | Bundle-Version | 2.0.0.Final | High
Version | pom | version | 2.0.0.Final | Highest

jboss-jaxrs-api_2.1_spec-2.0.1.Final.jar
Description: Jakarta API for RESTful Web Services
License:
  EPL 2.0: http://www.eclipse.org/legal/epl-2.0
  GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/jenkins/.mvnrepository/org/jboss/spec/javax/ws/rs/jboss-jaxrs-api_2.1_spec/2.0.1.Final/jboss-jaxrs-api_2.1_spec-2.0.1.Final.jar
MD5: 35b4d1b6b5f70f01c108c6b2349e4635
SHA1: 75cdeb26ccf87bc6f9d0f31b5ec4d80aa15b662c
SHA256: 3518db0a3980aacfdae916f0eb081d0fcefaa2076d2ba603edc779a601d2d1a4
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | bundle-symbolicname | org.jboss.spec.javax.ws.rs.jboss-jaxrs-api_2.1_spec | Medium
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | rs | Highest
Vendor | hint analyzer | vendor | web services | Medium
Vendor | Manifest | extension-name | javax.ws.rs | Medium
Vendor | Manifest | implementation-url | http://www.jboss.org/jboss-jaxrs-api_2.1_spec | Low
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.spec.javax.ws.rs | Medium
Vendor | Manifest | automatic-module-name | java.ws.rs | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | file | name | jboss-jaxrs-api_2.1_spec-2.0.1.Final | High
Vendor | pom | name | jboss-jakarta-jaxrs-api_spec | High
Vendor | pom | groupid | org.jboss.spec.javax.ws.rs | Highest
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | parent-artifactid | jboss-parent | Low
Vendor | pom | groupid | jboss.spec.javax.ws.rs | Highest
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | parent-groupid | org.jboss | Medium
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | artifactid | jboss-jaxrs-api_2.1_spec | Low
Vendor | jar | package name | ws | Highest
Product | Manifest | bundle-symbolicname | org.jboss.spec.javax.ws.rs.jboss-jaxrs-api_2.1_spec | Medium
Product | pom | parent-artifactid | jboss-parent | Medium
Product | pom | artifactid | jboss-jaxrs-api_2.1_spec | Highest
Product | jar | package name | javax | Highest
Product | pom | groupid | jboss.spec.javax.ws.rs | Highest
Product | jar | package name | rs | Highest
Product | Manifest | extension-name | javax.ws.rs | Medium
Product | Manifest | os-arch | amd64 | Low
Product | pom | parent-groupid | org.jboss | Medium
Product | Manifest | implementation-url | http://www.jboss.org/jboss-jaxrs-api_2.1_spec | Low
Product | hint analyzer | product | web services | Medium
Product | Manifest | automatic-module-name | java.ws.rs | Medium
Product | Manifest | specification-title | jboss-jakarta-jaxrs-api_spec | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | file | name | jboss-jaxrs-api_2.1_spec-2.0.1.Final | High
Product | pom | name | jboss-jakarta-jaxrs-api_spec | High
Product | Manifest | Bundle-Name | jboss-jakarta-jaxrs-api_spec | Medium
Product | Manifest | Implementation-Title | jboss-jakarta-jaxrs-api_spec | High
Product | jar | package name | ws | Highest
Product | Manifest | os-name | Linux | Medium
Version | Manifest | Implementation-Version | 2.0.1.Final | High
Version | pom | version | 2.0.1.Final | Highest
Version | Manifest | Bundle-Version | 2.0.1.Final | High
Version | pom | parent-version | 2.0.1.Final | Low

jboss-logging-3.4.1.Final.jar
Description: The JBoss Logging Framework
License: Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/jboss/logging/jboss-logging/3.4.1.Final/jboss-logging-3.4.1.Final.jar
MD5: 52ee373b84e39570c78c0815006375bc
SHA1: 40fd4d696c55793e996d1ff3c475833f836c2498
SHA256: 8efe877d93e5e1057a1388b2950503b88b0c28447364fde08adbec61e524eeb8
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | org.jboss.logging.jboss-logging | Medium
Vendor | Manifest | automatic-module-name | org.jboss.logging | Medium
Vendor | pom | groupid | org.jboss.logging | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | file | name | jboss-logging | High
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | artifactid | jboss-logging | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | parent-groupid | org.jboss | Medium
Vendor | jar | package name | logging | Highest
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | name | JBoss Logging 3 | High
Vendor | pom | groupid | jboss.logging | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | jar | package name | jboss | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.logging | Medium
Vendor | pom | url | http://www.jboss.org | Highest
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | parent-artifactid | jboss-parent | Low
Vendor | Manifest | implementation-url | http://www.jboss.org | Low
Product | Manifest | bundle-symbolicname | org.jboss.logging.jboss-logging | Medium
Product | Manifest | automatic-module-name | org.jboss.logging | Medium
Product | file | name | jboss-logging | High
Product | pom | parent-artifactid | jboss-parent | Medium
Product | pom | url | http://www.jboss.org | Medium
Product | Manifest | os-arch | amd64 | Low
Product | pom | parent-groupid | org.jboss | Medium
Product | jar | package name | logging | Highest
Product | pom | name | JBoss Logging 3 | High
Product | pom | groupid | jboss.logging | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | jboss-logging | Highest
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | jar | package name | jboss | Highest
Product | Manifest | specification-title | JBoss Logging 3 | Medium
Product | Manifest | Bundle-Name | JBoss Logging 3 | Medium
Product | Manifest | Implementation-Title | JBoss Logging 3 | High
Product | Manifest | os-name | Linux | Medium
Product | Manifest | implementation-url | http://www.jboss.org | Low
Version | Manifest | Bundle-Version | 3.4.1.Final | High
Version | Manifest | Implementation-Version | 3.4.1.Final | High
Version | pom | version | 3.4.1.Final | Highest
Version | pom | parent-version | 3.4.1.Final | Low

jboss-logging-annotations-2.2.0.Final.jar
License: Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/jboss/logging/jboss-logging-annotations/2.2.0.Final/jboss-logging-annotations-2.2.0.Final.jar
MD5: 7b79bfac07b7609b9db617c4b512d07b
SHA1: b31586bf15ac7a1f778383ce01bfc2f952a583df
SHA256: 4bbbfae211d93399c64cde413d428e6fb21507cd45006b680b44adffe1e73168
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.jboss.logging | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | jar | package name | logging | Highest
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | Manifest | implementation-url | http://www.jboss.org/jboss-logging-tools-parent/jboss-logging-annotations | Low
Vendor | pom | name | JBoss Logging I18n Annotations | High
Vendor | pom | groupid | jboss.logging | Highest
Vendor | pom | parent-artifactid | jboss-logging-tools-parent | Low
Vendor | file | name | jboss-logging-annotations | High
Vendor | jar | package name | jboss | Highest
Vendor | jar | package name | annotations | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.logging | Medium
Vendor | pom | artifactid | jboss-logging-annotations | Low
Vendor | pom | parent-groupid | org.jboss.logging | Medium
Vendor | Manifest | os-name | Linux | Medium
Product | Manifest | Implementation-Title | JBoss Logging I18n Annotations | High
Product | Manifest | os-arch | amd64 | Low
Product | jar | package name | logging | Highest
Product | Manifest | implementation-url | http://www.jboss.org/jboss-logging-tools-parent/jboss-logging-annotations | Low
Product | pom | parent-artifactid | jboss-logging-tools-parent | Medium
Product | pom | name | JBoss Logging I18n Annotations | High
Product | pom | groupid | jboss.logging | Highest
Product | file | name | jboss-logging-annotations | High
Product | Manifest | specification-title | JBoss Logging I18n Annotations | Medium
Product | jar | package name | jboss | Highest
Product | jar | package name | annotations | Highest
Product | pom | parent-groupid | org.jboss.logging | Medium
Product | Manifest | os-name | Linux | Medium
Product | pom | artifactid | jboss-logging-annotations | Highest
Version | pom | version | 2.2.0.Final | Highest
Version | Manifest | Implementation-Version | 2.2.0.Final | High

jboss-logmanager-embedded-1.0.9.jar
Description: An implementation of java.util.logging.LogManager
License: Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/jboss/logmanager/jboss-logmanager-embedded/1.0.9/jboss-logmanager-embedded-1.0.9.jar
MD5: f836e2ebe3caff382b6510bdc7696d4f
SHA1: 82dca66a02351432a1c567ff3ffae6ebb7a41293
SHA256: a0469a0789d7643d3e3b7537a8d074fa76f5ae96a0177fde24ff8857bbe4cd70
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | multi-release | true | Low
Vendor | pom | groupid | org.jboss.logmanager | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | jar | package name | logmanager | Highest
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | org | Highest
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | parent-groupid | org.jboss | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | Manifest | implementation-url | http://www.jboss.org/jboss-logmanager-embedded | Low
Vendor | file | name | jboss-logmanager-embedded | High
Vendor | jar | package name | jboss | Highest
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | pom | groupid | jboss.logmanager | Highest
Vendor | pom | artifactid | jboss-logmanager-embedded | Low
Vendor | pom | parent-artifactid | jboss-parent-mr-jar | Low
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.logmanager | Medium
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | name | JBoss Log Manager (Embedded) | High
Product | pom | parent-artifactid | jboss-parent-mr-jar | Medium
Product | Manifest | multi-release | true | Low
Product | jar | package name | logmanager | Highest
Product | jar | package name | org | Highest
Product | Manifest | os-arch | amd64 | Low
Product | pom | parent-groupid | org.jboss | Medium
Product | pom | artifactid | jboss-logmanager-embedded | Highest
Product | Manifest | implementation-url | http://www.jboss.org/jboss-logmanager-embedded | Low
Product | file | name | jboss-logmanager-embedded | High
Product | jar | package name | jboss | Highest
Product | Manifest | Implementation-Title | JBoss Log Manager (Embedded) | High
Product | pom | groupid | jboss.logmanager | Highest
Product | Manifest | specification-title | JBoss Log Manager (Embedded) | Medium
Product | Manifest | os-name | Linux | Medium
Product | pom | name | JBoss Log Manager (Embedded) | High
Version | Manifest | Implementation-Version | 1.0.9 | High
Version | pom | version | 1.0.9 | Highest
Version | pom | parent-version | 1.0.9 | Low
Version | file | version | 1.0.9 | High

jboss-threads-3.2.0.Final.jar
License: Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/jboss/threads/jboss-threads/3.2.0.Final/jboss-threads-3.2.0.Final.jar
MD5: 1e798e43004b91954d4787a68d320a02
SHA1: abe066ccb4a9b77c28da3293e3a342c10953bde7
SHA256: bbe82cab53c59e2aa8cad10c56e87e2c8986bc882928daa44500304fd94ef43f
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.threads | Medium
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | groupid | jboss.threads | Highest
Vendor | jar | package name | org | Highest
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | parent-groupid | org.jboss | Medium
Vendor | Manifest | implementation-url | http://www.jboss.org/jboss-threads | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | threads | Highest
Vendor | pom | name | JBoss Threads | High
Vendor | pom | groupid | org.jboss.threads | Highest
Vendor | jar | package name | jboss | Highest
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | pom | artifactid | jboss-threads | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | parent-artifactid | jboss-parent | Low
Vendor | file | name | jboss-threads | High
Product | Manifest | multi-release | true | Low
Product | Manifest | Implementation-Title | JBoss Threads | High
Product | pom | parent-artifactid | jboss-parent | Medium
Product | pom | artifactid | jboss-threads | Highest
Product | pom | groupid | jboss.threads | Highest
Product | jar | package name | org | Highest
Product | Manifest | os-arch | amd64 | Low
Product | pom | parent-groupid | org.jboss | Medium
Product | Manifest | implementation-url | http://www.jboss.org/jboss-threads | Low
Product | jar | package name | threads | Highest
Product | pom | name | JBoss Threads | High
Product | jar | package name | jboss | Highest
Product | Manifest | specification-title | JBoss Threads | Medium
Product | Manifest | os-name | Linux | Medium
Product | file | name | jboss-threads | High
Version | pom | version | 3.2.0.Final | Highest
Version | Manifest | Implementation-Version | 3.2.0.Final | High
Version | pom | parent-version | 3.2.0.Final | Low

jcabi-log-0.14.jar
Description: Wrapper of SLF4J and a few supplementary logging classes
File Path: /home/jenkins/.mvnrepository/com/jcabi/jcabi-log/0.14/jcabi-log-0.14.jar
MD5: 97dec163607c73d993e787c6ec4f7319
SHA1: 819a57348f2448f01d74f8a317dab61d6a90cac2
SHA256: 095815157128766570462d1df4cd7377a493427e6e0b88b9cd8ca0e9870951d3
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jcabi-log | High
Vendor | jar | package name | jcabi | Highest
Vendor | Manifest | jcabi-date | 2014-07-02 11:40 | Low
Vendor | Manifest | jcabi-build | 5656292 | Low
Vendor | pom | parent-groupid | com.jcabi | Medium
Vendor | pom | name | jcabi-log | High
Vendor | pom | groupid | jcabi | Highest
Vendor | pom | artifactid | jcabi-log | Low
Vendor | pom | parent-artifactid | jcabi | Low
Vendor | jar | package name | log | Highest
Vendor | pom | groupid | com.jcabi | Highest
Product | file | name | jcabi-log | High
Product | jar | package name | jcabi | Highest
Product | Manifest | jcabi-date | 2014-07-02 11:40 | Low
Product | Manifest | jcabi-build | 5656292 | Low
Product | pom | parent-groupid | com.jcabi | Medium
Product | pom | name | jcabi-log | High
Product | pom | groupid | jcabi | Highest
Product | jar | package name | log | Highest
Product | pom | artifactid | jcabi-log | Highest
Product | pom | parent-artifactid | jcabi | Medium
Version | Manifest | jcabi-version | 0.14 | Medium
Version | file | version | 0.14 | High
Version | pom | parent-version | 0.14 | Low
Version | pom | version | 0.14 | Highest

jcabi-manifests-1.1.jar
Description: Manager of MANIFEST.MF files
File Path: /home/jenkins/.mvnrepository/com/jcabi/jcabi-manifests/1.1/jcabi-manifests-1.1.jar
MD5: ee7b95ad068f3ef49421aef7457b7e04
SHA1: e4f4488c0e3905c6fab287aca2569928fe1712df
SHA256: ffa9717ad78e630f210ecbe06c7108039ddaf6109725c2a139ef5d572b95c849
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | jcabi | Highest
Vendor | pom | parent-groupid | com.jcabi | Medium
Vendor | Manifest | jcabi-date | 2014-10-07 11:52 | Low
Vendor | pom | groupid | jcabi | Highest
Vendor | pom | parent-artifactid | jcabi | Low
Vendor | pom | name | jcabi-manifests | High
Vendor | file | name | jcabi-manifests | High
Vendor | pom | artifactid | jcabi-manifests | Low
Vendor | pom | groupid | com.jcabi | Highest
Vendor | Manifest | jcabi-build | 07b37a7 | Low
Vendor | jar | package name | manifests | Highest
Product | jar | package name | jcabi | Highest
Product | pom | parent-groupid | com.jcabi | Medium
Product | Manifest | jcabi-date | 2014-10-07 11:52 | Low
Product | pom | groupid | jcabi | Highest
Product | pom | name | jcabi-manifests | High
Product | file | name | jcabi-manifests | High
Product | Manifest | jcabi-build | 07b37a7 | Low
Product | jar | package name | manifests | Highest
Product | pom | parent-artifactid | jcabi | Medium
Product | pom | artifactid | jcabi-manifests | Highest
Version | pom | version | 1.1 | Highest
Version | Manifest | jcabi-version | 1.1 | Medium
Version | pom | parent-version | 1.1 | Low
Version | file | version | 1.1 | High

jcip-annotations-1.0-1.jar
Description: A clean room implementation of the JCIP Annotations based entirely on the specification provided by the javadocs.
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/github/stephenc/jcip/jcip-annotations/1.0-1/jcip-annotations-1.0-1.jar
MD5: d62dbfa8789378457ada685e2f614846
SHA1: ef31541dd28ae2cefdd17c7ebf352d93e9058c63
SHA256: 4fccff8382aafc589962c4edb262f6aa595e34f1e11e61057d1c6a96e8fc7323
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | net | Low
Vendor | pom | url | http://stephenc.github.com/jcip-annotations | Highest
Vendor | jar | package name | annotations | Highest
Vendor | file | name | jcip-annotations | High
Vendor | jar | package name | jcip | Low
Vendor | pom | artifactid | jcip-annotations | Low
Vendor | jar | package name | annotations | Low
Vendor | pom | groupid | github.stephenc.jcip | Highest
Vendor | pom | name | JCIP Annotations under Apache License | High
Vendor | pom | groupid | com.github.stephenc.jcip | Highest
Vendor | jar | package name | jcip | Highest
Product | pom | artifactid | jcip-annotations | Highest
Product | jar | package name | annotations | Highest
Product | file | name | jcip-annotations | High
Product | pom | url | http://stephenc.github.com/jcip-annotations | Medium
Product | jar | package name | jcip | Low
Product | jar | package name | annotations | Low
Product | pom | groupid | github.stephenc.jcip | Highest
Product | pom | name | JCIP Annotations under Apache License | High
Product | jar | package name | jcip | Highest
Version | pom | version | 1.0-1 | Highest
json-patch-1.9.jar
Description: JSON Patch (RFC 6902) and JSON Merge Patch (RFC 7386) implementation in Java
License:
Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.mvnrepository/com/github/fge/json-patch/1.9/json-patch-1.9.jar
MD5: 9df773c8904f39b05b6a8a6848804c96
SHA1: 0a4c3c97a0f5965dec15795acf40d3fbc897af4b
SHA256: 2d6acbda3675e6f25b7b4ab338317006865a8416a69c2b5e1cfa8b8209fc10a1
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | com.github.fge.json-patch | Medium
Vendor | pom | groupid | com.github.fge | Highest
Vendor | pom | artifactid | json-patch | Low
Vendor | jar | package name | github | Highest
Vendor | jar | package name | fge | Highest
Vendor | pom | name | json-patch | High
Vendor | file | name | json-patch | High
Vendor | pom | url | fge/json-patch | Highest
Vendor | pom | groupid | github.fge | Highest
Product | Manifest | bundle-symbolicname | com.github.fge.json-patch | Medium
Product | pom | url | fge/json-patch | High
Product | jar | package name | github | Highest
Product | jar | package name | fge | Highest
Product | pom | name | json-patch | High
Product | file | name | json-patch | High
Product | pom | artifactid | json-patch | Highest
Product | Manifest | Bundle-Name | json-patch | Medium
Product | pom | groupid | github.fge | Highest
Version | Manifest | Bundle-Version | 1.9 | High
Version | file | version | 1.9 | High
Version | pom | version | 1.9 | Highest
jsr305-3.0.2.jar
Description: JSR305 Annotations for Findbugs
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256: 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.google.code.findbugs | Highest
Vendor | pom | name | FindBugs-jsr305 | High
Vendor | Manifest | bundle-symbolicname | org.jsr-305 | Medium
Vendor | pom | url | http://findbugs.sourceforge.net/ | Highest
Vendor | file | name | jsr305 | High
Vendor | pom | groupid | google.code.findbugs | Highest
Vendor | pom | artifactid | jsr305 | Low
Product | pom | name | FindBugs-jsr305 | High
Product | Manifest | bundle-symbolicname | org.jsr-305 | Medium
Product | pom | artifactid | jsr305 | Highest
Product | Manifest | Bundle-Name | FindBugs-jsr305 | Medium
Product | file | name | jsr305 | High
Product | pom | groupid | google.code.findbugs | Highest
Product | pom | url | http://findbugs.sourceforge.net/ | Medium
Version | Manifest | Bundle-Version | 3.0.2 | High
Version | pom | version | 3.0.2 | Highest
Version | file | version | 3.0.2 | High
keycloak-admin-client-15.1.1.jar
File Path: /home/jenkins/.mvnrepository/org/keycloak/keycloak-admin-client/15.1.1/keycloak-admin-client-15.1.1.jar
MD5: 7c2c7058cacdd7084d0aad96abdd4b36
SHA1: 524ed77608f8b54c680d6df009d8686a25379a87
SHA256: dafebf682c134194ab0937336c81a97728a674b9febef8d0bcb5322a4d42c6a2
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | client | Highest
Vendor | jar | package name | keycloak | Highest
Vendor | pom | parent-artifactid | keycloak-integration-parent | Low
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | name | Keycloak Admin REST Client | High
Vendor | pom | parent-groupid | org.keycloak | Medium
Vendor | Manifest | java-vendor | Red Hat, Inc. | Medium
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | groupid | org.keycloak | Highest
Vendor | file | name | keycloak-admin-client | High
Vendor | pom | groupid | keycloak | Highest
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | implementation-url | http://keycloak.org/keycloak-integration-parent/keycloak-admin-client | Low
Vendor | jar | package name | admin | Highest
Vendor | pom | artifactid | keycloak-admin-client | Low
Vendor | Manifest | os-name | Linux | Medium
Product | jar | package name | client | Highest
Product | pom | artifactid | keycloak-admin-client | Highest
Product | Manifest | specification-title | Keycloak Admin REST Client | Medium
Product | jar | package name | keycloak | Highest
Product | pom | name | Keycloak Admin REST Client | High
Product | pom | parent-groupid | org.keycloak | Medium
Product | Manifest | os-arch | amd64 | Low
Product | pom | parent-artifactid | keycloak-integration-parent | Medium
Product | file | name | keycloak-admin-client | High
Product | pom | groupid | keycloak | Highest
Product | Manifest | Implementation-Title | Keycloak Admin REST Client | High
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | implementation-url | http://keycloak.org/keycloak-integration-parent/keycloak-admin-client | Low
Product | jar | package name | admin | Highest
Product | Manifest | os-name | Linux | Medium
Version | file | version | 15.1.1 | High
Version | pom | version | 15.1.1 | Highest
Version | Manifest | Implementation-Version | 15.1.1 | High
keycloak-common-15.1.1.jar
Description: Common library and dependencies shared with server and all adapters
License: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.mvnrepository/org/keycloak/keycloak-common/15.1.1/keycloak-common-15.1.1.jar
MD5: 0f22e447067e6adae868160ba135f19a
SHA1: e2260310c7644594fbcad4c6a20329d8914d4395
SHA256: 65d6084f8f984d1b70e6233b4341ade6c5213a2d98aaf4e7ec10ea4ca540661f
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | common | Highest
Vendor | jar | package name | keycloak | Highest
Vendor | pom | artifactid | keycloak-common | Low
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | parent-artifactid | keycloak-parent | Low
Vendor | pom | parent-groupid | org.keycloak | Medium
Vendor | Manifest | java-vendor | Red Hat, Inc. | Medium
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | groupid | org.keycloak | Highest
Vendor | pom | name | Keycloak Common | High
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | pom | groupid | keycloak | Highest
Vendor | Manifest | bundle-symbolicname | org.keycloak.keycloak-common | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.keycloak | Medium
Vendor | Manifest | implementation-url | http://keycloak.org/keycloak-common | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | file | name | keycloak-common | High
Product | jar | package name | common | Highest
Product | jar | package name | keycloak | Highest
Product | pom | parent-groupid | org.keycloak | Medium
Product | Manifest | Bundle-Name | Keycloak Common | Medium
Product | Manifest | os-arch | amd64 | Low
Product | pom | name | Keycloak Common | High
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | pom | groupid | keycloak | Highest
Product | Manifest | bundle-symbolicname | org.keycloak.keycloak-common | Medium
Product | pom | parent-artifactid | keycloak-parent | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | specification-title | Keycloak Common | Medium
Product | pom | artifactid | keycloak-common | Highest
Product | Manifest | Implementation-Title | Keycloak Common | High
Product | Manifest | implementation-url | http://keycloak.org/keycloak-common | Low
Product | Manifest | os-name | Linux | Medium
Product | file | name | keycloak-common | High
Version | file | version | 15.1.1 | High
Version | pom | version | 15.1.1 | Highest
Version | Manifest | Implementation-Version | 15.1.1 | High
Version | Manifest | Bundle-Version | 15.1.1 | High
keycloak-core-15.1.1.jar
License: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.mvnrepository/org/keycloak/keycloak-core/15.1.1/keycloak-core-15.1.1.jar
MD5: e2fc830ce749945f671a25738ffe8bbe
SHA1: e88eb5197d1d3aa9976bbda58f8e5e3de73a107b
SHA256: df63613f367af5f7f24225351fac842ab8746a111c152fba7b8c923154f26f29
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | org.keycloak.keycloak-core | Medium
Vendor | jar | package name | keycloak | Highest
Vendor | pom | name | Keycloak Core | High
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | parent-artifactid | keycloak-parent | Low
Vendor | pom | parent-groupid | org.keycloak | Medium
Vendor | Manifest | java-vendor | Red Hat, Inc. | Medium
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | groupid | org.keycloak | Highest
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | pom | artifactid | keycloak-core | Low
Vendor | Manifest | implementation-url | http://keycloak.org/keycloak-core | Low
Vendor | file | name | keycloak-core | High
Vendor | pom | groupid | keycloak | Highest
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.keycloak | Medium
Vendor | Manifest | os-name | Linux | Medium
Product | Manifest | bundle-symbolicname | org.keycloak.keycloak-core | Medium
Product | Manifest | specification-title | Keycloak Core | Medium
Product | jar | package name | keycloak | Highest
Product | pom | name | Keycloak Core | High
Product | pom | parent-groupid | org.keycloak | Medium
Product | Manifest | os-arch | amd64 | Low
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | Manifest | implementation-url | http://keycloak.org/keycloak-core | Low
Product | file | name | keycloak-core | High
Product | pom | groupid | keycloak | Highest
Product | pom | parent-artifactid | keycloak-parent | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | Implementation-Title | Keycloak Core | High
Product | pom | artifactid | keycloak-core | Highest
Product | Manifest | os-name | Linux | Medium
Product | Manifest | Bundle-Name | Keycloak Core | Medium
Version | file | version | 15.1.1 | High
Version | pom | version | 15.1.1 | Highest
Version | Manifest | Implementation-Version | 15.1.1 | High
Version | Manifest | Bundle-Version | 15.1.1 | High
kubernetes-client-5.3.2.jar
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-client/5.3.2/kubernetes-client-5.3.2.jar
MD5: 226416945fe9a626a2601c0662c1d023
SHA1: 47c46525e56237ad0204c02d63ebfa37b9162fb4
SHA256: 4c50b65a9c3ddd3fd562fd4cb62920e1fd5995ceeb77150a7b6be3f0b05ef515
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | kubernetes-client | High
Vendor | jar | package name | client | Highest
Vendor | pom | name | Fabric8 :: Kubernetes :: Java Client | High
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | parent-artifactid | kubernetes-client-project | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | kubernetes-client | Low
Vendor | jar | package name | io | Highest
Vendor | pom | groupid | io.fabric8 | Highest
Product | file | name | kubernetes-client | High
Product | jar | package name | client | Highest
Product | pom | name | Fabric8 :: Kubernetes :: Java Client | High
Product | jar | package name | kubernetes | Highest
Product | pom | artifactid | kubernetes-client | Highest
Product | pom | parent-artifactid | kubernetes-client-project | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | jar | package name | io | Highest
Product | pom | groupid | io.fabric8 | Highest
Version | pom | version | 5.3.2 | Highest
Version | file | version | 5.3.2 | High
kubernetes-model-admissionregistration-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-admissionregistration/5.3.1/kubernetes-model-admissionregistration-5.3.1.jar
MD5: 2ab85c7ac6a90ca15c9a979cb52c3281
SHA1: a2d32b6a3c3102d51e8e424145ac6f68f0dcd4fb
SHA256: 2b91b02289839ff36d7209161c95f144af4e1f08d6324200de85bb4c6ba8075b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-admissionregistration/ | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | pom | artifactid | kubernetes-model-admissionregistration | Low
Vendor | file | name | kubernetes-model-admissionregistration | High
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-admissionregistration | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-admissionregistration/ | Low
Product | jar | package name | fabric8 | Highest
Product | pom | artifactid | kubernetes-model-admissionregistration | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | file | name | kubernetes-model-admissionregistration | High
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-admissionregistration | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-apiextensions-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-apiextensions/5.3.1/kubernetes-model-apiextensions-5.3.1.jar
MD5: d28c5e08c71e7fc4c1b9fb22411862db
SHA1: 6b45425f96585115b1df72071c7d20184ecfcd7c
SHA256: 699ccec1c9055bc48c05a8658a9e6153a4e637068d45a4cda0e41d30b066e483
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apiextensions/ | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: API Extensions | High
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apiextensions | Medium
Vendor | pom | artifactid | kubernetes-model-apiextensions | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | file | name | kubernetes-model-apiextensions | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | jar | package name | api | Highest
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apiextensions/ | Low
Product | pom | artifactid | kubernetes-model-apiextensions | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: API Extensions | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | pom | name | Fabric8 :: Kubernetes Model :: API Extensions | High
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apiextensions | Medium
Product | jar | package name | kubernetes | Highest
Product | file | name | kubernetes-model-apiextensions | High
Product | jar | package name | api | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: API Extensions | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-apps-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-apps/5.3.1/kubernetes-model-apps-5.3.1.jar
MD5: 4360873ef7cf5ffe8fb49b0b4b59c319
SHA1: 3376792449a8898dbcd7105d24e9432403eafda6
SHA256: c2f415fc9f6d5b05f0139630b718828c61818523a284b1098568902e7b38586a
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Apps | High
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apps | Medium
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | artifactid | kubernetes-model-apps | Low
Vendor | file | name | kubernetes-model-apps | High
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apps/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Apps | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Apps | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Apps | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apps | Medium
Product | jar | package name | kubernetes | Highest
Product | pom | artifactid | kubernetes-model-apps | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | kubernetes-model-apps | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apps/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-autoscaling-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-autoscaling/5.3.1/kubernetes-model-autoscaling-5.3.1.jar
MD5: 6382dbc3d4bc4fa44d8bf2ee52f39473
SHA1: 3b2f5332fde5e59a4460b67bc907ea61dae6e326
SHA256: af3a4119d175fcca1dbcddc7143987bd1c5e7d6f564df182ee6ac4d49ad46c5d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | kubernetes-model-autoscaling | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | file | name | kubernetes-model-autoscaling | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-autoscaling | Medium
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Autoscaling | High
Vendor | pom | groupid | io.fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-autoscaling/ | Low
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Autoscaling | Medium
Product | file | name | kubernetes-model-autoscaling | High
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Autoscaling | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-autoscaling | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Autoscaling | High
Product | pom | artifactid | kubernetes-model-autoscaling | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-autoscaling/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-batch-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-batch/5.3.1/kubernetes-model-batch-5.3.1.jar
MD5: 907f860a03dbf20b5d66c04d9d7f15c0
SHA1: 18fd7b86db6662953badba43bba0c4da44b09ccb
SHA256: b6ca65fd01cd19954bb25beea0f07703b393cd1715b0045630acfee4a1096efa
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | kubernetes-model-batch | Low
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | file | name | kubernetes-model-batch | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-batch | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-batch/ | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Batch | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | file | name | kubernetes-model-batch | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-batch | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-batch/ | Low
Product | pom | artifactid | kubernetes-model-batch | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Batch | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Batch | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Batch | High
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-certificates-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-certificates/5.3.1/kubernetes-model-certificates-5.3.1.jar
MD5: 0623545e42ba0cb86cb52dfd51938642
SHA1: ba713c1facac7a402fd4c249dce348ab7bf3bfc6
SHA256: 76dfd4ba4cbf0d5b98f15b0296b61fab46ee4c4bb418b1a937aca111c187a12d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | kubernetes-model-certificates | Low
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Certificates | High
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-certificates/ | Low
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | file | name | kubernetes-model-certificates | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-certificates | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Certificates | High
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Certificates | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-certificates/ | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Certificates | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | artifactid | kubernetes-model-certificates | Highest
Product | file | name | kubernetes-model-certificates | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-certificates | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-common-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-common/5.3.1/kubernetes-model-common-5.3.1.jar
MD5: 90804583439a71e9dc2c4f77959d58e8
SHA1: 0873373f955c2b532ac3bd52db756e68e3851030
SHA256: 42469c5f6ba8069e7d1367c312525b7719783102486a3b5dad5cd6d133c82d8e
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | file | name | kubernetes-model-common | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-common | Medium
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Common | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-common | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | jar | package name | model | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | groupid | io.fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-common/ | Low
Product | file | name | kubernetes-model-common | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-common | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Common | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Common | Medium
Product | jar | package name | io | Highest
Product | jar | package name | model | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | kubernetes-model-common | Highest
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Common | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-common/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-coordination-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-coordination/5.3.1/kubernetes-model-coordination-5.3.1.jar
MD5: ce204cbfc55e4b58d3640b0572750de8
SHA1: cbf7fbc5210412732dbb8290b2257f5b0db745d5
SHA256: 7a6b8c8542aeaabf86508d851ac3969b41bb37fa72c1ebdbcb618960bf8368d9
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | file | name | kubernetes-model-coordination | High
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Coordination | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-coordination | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-coordination | Medium
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-coordination/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Coordination | Medium
Product | file | name | kubernetes-model-coordination | High
Product | pom | name | Fabric8 :: Kubernetes Model :: Coordination | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | kubernetes-model-coordination | Highest
Product | jar | package name | kubernetes | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-coordination | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Coordination | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-coordination/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-core-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-core/5.3.1/kubernetes-model-core-5.3.1.jar
MD5: c5c848f93b9267c759f05a2fd04d29a2
SHA1: 08054029a8a1b601cfd716b650e58992c8d382f5
SHA256: 73781b0551f7a45ee86dbce3532317214ff9e581b29e24a40c2566cfc4e10c5c
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-core/ | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | pom | artifactid | kubernetes-model-core | Low
Vendor | jar | package name | io | Highest
Vendor | file | name | kubernetes-model-core | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-core | Medium
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Core | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-core | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-core/ | Low
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | file | name | kubernetes-model-core | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Core | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Core | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-core | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Core | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-discovery-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-discovery/5.3.1/kubernetes-model-discovery-5.3.1.jar
MD5: 56534518ebda855a194569d05d3862b5
SHA1: 1d69799a2e84a2db46a47c73619d87034fe9071c
SHA256: 8bd2d2d2ed443072d021fdfc7f242f55652a6a6ab76422b5807cca65ee391f6e
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-discovery | Medium
Vendor | pom | artifactid | kubernetes-model-discovery | Low
Vendor | file | name | kubernetes-model-discovery | High
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Discovery | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-discovery/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Discovery | Medium
Product | jar | package name | io | Highest
Product | pom | artifactid | kubernetes-model-discovery | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-discovery | Medium
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Discovery | Medium
Product | file | name | kubernetes-model-discovery | High
Product | jar | package name | kubernetes | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Discovery | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-discovery/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-events-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-events/5.3.1/kubernetes-model-events-5.3.1.jar
MD5: 8e5236b5e00ff1175f4c2e7dc9f9201e
SHA1: 6b8b7ca782bbdd4a7e3b0f0b10d07636d07f1755
SHA256: fc0bd1921af79490a2a369c47aab6b5da26ef844601fc3585c5de7c8cfd97677
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Events | High
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | kubernetes-model-events | Low
Vendor | file | name | kubernetes-model-events | High
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-events/ | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-events | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-events | Highest
Product | jar | package name | fabric8 | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Events | High
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Events | Medium
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | kubernetes-model-events | High
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-events/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Events | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-events | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-extensions-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-extensions/5.3.1/kubernetes-model-extensions-5.3.1.jar
MD5: 3686af2a8a1331420308867af321edba
SHA1: 33b11a2e9c6834227d73a48e0263c3ba2482b7ad
SHA256: 0aeca92cf1350bf2aa5c1aa6585b3a21c02cb48b2086a53a1f890beccde3bb47
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Extensions | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-extensions | Low
Vendor | file | name | kubernetes-model-extensions | High
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-extensions/ | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-extensions | Medium
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Extensions | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Extensions | High
Product | pom | artifactid | kubernetes-model-extensions | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Extensions | Medium
Product | jar | package name | fabric8 | Highest
Product | file | name | kubernetes-model-extensions | High
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-extensions/ | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-extensions | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-metrics-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-metrics/5.3.1/kubernetes-model-metrics-5.3.1.jar
MD5: f6f4cfefa726a5d686d4e420abb23ed3
SHA1: fd63c29fc8c195044b25c96d4eee9408da4116a6
SHA256: 5c7854b3bbb293f7af7c4abb274b14f7fc0c37b94f97b55c71b1d6ca96317aed
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Metrics | High
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-metrics/ | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-metrics | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | file | name | kubernetes-model-metrics | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | artifactid | kubernetes-model-metrics | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-metrics | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Metrics | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-metrics/ | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Metrics | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-metrics | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | file | name | kubernetes-model-metrics | High
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Metrics | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-networking-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-networking/5.3.1/kubernetes-model-networking-5.3.1.jar
MD5: 42ba97f281248f62b9af1bbe32853600
SHA1: a91d4e941c4d1909168c77b3c9b331cde376b6ea
SHA256: bab503ae79156df400189cee437be475bc12b5bac4133d0461a6e0e1995b8dd1
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-networking | Medium
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-networking/ | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | kubernetes-model-networking | Low
Vendor | file | name | kubernetes-model-networking | High
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Networking | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Networking | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-networking | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-networking/ | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | kubernetes-model-networking | High
Product | jar | package name | kubernetes | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Networking | High
Product | pom | artifactid | kubernetes-model-networking | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Networking | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-node-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-node/5.3.1/kubernetes-model-node-5.3.1.jar
MD5: 5976ea1af20de2d8a78f8e82d402b92e
SHA1: cb0da2e02fa163b28e21bb429689a540efae10b6
SHA256: 295afe4cd0d7ab953056ebed15a479e88707af421e30ff31bf8e9d34ccd7384b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-node/ | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Node | High
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-node | Medium
Vendor | jar | package name | kubernetes | Highest
Vendor | file | name | kubernetes-model-node | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | artifactid | kubernetes-model-node | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-node/ | Low
Product | pom | name | Fabric8 :: Kubernetes Model :: Node | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Node | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-node | Medium
Product | jar | package name | kubernetes | Highest
Product | file | name | kubernetes-model-node | High
Product | pom | artifactid | kubernetes-model-node | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Node | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-policy-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-policy/5.3.1/kubernetes-model-policy-5.3.1.jar
MD5: f67052de69c31e47e8f0fd47683bdf76
SHA1: 68e49ecc663f6869cc15f987abfb2d3a99639fd8
SHA256: 57bea43842ad98822c75b479e51adbfd69d04f53ad963ad09080bb009ff099bd
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-policy/ | Low
Vendor | file | name | kubernetes-model-policy | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-policy | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Policy | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-policy | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-policy/ | Low
Product | file | name | kubernetes-model-policy | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | pom | artifactid | kubernetes-model-policy | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Policy | High
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Policy | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-policy | Medium
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Policy | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-rbac-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-rbac/5.3.1/kubernetes-model-rbac-5.3.1.jar
MD5: b10c079bdf6ce82d2239d822b4242cb5
SHA1: 617ab8115309f51f37ee8988a74649f3abfed479
SHA256: 46973ef711caf5451460993ab322b86f2c504a3ea2730c71e3c88d99c06eccf6
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | file | name | kubernetes-model-rbac | High
Vendor | pom | artifactid | kubernetes-model-rbac | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-rbac | Medium
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: RBAC | High
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-rbac/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-rbac | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | kubernetes-model-rbac | High
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: RBAC | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-rbac | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: RBAC | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-rbac/ | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: RBAC | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-scheduling-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-scheduling/5.3.1/kubernetes-model-scheduling-5.3.1.jar
MD5: 59a88846f29109d620abed09345eb437
SHA1: 938971ba59aa611e6edf9d5c48b89e7bdfb74821
SHA256: 3f2558d4ed97c7217f883712ad641fd73aec713df9f0b76aa3349811b8f54b2d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-scheduling | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-scheduling/ | Low
Vendor | pom | artifactid | kubernetes-model-scheduling | Low
Vendor | file | name | kubernetes-model-scheduling | High
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Scheduling | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-scheduling | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Scheduling | Medium
Product | pom | artifactid | kubernetes-model-scheduling | Highest
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-scheduling/ | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Scheduling | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | kubernetes-model-scheduling | High
Product | pom | name | Fabric8 :: Kubernetes Model :: Scheduling | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
kubernetes-model-storageclass-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-storageclass/5.3.1/kubernetes-model-storageclass-5.3.1.jar
MD5: f518536c72c632b99d10299c0754c62d
SHA1: 2cc4929a067a43355107dcd1b0118dda4dbc86a5
SHA256: 6eff7c11d175a9846cd8563af78cf3d3948e7f6b76e2cda2369861b13055c5d9
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Storage Class | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-storageclass | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-storageclass/ | Low
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | file | name | kubernetes-model-storageclass | High
Vendor | pom | artifactid | kubernetes-model-storageclass | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Storage Class | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Storage Class | High
Product | pom | artifactid | kubernetes-model-storageclass | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Storage Class | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-storageclass | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-storageclass/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | kubernetes-model-storageclass | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
Description:
An empty artifact that Guava depends on to signal that it is providing
ListenableFuture -- but is also available in a second "version" that
contains com.google.common.util.concurrent.ListenableFuture class, without
any other Guava classes. The idea is:
- If users want only ListenableFuture, they depend on listenablefuture-1.0.
- If users want all of Guava, they depend on guava, which, as of Guava
27.0, depends on
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
version number is enough for some build systems (notably, Gradle) to select
that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
conflict with the copy of ListenableFuture in guava itself. If users are
using an older version of Guava or a build system other than Gradle, they
may see class conflicts. If so, they can solve them by manually excluding
the listenablefuture artifact or manually forcing their build systems to
use 9999.0-....
File Path: /home/jenkins/.mvnrepository/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256: b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | parent-artifactid | guava-parent | Low
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | name | Guava ListenableFuture only | High
Vendor | pom | groupid | google.guava | Highest
Vendor | file | name | listenablefuture | High
Vendor | pom | parent-groupid | com.google.guava | Medium
Vendor | pom | artifactid | listenablefuture | Low
Product | pom | artifactid | listenablefuture | Highest
Product | pom | parent-artifactid | guava-parent | Medium
Product | pom | name | Guava ListenableFuture only | High
Product | pom | groupid | google.guava | Highest
Product | file | name | listenablefuture | High
Product | pom | parent-groupid | com.google.guava | Medium
Version | pom | version | 9999.0-empty-to-avoid-conflict-with-guava | Highest
Version | pom | parent-version | 9999.0-empty-to-avoid-conflict-with-guava | Low
logging-interceptor-3.12.1.jar
File Path: /home/jenkins/.mvnrepository/com/squareup/okhttp3/logging-interceptor/3.12.1/logging-interceptor-3.12.1.jar
MD5: 73b31646886b0efe515b3aad96d90077
SHA1: f0304756a8d9f745fd7de3f82a32090cf5b71166
SHA256: fa455a235aa7af3327babe3f0523a05dca76b71ec88c6d548fa92927efdf6cda
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | okhttp3 | Highest
Vendor | pom | parent-artifactid | parent | Low
Vendor | pom | name | OkHttp Logging Interceptor | High
Vendor | pom | groupid | squareup.okhttp3 | Highest
Vendor | file | name | logging-interceptor | High
Vendor | Manifest | automatic-module-name | okhttp3.logging | Medium
Vendor | pom | groupid | com.squareup.okhttp3 | Highest
Vendor | jar | package name | logging | Highest
Vendor | pom | artifactid | logging-interceptor | Low
Vendor | pom | parent-groupid | com.squareup.okhttp3 | Medium
Product | pom | artifactid | logging-interceptor | Highest
Product | jar | package name | okhttp3 | Highest
Product | pom | name | OkHttp Logging Interceptor | High
Product | pom | groupid | squareup.okhttp3 | Highest
Product | file | name | logging-interceptor | High
Product | Manifest | automatic-module-name | okhttp3.logging | Medium
Product | pom | parent-artifactid | parent | Medium
Product | jar | package name | logging | Highest
Product | pom | parent-groupid | com.squareup.okhttp3 | Medium
Version | pom | version | 3.12.1 | Highest
Version | file | version | 3.12.1 | High
microprofile-config-api-1.4.jar
Description: MicroProfile Config :: API
License: Apache License, Version 2.0
File Path: /home/jenkins/.mvnrepository/org/eclipse/microprofile/config/microprofile-config-api/1.4/microprofile-config-api-1.4.jar
MD5: b82dd24314981b5cf1c75ac2c92f477d
SHA1: 31e82390ef54f43070cdc361e010cef9beacff6a
SHA256: 5ceac3228290ce4c166869958019853c036b5c46c951756898fa20e8429cd470
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | Manifest | bundle-symbolicname | org.eclipse.microprofile.config | Medium
Vendor | pom | parent-groupid | org.eclipse.microprofile.config | Medium
Vendor | pom | groupid | eclipse.microprofile.config | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | pom | artifactid | microprofile-config-api | Low
Vendor | file | name | microprofile-config-api | High
Vendor | pom | groupid | org.eclipse.microprofile.config | Highest
Vendor | jar | package name | microprofile | Highest
Vendor | jar | package name | config | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | name | MicroProfile Config API | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | parent-artifactid | microprofile-config-parent | Low
Product | Manifest | bundle-symbolicname | org.eclipse.microprofile.config | Medium
Product | pom | parent-groupid | org.eclipse.microprofile.config | Medium
Product | pom | groupid | eclipse.microprofile.config | Highest
Product | jar | package name | eclipse | Highest
Product | file | name | microprofile-config-api | High
Product | jar | package name | microprofile | Highest
Product | jar | package name | config | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | name | MicroProfile Config API | High
Product | pom | parent-artifactid | microprofile-config-parent | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | microprofile-config-api | Highest
Product | Manifest | Bundle-Name | MicroProfile Config Bundle | Medium
Version | file | version | 1.4 | High
Version | pom | version | 1.4 | Highest
microprofile-context-propagation-api-1.0.1.jar
Description: MicroProfile Context Propagation :: API
File Path: /home/jenkins/.mvnrepository/org/eclipse/microprofile/context-propagation/microprofile-context-propagation-api/1.0.1/microprofile-context-propagation-api-1.0.1.jar
MD5: 7fa031f7effbfc699e51e0e6283b5340
SHA1: b7825e202a09dfb9dbb4b0e65b74237ab1fc6cec
SHA256: 1731627424ac020eb9f2fc3b82df8b984315387cdc0488bbf3f7a86eecfacb49
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | groupid | eclipse.microprofile.context-propagation | Highest
Vendor | jar | package name | context | Highest
Vendor | pom | artifactid | microprofile-context-propagation-api | Low
Vendor | pom | groupid | org.eclipse.microprofile.context-propagation | Highest
Vendor | file | name | microprofile-context-propagation-api | High
Vendor | jar | package name | eclipse | Highest
Vendor | pom | name | MicroProfile Context Propagation | High
Vendor | jar | package name | microprofile | Highest
Vendor | pom | parent-artifactid | microprofile-context-propagation-parent | Low
Vendor | jar | package name | context | Low
Vendor | pom | parent-groupid | org.eclipse.microprofile.context-propagation | Medium
Vendor | jar | package name | microprofile | Low
Vendor | jar | package name | eclipse | Low
Product | pom | groupid | eclipse.microprofile.context-propagation | Highest
Product | jar | package name | context | Highest
Product | file | name | microprofile-context-propagation-api | High
Product | jar | package name | eclipse | Highest
Product | pom | name | MicroProfile Context Propagation | High
Product | jar | package name | microprofile | Highest
Product | jar | package name | context | Low
Product | pom | parent-groupid | org.eclipse.microprofile.context-propagation | Medium
Product | jar | package name | microprofile | Low
Product | pom | parent-artifactid | microprofile-context-propagation-parent | Medium
Product | pom | artifactid | microprofile-context-propagation-api | Highest
Product | jar | package name | spi | Low
Version | pom | version | 1.0.1 | Highest
Version | file | version | 1.0.1 | High
msg-simple-1.1.jar
Description: null
License:
Lesser General Public License, version 3 or greater: http://www.gnu.org/licenses/lgpl.html
Apache Software License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/jenkins/.mvnrepository/com/github/fge/msg-simple/1.1/msg-simple-1.1.jar
MD5: b0d8d70468edff2e223b3d2f07cc5de1
SHA1: f261263e13dd4cfa93cc6b83f1f58f619097a2c4
SHA256: c3c5add3971a9a7f1868beb7607780d73f36bb611c7505de01f1baf49ab4ff75
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | url | fge/msg-simple | Highest
Vendor | file | name | msg-simple | High
Vendor | pom | name | null | High
Vendor | pom | groupid | com.github.fge | Highest
Vendor | jar | package name | github | Highest
Vendor | jar | package name | fge | Highest
Vendor | pom | artifactid | msg-simple | Low
Vendor | Manifest | bundle-symbolicname | com.github.fge.msg-simple | Medium
Vendor | pom | groupid | github.fge | Highest
Product | file | name | msg-simple | High
Product | pom | name | null | High
Product | pom | url | fge/msg-simple | High
Product | jar | package name | github | Highest
Product | jar | package name | fge | Highest
Product | Manifest | bundle-symbolicname | com.github.fge.msg-simple | Medium
Product | Manifest | Bundle-Name | msg-simple | Medium
Product | pom | artifactid | msg-simple | Highest
Product | pom | groupid | github.fge | Highest
Version | pom | version | 1.1 | Highest
Version | Manifest | Bundle-Version | 1.1 | High
Version | file | version | 1.1 | High
mysql-connector-java-8.0.28.jar
Description: JDBC Type 4 driver for MySQL
License: The GNU General Public License, v2 with FOSS exception
File Path: /home/jenkins/.mvnrepository/mysql/mysql-connector-java/8.0.28/mysql-connector-java-8.0.28.jar
MD5: 95cde01c78e7b04e13305338d60e056a
SHA1: 33678b1729d4f832b9e4bcb2d5bbd67940920a7a
SHA256: a00ccdf537ff50e50067b989108c2235197ffb65e197149bbb669db843cd1c3e
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name driver Highest Vendor pom groupid mysql Highest Vendor file name mysql-connector-java High Vendor jar package name jdbc Highest Vendor pom artifactid mysql-connector-java Low Vendor hint analyzer (hint) vendor sun Highest Vendor hint analyzer vendor oracle Highest Vendor Manifest bundle-symbolicname com.mysql.cj Medium Vendor Manifest (hint) Implementation-Vendor sun High Vendor pom url http://dev.mysql.com/doc/connector-j/en/ Highest Vendor Manifest Implementation-Vendor-Id com.mysql Medium Vendor Manifest Implementation-Vendor Oracle High Vendor jar package name mysql Highest Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom organization url http://www.oracle.com Medium Vendor pom organization name Oracle Corporation High Vendor pom name MySQL Connector/J High Vendor jar package name type Highest Vendor jar package name cj Highest Product jar package name driver Highest Product file name mysql-connector-java High Product jar package name jdbc Highest Product pom groupid mysql Highest Product pom organization url http://www.oracle.com Low Product pom organization name Oracle Corporation Low Product Manifest Implementation-Title MySQL Connector/J High Product Manifest bundle-symbolicname com.mysql.cj Medium Product pom artifactid mysql-connector-java Highest Product Manifest Bundle-Name Oracle Corporation's JDBC and XDevAPI Driver for MySQL Medium Product hint analyzer product mysql_connectors Highest Product hint analyzer product mysql_connector_j Highest Product Manifest specification-title JDBC Medium Product jar package name mysql Highest Product hint analyzer product mysql_connector/j Highest Product pom url http://dev.mysql.com/doc/connector-j/en/ Medium Product pom name MySQL Connector/J High Product jar package name type Highest Product jar package name cj Highest Product jar package name xdevapi Highest Version Manifest Bundle-Version 8.0.28 High Version file version 8.0.28 High Version pom version 8.0.28 Highest Version Manifest Implementation-Version 8.0.28 High
ojdbc8-19.3.0.0.jar
Description: Oracle JDBC Driver compatible with JDK8, JDK9, and JDK11
License: Oracle Free Use Terms and Conditions (FUTC)
File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/ojdbc8/19.3.0.0/ojdbc8-19.3.0.0.jar
MD5: 0b2a8e010df63e6feb396287d2ea7dbd
SHA1: 967c0b1a2d5b1435324de34a9b8018d294f8f47b
SHA256: a66d27a14f3adee484427cc4de008af85a5c3e78e2e3285a4dba1277332978a5
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar (hint) package name sun Highest Vendor jar package name driver Highest Vendor jar package name jdbc Highest Vendor pom groupid oracle.ojdbc Highest Vendor pom name ojdbc8 High Vendor Manifest repository-id JAVAVM_19.0.0.0.0_LINUX.X64_190404 Low Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor Manifest specification-vendor Sun Microsystems Inc. Low Vendor file name ojdbc8 High Vendor jar package name oracle Highest Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor pom artifactid ojdbc8 Low Product jar package name driver Highest Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product Manifest Implementation-Title JDBC High Product jar package name jdbc Highest Product pom groupid oracle.ojdbc Highest Product pom name ojdbc8 High Product file name ojdbc8 High Product Manifest specification-title JDBC Medium Product pom artifactid ojdbc8 Highest Product jar package name oracle Highest Product Manifest repository-id JAVAVM_19.0.0.0.0_LINUX.X64_190404 Low Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
okhttp-3.12.1.jar
File Path: /home/jenkins/.mvnrepository/com/squareup/okhttp3/okhttp/3.12.1/okhttp-3.12.1.jar
MD5: 8e397d184bcca38deb5c06122d10adc5
SHA1: dc6d02e4e68514eff5631963e28ca7742ac69efe
SHA256: 07c3d82ca7eaf4722f00b2da807dc7860f6169ae60cfedcf5d40218f90880a46
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name okhttp3 Highest Vendor pom parent-artifactid parent Low Vendor pom name OkHttp High Vendor pom groupid squareup.okhttp3 Highest Vendor Manifest automatic-module-name okhttp3 Medium Vendor pom groupid com.squareup.okhttp3 Highest Vendor file name okhttp High Vendor pom artifactid okhttp Low Vendor pom parent-groupid com.squareup.okhttp3 Medium Product jar package name okhttp3 Highest Product pom name OkHttp High Product pom groupid squareup.okhttp3 Highest Product Manifest automatic-module-name okhttp3 Medium Product pom artifactid okhttp Highest Product pom parent-artifactid parent Medium Product file name okhttp High Product pom parent-groupid com.squareup.okhttp3 Medium Version pom version 3.12.1 Highest Version file version 3.12.1 High
okio-1.15.0.jar
File Path: /home/jenkins/.mvnrepository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar
MD5: e8ddbcb79210050527c2eda7562e63ce
SHA1: bc28b5a964c8f5721eb58ee3f3c47a9bcbf4f4d8
SHA256: 693fa319a7e8843300602b204023b7674f106ebcb577f2dd5807212b66118bd2
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid com.squareup.okio Highest Vendor Manifest automatic-module-name okio Medium Vendor jar package name okio Highest Vendor pom groupid squareup.okio Highest Vendor pom artifactid okio Low Vendor file name okio High Vendor pom parent-artifactid okio-parent Low Vendor pom parent-groupid com.squareup.okio Medium Vendor pom name Okio High Product pom parent-artifactid okio-parent Medium Product Manifest automatic-module-name okio Medium Product jar package name okio Highest Product pom groupid squareup.okio Highest Product file name okio High Product pom parent-groupid com.squareup.okio Medium Product pom name Okio High Product pom artifactid okio Highest Version pom version 1.15.0 Highest Version file version 1.15.0 High
ons-19.3.0.0.jar
Description: Java Client-Side Oracle Notification Services (ONS)
License: Oracle Free Use Terms and Conditions (FUTC)
File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/ons/19.3.0.0/ons-19.3.0.0.jar
MD5: ac4a31065dcbf2286a46cb68e9f4d1fd
SHA1: cf3f3ef525c61a27fe9952652a156ddd738b1cd5
SHA256: 6e3f243700716c4fa2e9ddfaa08c9394ad6fda3a640d3bef03941f7b573df9d7
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor jar (hint) package name sun Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor jar package name notification Highest Vendor file name ons High Vendor jar package name ons Highest Vendor pom groupid oracle.ojdbc Highest Vendor pom artifactid ons Low Vendor pom name ons High Vendor jar package name oracle Highest Vendor Manifest label ONS_19.0.0.0.0_LINUX.X64_181205.1445 Low Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product jar package name notification Highest Product file name ons High Product jar package name ons Highest Product pom groupid oracle.ojdbc Highest Product pom name ons High Product jar package name oracle Highest Product Manifest label ONS_19.0.0.0.0_LINUX.X64_181205.1445 Low Product pom artifactid ons Highest Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
openshift-client-5.3.2.jar
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-client/5.3.2/openshift-client-5.3.2.jar
MD5: ba0008db46e5a3606bb8cac97feaa5bb
SHA1: 9119e78817b5f18e66e29036bb7c4811ff28ce65
SHA256: c1a33745e9db1105cf82cf940afe701d8f2fdb3bded536eb55b62f4550340d53
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name client Highest Vendor pom name Fabric8 :: Openshift :: Java Client High Vendor file name openshift-client High Vendor jar package name openshift Highest Vendor pom parent-artifactid kubernetes-client-project Low Vendor jar package name fabric8 Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor pom artifactid openshift-client Low Vendor jar package name io Highest Vendor pom groupid io.fabric8 Highest Product jar package name client Highest Product pom name Fabric8 :: Openshift :: Java Client High Product pom artifactid openshift-client Highest Product file name openshift-client High Product pom parent-artifactid kubernetes-client-project Medium Product jar package name openshift Highest Product jar package name fabric8 Highest Product Manifest build-jdk-spec 1.8 Low Product jar package name io Highest Product pom groupid io.fabric8 Highest Version pom version 5.3.2 Highest Version file version 5.3.2 High
openshift-model-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model/5.3.1/openshift-model-5.3.1.jar
MD5: 3ce206e9b705ef9ce505af22fc268c72
SHA1: 7c178a967e8ad18b4e29a938fe310d92cfda4efd
SHA256: d37911a3214b4811163ddf699847a180badedbf696e594bc8385edbcf5e28a25
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid kubernetes-model-generator Low Vendor jar package name fabric8 Highest Vendor Manifest bundle-docurl http://redhat.com Low Vendor jar package name io Highest Vendor Manifest bundle-symbolicname io.fabric8.openshift-model Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor file name openshift-model High Vendor pom name Fabric8 :: OpenShift Model High Vendor Manifest specification-vendor Red Hat Low Vendor jar package name openshift Highest Vendor Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model/ Low Vendor pom groupid io.fabric8 Highest Vendor pom artifactid openshift-model Low Product pom artifactid openshift-model Highest Product jar package name fabric8 Highest Product Manifest bundle-docurl http://redhat.com Low Product Manifest Bundle-Name Fabric8 :: OpenShift Model Medium Product jar package name io Highest Product Manifest bundle-symbolicname io.fabric8.openshift-model Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product file name openshift-model High Product pom name Fabric8 :: OpenShift Model High Product Manifest specification-title Fabric8 :: OpenShift Model Medium Product jar package name openshift Highest Product Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model/ Low Product pom parent-artifactid kubernetes-model-generator Medium Product pom groupid io.fabric8 Highest Version file version 5.3.1 High Version pom version 5.3.1 Highest Version Manifest Bundle-Version 5.3.1 High Version Manifest specification-version 5.3.1 High
openshift-model-console-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-console/5.3.1/openshift-model-console-5.3.1.jar
MD5: e9a4135b59f594840877e4cba3d53b0a
SHA1: 0bbdb8aa74cba2f3fd12dc5981001a5504df4cc6
SHA256: 0164ce87aa72b3c2750d5e13627bf46cdfd89d6da7e96e928d72672aab5b26dd
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid kubernetes-model-generator Low Vendor Manifest bundle-symbolicname io.fabric8.openshift-model-console Medium Vendor jar package name fabric8 Highest Vendor Manifest bundle-docurl http://redhat.com Low Vendor jar package name io Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-console/ Low Vendor Manifest specification-vendor Red Hat Low Vendor jar package name openshift Highest Vendor file name openshift-model-console High Vendor pom name Fabric8 :: OpenShift Console Model High Vendor pom artifactid openshift-model-console Low Vendor pom groupid io.fabric8 Highest Product Manifest bundle-symbolicname io.fabric8.openshift-model-console Medium Product jar package name fabric8 Highest Product Manifest Bundle-Name Fabric8 :: OpenShift Console Model Medium Product Manifest bundle-docurl http://redhat.com Low Product jar package name io Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-console/ Low Product pom artifactid openshift-model-console Highest Product jar package name openshift Highest Product file name openshift-model-console High Product pom name Fabric8 :: OpenShift Console Model High Product pom parent-artifactid kubernetes-model-generator Medium Product Manifest specification-title Fabric8 :: OpenShift Console Model Medium Product pom groupid io.fabric8 Highest Version file version 5.3.1 High Version pom version 5.3.1 Highest Version Manifest Bundle-Version 5.3.1 High Version Manifest specification-version 5.3.1 High
openshift-model-monitoring-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-monitoring/5.3.1/openshift-model-monitoring-5.3.1.jar
MD5: 169af95527fb30ccc6109abc20b90f29
SHA1: 648788408c56b8068f850cac07c1b707c4ff0fbd
SHA256: a99ff75b409cfbfb43f70a93dae0b7c2c2868a895a9d3260a406004edd799105
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid kubernetes-model-generator Low Vendor jar package name fabric8 Highest Vendor Manifest bundle-docurl http://redhat.com Low Vendor jar package name io Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom name Fabric8 :: OpenShift Monitoring Model High Vendor Manifest specification-vendor Red Hat Low Vendor jar package name openshift Highest Vendor file name openshift-model-monitoring High Vendor Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-monitoring/ Low Vendor Manifest bundle-symbolicname io.fabric8.openshift-model-monitoring Medium Vendor pom artifactid openshift-model-monitoring Low Vendor pom groupid io.fabric8 Highest Product jar package name fabric8 Highest Product pom artifactid openshift-model-monitoring Highest Product Manifest bundle-docurl http://redhat.com Low Product jar package name io Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom name Fabric8 :: OpenShift Monitoring Model High Product Manifest Bundle-Name Fabric8 :: OpenShift Monitoring Model Medium Product Manifest specification-title Fabric8 :: OpenShift Monitoring Model Medium Product jar package name openshift Highest Product file name openshift-model-monitoring High Product Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-monitoring/ Low Product pom parent-artifactid kubernetes-model-generator Medium Product Manifest bundle-symbolicname io.fabric8.openshift-model-monitoring Medium Product pom groupid io.fabric8 Highest Version file version 5.3.1 High Version pom version 5.3.1 Highest Version Manifest Bundle-Version 5.3.1 High Version Manifest specification-version 5.3.1 High
openshift-model-operator-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-operator/5.3.1/openshift-model-operator-5.3.1.jar
MD5: 55a1c0a88fb5996ea0db81eeb923b2a2
SHA1: 7a945f7ef96526081b097648ef2491abbb53c943
SHA256: 7c21b3027d14e8166c79bdb12c7cdc9f65005266e314557127b15b34a6d41362
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid kubernetes-model-generator Low Vendor Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-operator/ Low Vendor jar package name fabric8 Highest Vendor pom name Fabric8 :: OpenShift Operator Model High Vendor Manifest bundle-symbolicname io.fabric8.openshift-model-operator Medium Vendor Manifest bundle-docurl http://redhat.com Low Vendor jar package name io Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest specification-vendor Red Hat Low Vendor jar package name openshift Highest Vendor file name openshift-model-operator High Vendor pom artifactid openshift-model-operator Low Vendor pom groupid io.fabric8 Highest Product Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-operator/ Low Product jar package name fabric8 Highest Product Manifest Bundle-Name Fabric8 :: OpenShift Operator Model Medium Product pom name Fabric8 :: OpenShift Operator Model High Product Manifest bundle-symbolicname io.fabric8.openshift-model-operator Medium Product Manifest bundle-docurl http://redhat.com Low Product jar package name io Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid openshift-model-operator Highest Product Manifest specification-title Fabric8 :: OpenShift Operator Model Medium Product jar package name openshift Highest Product pom parent-artifactid kubernetes-model-generator Medium Product file name openshift-model-operator High Product pom groupid io.fabric8 Highest Version file version 5.3.1 High Version pom version 5.3.1 Highest Version Manifest Bundle-Version 5.3.1 High Version Manifest specification-version 5.3.1 High
openshift-model-operatorhub-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-operatorhub/5.3.1/openshift-model-operatorhub-5.3.1.jar
MD5: 4c2d5e382a9c425a8413e4e71feb6524
SHA1: 0e65dee874276e6a322c258998e37b748401777a
SHA256: e1225d0febc847cba241f7f1c62c8970cfe269ce545877fe3c04a3731ae5d8fe
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom parent-artifactid kubernetes-model-generator Low Vendor Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-operatorhub/ Low Vendor jar package name fabric8 Highest Vendor Manifest bundle-docurl http://redhat.com Low Vendor jar package name io Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor pom name Fabric8 :: OpenShift OperatorHub Model High Vendor Manifest specification-vendor Red Hat Low Vendor Manifest bundle-symbolicname io.fabric8.openshift-model-operatorhub Medium Vendor jar package name openshift Highest Vendor file name openshift-model-operatorhub High Vendor pom artifactid openshift-model-operatorhub Low Vendor pom groupid io.fabric8 Highest Product Manifest implementation-url http://fabric8.io/kubernetes-model-generator/openshift-model-operatorhub/ Low Product pom artifactid openshift-model-operatorhub Highest Product jar package name fabric8 Highest Product Manifest bundle-docurl http://redhat.com Low Product Manifest Bundle-Name Fabric8 :: OpenShift OperatorHub Model Medium Product jar package name io Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom name Fabric8 :: OpenShift OperatorHub Model High Product Manifest specification-title Fabric8 :: OpenShift OperatorHub Model Medium Product jar package name openshift Highest Product Manifest bundle-symbolicname io.fabric8.openshift-model-operatorhub Medium Product pom parent-artifactid kubernetes-model-generator Medium Product file name openshift-model-operatorhub High Product pom groupid io.fabric8 Highest Version file version 5.3.1 High Version pom version 5.3.1 Highest Version Manifest Bundle-Version 5.3.1 High Version Manifest specification-version 5.3.1 High
oraclepki-19.3.0.0.jar
Description: Oracle PKI to access Oracle Wallets from Java
License: Oracle Free Use Terms and Conditions (FUTC)
File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/oraclepki/19.3.0.0/oraclepki-19.3.0.0.jar
MD5: babe79be0b8106cd1090a7194994b300
SHA1: 0e52a34f271c6c62ee1a73b71cc19da5459b709f
SHA256: 04bdcbaa8da2c5800403ad0f448bec2867c6e9a12665d3f2c2aba1539dec24dc
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor jar (hint) package name sun Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor pom groupid oracle.ojdbc Highest Vendor file name oraclepki High Vendor jar package name oracle Highest Vendor jar package name pki Highest Vendor pom artifactid oraclepki Low Vendor jar package name oraclepki Highest Vendor pom name oraclepki High Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product Manifest specification-title ENTSEC_DB19.3.0.0.0_GENERIC_190302.0616 Medium Product pom artifactid oraclepki Highest Product pom groupid oracle.ojdbc Highest Product file name oraclepki High Product jar package name oracle Highest Product jar package name pki Highest Product jar package name oraclepki Highest Product pom name oraclepki High Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
osdt_cert-19.3.0.0.jar
Description: osdt_cert.jar to access Oracle Wallets from Java
License: Oracle Free Use Terms and Conditions (FUTC)
File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/osdt_cert/19.3.0.0/osdt_cert-19.3.0.0.jar
MD5: 8bde9e2dabea91083a737ab02aed4b73
SHA1: c134652fdcb17ff72963d386efd8ade902d2eaff
SHA256: faa0cca594d354d5bb1f5eac3dafa1568387a27576813a9bd723d6fd8744be8c
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar (hint) package name sun Highest Vendor pom groupid oracle.ojdbc Highest Vendor file name osdt_cert High Vendor pom artifactid osdt_cert Low Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor jar package name cert Highest Vendor Manifest specification-vendor Oracle Corporation Low Vendor jar package name oracle Highest Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest repository-id ENTSEC_DB19.3.0.0.0_GENERIC_190302.0616 Low Vendor pom name osdt_cert High Product Manifest Implementation-Title Oracle Security Developer Tools Security Engine High Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product jar package name security Highest Product pom artifactid osdt_cert Highest Product pom groupid oracle.ojdbc Highest Product jar package name cert Highest Product file name osdt_cert High Product jar package name oracle Highest Product Manifest specification-title Oracle Security Developer Tools Security Engine Medium Product Manifest repository-id ENTSEC_DB19.3.0.0.0_GENERIC_190302.0616 Low Product pom name osdt_cert High Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
osdt_core-19.3.0.0.jar
Description: osdt_core.jar to access Oracle Wallets from Java
License: Oracle Free Use Terms and Conditions (FUTC)
File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/osdt_core/19.3.0.0/osdt_core-19.3.0.0.jar
MD5: 74366ecfe0555a7ee277d1ce11a4933e
SHA1: 2e01c262879c97de876c238966eb1da48542f2e8
SHA256: c7a90c07a12e73d03c1edd6a02e699001213e698fe0f5225a2771ccd46ab0b63
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar (hint) package name sun Highest Vendor pom artifactid osdt_core Low Vendor pom groupid oracle.ojdbc Highest Vendor pom name osdt_core High Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor file name osdt_core High Vendor Manifest specification-vendor Oracle Corporation Low Vendor jar package name oracle Highest Vendor jar package name core Highest Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor Manifest repository-id ENTSEC_DB19.3.0.0.0_GENERIC_190302.0616 Low Product pom groupid oracle.ojdbc Highest Product pom name osdt_core High Product pom artifactid osdt_core Highest Product Manifest Implementation-Title Oracle Security Developer Tools Crypto High Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product jar package name security Highest Product file name osdt_core High Product jar package name oracle Highest Product jar package name core Highest Product Manifest repository-id ENTSEC_DB19.3.0.0.0_GENERIC_190302.0616 Low Product jar package name crypto Highest Product Manifest specification-title Oracle Security Developer Tools Crypto Medium Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
postgresql-42.2.25.jar
Description: PostgreSQL JDBC Driver Postgresql
License: BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /home/jenkins/.mvnrepository/org/postgresql/postgresql/42.2.25/postgresql-42.2.25.jar
MD5: e03cf95ae1b5d5b58eda64f6563b9d11
SHA1: 1e0f0adf6d9479ec72a8b4c4d1b464f456c4eab3
SHA256: e97fafe15bee2358cf8d0ede26f80e31d4e6387a58e194fd7cc0f203f648a9f2
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name driver Highest Vendor Manifest bundle-copyright Copyright (c) 2003-2020, PostgreSQL Global Development Group Low Vendor pom groupid org.postgresql Highest Vendor jar package name jdbc Highest Vendor Manifest provide-capability osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver" Low Vendor pom organization name PostgreSQL Global Development Group High Vendor pom organization url https://jdbc.postgresql.org/ Medium Vendor Manifest bundle-docurl https://jdbc.postgresql.org/ Low Vendor Manifest require-capability osgi.ee;filter:="(&(|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))" Low Vendor Manifest Implementation-Vendor PostgreSQL Global Development Group High Vendor pom artifactid postgresql Low Vendor pom name PostgreSQL JDBC Driver High Vendor file name postgresql High Vendor Manifest Implementation-Vendor-Id org.postgresql Medium Vendor Manifest automatic-module-name org.postgresql.jdbc Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor pom groupid postgresql Highest Vendor jar package name postgresql Highest Vendor pom url https://jdbc.postgresql.org Highest Vendor Manifest bundle-symbolicname org.postgresql.jdbc Medium Product jar package name driver Highest Product Manifest bundle-copyright Copyright (c) 2003-2020, PostgreSQL Global Development Group Low Product pom organization url https://jdbc.postgresql.org/ Low Product jar package name jdbc Highest Product Manifest provide-capability osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory";osgi.jdbc.driver.class="org.postgresql.Driver";osgi.jdbc.driver.name="PostgreSQL JDBC Driver" Low Product pom url https://jdbc.postgresql.org Medium Product Manifest bundle-docurl https://jdbc.postgresql.org/ Low Product pom artifactid postgresql Highest Product pom organization name PostgreSQL Global Development Group Low Product jar package name osgi Highest Product Manifest require-capability osgi.ee;filter:="(&(|(osgi.ee=J2SE)(osgi.ee=JavaSE))(version>=1.8))" Low Product jar package name version Highest Product Manifest Implementation-Title PostgreSQL JDBC Driver High Product pom name PostgreSQL JDBC Driver High Product file name postgresql High Product Manifest Bundle-Name PostgreSQL JDBC Driver Medium Product Manifest automatic-module-name org.postgresql.jdbc Medium Product Manifest specification-title JDBC Medium Product pom groupid postgresql Highest Product jar package name postgresql Highest Product Manifest bundle-symbolicname org.postgresql.jdbc Medium Version Manifest Bundle-Version 42.2.25 High Version Manifest Implementation-Version 42.2.25 High Version pom version 42.2.25 Highest Version file version 42.2.25 High
protobuf-java-3.16.1.jar
Description: Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
License: https://opensource.org/licenses/BSD-3-Clause
File Path: /home/jenkins/.mvnrepository/com/google/protobuf/protobuf-java/3.16.1/protobuf-java-3.16.1.jar
MD5: 3d6923b9f2bf3f237a53f003c862709a
SHA1: 23b80908eaf488134ceef1904e83e6f6821908c0
SHA256: 7b845a34210acde78b7f77977b3724988b9c60b2dce7a93a9afbbb1fee7978c4
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom name Protocol Buffers [Core] High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom groupid google.protobuf Highest Vendor file name protobuf-java High Vendor Manifest bundle-symbolicname com.google.protobuf Medium Vendor pom parent-groupid com.google.protobuf Medium Vendor pom artifactid protobuf-java Low Vendor pom parent-artifactid protobuf-parent Low Vendor pom groupid com.google.protobuf Highest Vendor Manifest bundle-docurl https://developers.google.com/protocol-buffers/ Low Vendor Manifest automatic-module-name com.google.protobuf Medium Vendor jar package name protobuf Highest Vendor jar package name google Highest Product pom name Protocol Buffers [Core] High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom parent-artifactid protobuf-parent Medium Product pom groupid google.protobuf Highest Product file name protobuf-java High Product Manifest bundle-symbolicname com.google.protobuf Medium Product pom parent-groupid com.google.protobuf Medium Product Manifest Bundle-Name Protocol Buffers [Core] Medium Product Manifest bundle-docurl https://developers.google.com/protocol-buffers/ Low Product Manifest automatic-module-name com.google.protobuf Medium Product jar package name protobuf Highest Product pom artifactid protobuf-java Highest Product jar package name google Highest Version file version 3.16.1 High Version pom version 3.16.1 Highest Version Manifest Bundle-Version 3.16.1 High
quarkus-arc-1.13.7.Final.jar
Description: Build time CDI dependency injection
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-arc/1.13.7.Final/quarkus-arc-1.13.7.Final.jar
MD5: fb5c9e9b6477e59fe79f73b6c29d4a6e
SHA1: 7b5e15f86fc4a7340cf5f8832d02ac9a7a5d3cdc
SHA256: eec42a76cecdf9cbeedb9859cd1ed54b7ec8f6a7d61348734fffc1a048fd8dda
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-arc-parent/quarkus-arc Low Vendor jar package name quarkus Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor pom name Quarkus - ArC - Runtime High Vendor Manifest os-arch amd64 Low Vendor jar package name runtime Highest Vendor hint analyzer vendor redhat Highest Vendor jar package name io Highest Vendor jar package name arc Highest Vendor file name quarkus-arc High Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor pom artifactid quarkus-arc Low Vendor pom parent-artifactid quarkus-arc-parent Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product pom artifactid quarkus-arc Highest Product jar package name quarkus Highest Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-arc-parent/quarkus-arc Low Product Manifest build-jdk-spec 1.8 Low Product pom name Quarkus - ArC - Runtime High Product Manifest os-arch amd64 Low Product jar package name runtime Highest Product jar package name arc Highest Product jar package name io Highest Product file name quarkus-arc High Product Manifest specification-title Quarkus - ArC - Runtime Medium Product Manifest Implementation-Title Quarkus - ArC - Runtime High Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Product pom parent-artifactid quarkus-arc-parent Medium Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-bootstrap-runner-1.13.7.Final.jar
Description:
The entry point for production applications using the custom ClassLoader. This contains the production ClassLoader code and must not have any non parent first dependencies.
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-bootstrap-runner/1.13.7.Final/quarkus-bootstrap-runner-1.13.7.Final.jar
MD5: 57a3e39a45aedcde95858e0426223058
SHA1: e1f2ee0ec42fcffa417f1d49ff3edded25212528
SHA256: da8b7f5dfd7403a180df34dd482bb8abf0b3aec836f7c9d02b41185535e744e7
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor jar package name bootstrap Highest Vendor jar package name runner Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor file name quarkus-bootstrap-runner High Vendor Manifest os-arch amd64 Low Vendor hint analyzer vendor redhat Highest Vendor Manifest implementation-url http://www.jboss.org/quarkus-bootstrap-parent/quarkus-bootstrap-runner Low Vendor jar package name io Highest Vendor pom artifactid quarkus-bootstrap-runner Low Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor pom name Quarkus - Bootstrap - Runner High Vendor pom parent-artifactid quarkus-bootstrap-parent Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product pom parent-artifactid quarkus-bootstrap-parent Medium Product jar package name quarkus Highest Product jar package name bootstrap Highest Product jar package name runner Highest Product Manifest build-jdk-spec 1.8 Low Product file name quarkus-bootstrap-runner High Product Manifest os-arch amd64 Low Product Manifest Implementation-Title Quarkus - Bootstrap - Runner High Product Manifest implementation-url http://www.jboss.org/quarkus-bootstrap-parent/quarkus-bootstrap-runner Low Product jar package name io Highest Product pom artifactid quarkus-bootstrap-runner Highest Product pom name Quarkus - Bootstrap - Runner High Product Manifest specification-title Quarkus - Bootstrap - Runner Medium Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-core-1.13.7.Final.jar
Description:
Quarkus core components
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-core/1.13.7.Final/quarkus-core-1.13.7.Final.jar
MD5: 5b51d9946e3afd459b0bd7464ad299ce
SHA1: 771c74d1ec7f2179e33b22145414af969cd0d66e
SHA256: 7e8aae1493920f98bfb29be1b67310c4d8ef1e4d0e7a8ae2fa9696fca21a9f78
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-core-parent/quarkus-core Low Vendor pom name Quarkus - Core - Runtime High Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest os-arch amd64 Low Vendor jar package name runtime Highest Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid quarkus-core-parent Low Vendor jar package name io Highest Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor file name quarkus-core High Vendor pom artifactid quarkus-core Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-core-parent/quarkus-core Low Product pom name Quarkus - Core - Runtime High Product Manifest specification-title Quarkus - Core - Runtime Medium Product pom artifactid quarkus-core Highest Product jar package name quarkus Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest os-arch amd64 Low Product jar package name runtime Highest Product jar package name io Highest Product pom parent-artifactid quarkus-core-parent Medium Product file name quarkus-core High Product Manifest os-name Linux Medium Product Manifest Implementation-Title Quarkus - Core - Runtime High Product pom groupid io.quarkus Highest Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-development-mode-spi-1.13.7.Final.jar
Description:
SPI classes for Quarkus Development mode.
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-development-mode-spi/1.13.7.Final/quarkus-development-mode-spi-1.13.7.Final.jar
MD5: 6cde3f8cbc0a3c5a10587095636ff42c
SHA1: 1653a85ffc1b85895b91f7eed70e84f3317ea15c
SHA256: 17ab4d067124469fdfab48f9dbbe734acb60737f8ae4b958e38eb6a8693607a9
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor jar package name spi Highest Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest os-arch amd64 Low Vendor pom name Quarkus - Development mode - SPI High Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid quarkus-build-parent Low Vendor pom artifactid quarkus-development-mode-spi Low Vendor jar package name io Highest Vendor file name quarkus-development-mode-spi High Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-development-mode-spi Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product pom artifactid quarkus-development-mode-spi Highest Product jar package name spi Highest Product Manifest specification-title Quarkus - Development mode - SPI Medium Product jar package name quarkus Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest os-arch amd64 Low Product pom name Quarkus - Development mode - SPI High Product jar package name io Highest Product file name quarkus-development-mode-spi High Product pom parent-artifactid quarkus-build-parent Medium Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-development-mode-spi Low Product Manifest Implementation-Title Quarkus - Development mode - SPI High Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-ide-launcher-1.13.7.Final.jar
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-ide-launcher/1.13.7.Final/quarkus-ide-launcher-1.13.7.Final.jar
MD5: 3536e9a347cd1e23bfb136daf94da609
SHA1: 9fc2506080352358d9c707814d91eb5c6ca8d740
SHA256: ab8d9bc2c92a91e6301d62956ef00e6f6107b5554835f009c7917264d07e41ca
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-ide-launcher Low Vendor jar package name launcher Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest os-arch amd64 Low Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid quarkus-build-parent Low Vendor jar package name io Highest Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor pom artifactid quarkus-ide-launcher Low Vendor file name quarkus-ide-launcher High Vendor pom name Quarkus - IDE Launcher High Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-ide-launcher Low Product jar package name launcher Highest Product jar package name quarkus Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest os-arch amd64 Low Product Manifest Implementation-Title Quarkus - IDE Launcher High Product jar package name io Highest Product pom parent-artifactid quarkus-build-parent Medium Product file name quarkus-ide-launcher High Product pom name Quarkus - IDE Launcher High Product pom artifactid quarkus-ide-launcher Highest Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Product Manifest specification-title Quarkus - IDE Launcher Medium Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-jackson-1.13.7.Final.jar
Description:
Jackson Databind support
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-jackson/1.13.7.Final/quarkus-jackson-1.13.7.Final.jar
MD5: 60fbd76f3529a1cf7d648d3319110982
SHA1: aecd315a3627c81e3adf9b281102523d77c8cfb6
SHA256: 8abe6a94c3430077f4cbfbad1dcfcfbaa9b904a98516ab1a300a7d9c9e9fcf17
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor pom parent-artifactid quarkus-jackson-parent Low Vendor Manifest build-jdk-spec 1.8 Low Vendor file name quarkus-jackson High Vendor Manifest os-arch amd64 Low Vendor pom name Quarkus - Jackson - Runtime High Vendor jar package name runtime Highest Vendor hint analyzer vendor redhat Highest Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-jackson-parent/quarkus-jackson Low Vendor jar package name io Highest Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor pom artifactid quarkus-jackson Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Vendor jar package name jackson Highest Product jar package name quarkus Highest Product Manifest build-jdk-spec 1.8 Low Product file name quarkus-jackson High Product Manifest os-arch amd64 Low Product pom name Quarkus - Jackson - Runtime High Product jar package name runtime Highest Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-jackson-parent/quarkus-jackson Low Product jar package name io Highest Product pom parent-artifactid quarkus-jackson-parent Medium Product Manifest Implementation-Title Quarkus - Jackson - Runtime High Product Manifest specification-title Quarkus - Jackson - Runtime Medium Product pom artifactid quarkus-jackson Highest Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Product jar package name jackson Highest Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-kubernetes-client-1.13.7.Final.jar
Description:
Interact with Kubernetes and develop Kubernetes Operators
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-kubernetes-client/1.13.7.Final/quarkus-kubernetes-client-1.13.7.Final.jar
MD5: cbce9ceb54dc3943c882712216872b30
SHA1: f47e6d6ce87dfc9ec2ecf34774e877f2b8c0fc2f
SHA256: ea64840e131030828c6a9c09e13775586b2985716c3e09dd9d89930d4830a035
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name client Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest os-arch amd64 Low Vendor hint analyzer vendor redhat Highest Vendor jar package name io Highest Vendor pom name Quarkus - Kubernetes Client - Runtime High Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor jar package name kubernetes Highest Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client Low Vendor file name quarkus-kubernetes-client High Vendor pom parent-artifactid quarkus-kubernetes-client-parent Low Vendor pom artifactid quarkus-kubernetes-client Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product jar package name client Highest Product jar package name quarkus Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest os-arch amd64 Low Product pom artifactid quarkus-kubernetes-client Highest Product jar package name io Highest Product pom name Quarkus - Kubernetes Client - Runtime High Product Manifest specification-title Quarkus - Kubernetes Client - Runtime Medium Product pom parent-artifactid quarkus-kubernetes-client-parent Medium Product jar package name kubernetes Highest Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client Low Product file name quarkus-kubernetes-client High Product Manifest Implementation-Title Quarkus - Kubernetes Client - Runtime High Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
quarkus-kubernetes-client-internal-1.13.7.Final.jar
Description:
This module only exists as a separate module to house the configuration that needs to be present on the runtime classpath when the kubernetes extension is used
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-kubernetes-client-internal/1.13.7.Final/quarkus-kubernetes-client-internal-1.13.7.Final.jar
MD5: 92ccbbaeb0a1092dd925eb6c8076d4a7
SHA1: 96bc4ec35a82f92db48620f7971305411363e766
SHA256: 58601b9a5ed6fe782979d258fcba31025909075ab736b80925f509f747592025
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name client Highest Vendor Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client-internal Low Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor pom name Quarkus - Kubernetes Client - Runtime - Internal High Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest os-arch amd64 Low Vendor hint analyzer vendor redhat Highest Vendor file name quarkus-kubernetes-client-internal High Vendor pom artifactid quarkus-kubernetes-client-internal Low Vendor jar package name io Highest Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor jar package name kubernetes Highest Vendor pom parent-artifactid quarkus-kubernetes-client-parent Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.quarkus Highest Product jar package name client Highest Product Manifest implementation-url http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client-internal Low Product Manifest specification-title Quarkus - Kubernetes Client - Runtime - Internal Medium Product pom name Quarkus - Kubernetes Client - Runtime - Internal High Product jar package name quarkus Highest Product Manifest build-jdk-spec 1.8 Low Product Manifest os-arch amd64 Low Product file name quarkus-kubernetes-client-internal High Product jar package name io Highest Product pom parent-artifactid quarkus-kubernetes-client-parent Medium Product jar package name kubernetes Highest Product Manifest Implementation-Title Quarkus - Kubernetes Client - Runtime - Internal High Product pom artifactid quarkus-kubernetes-client-internal Highest Product Manifest os-name Linux Medium Product pom groupid io.quarkus Highest Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
reactive-streams-1.0.3.jar
Description:
A Protocol for Asynchronous Non-Blocking Data Sequence
License:
CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/jenkins/.mvnrepository/org/reactivestreams/reactive-streams/1.0.3/reactive-streams-1.0.3.jar
MD5: 69122b098fff1c6b1bf2cd3b355e7e03
SHA1: d9fb7a7926ffa635b3dcaa5049fb2bfa25b3e7d0
SHA256: 1dee0481072d19c929b623e155e14d2f6085dc011529a0a0dbefc84cf571d865
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest automatic-module-name org.reactivestreams Medium Vendor pom artifactid reactive-streams Low Vendor pom groupid org.reactivestreams Highest Vendor file name reactive-streams High Vendor jar package name reactivestreams Highest Vendor pom name reactive-streams High Vendor pom groupid reactivestreams Highest Vendor Manifest bundle-docurl http://reactive-streams.org Low Vendor pom url http://www.reactive-streams.org/ Highest Vendor Manifest bundle-symbolicname org.reactivestreams.reactive-streams Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest automatic-module-name org.reactivestreams Medium Product file name reactive-streams High Product jar package name reactivestreams Highest Product pom name reactive-streams High Product pom url http://www.reactive-streams.org/ Medium Product pom artifactid reactive-streams Highest Product Manifest Bundle-Name reactive-streams Medium Product pom groupid reactivestreams Highest Product Manifest bundle-docurl http://reactive-streams.org Low Product Manifest bundle-symbolicname org.reactivestreams.reactive-streams Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Version pom version 1.0.3 Highest Version file version 1.0.3 High Version Manifest Bundle-Version 1.0.3 High
resteasy-client-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-client/3.15.1.Final/resteasy-client-3.15.1.Final.jar
MD5: 59b54410b06cbf2d95a0ce05a22ccbf2
SHA1: ae668cf8c46c5d6a5923097b6573d689ebe17593
SHA256: 41840b1d073ba46a9305cf02ed8ff417cb67314354d9f4c21947f687082e9e42
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name client Highest Vendor file name resteasy-client High Vendor Manifest implementation-url http://rest-easy.org/resteasy-client Low Vendor pom groupid org.jboss.resteasy Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor Manifest os-arch amd64 Low Vendor Manifest java-vendor Oracle Corporation Medium Vendor hint analyzer vendor redhat Highest Vendor pom artifactid resteasy-client Low Vendor pom parent-artifactid resteasy-jaxrs-all Low Vendor pom groupid jboss.resteasy Highest Vendor pom parent-groupid org.jboss.resteasy Medium Vendor Manifest Implementation-Vendor-Id org.jboss.resteasy Medium Vendor jar package name jboss Highest Vendor jar package name jaxrs Highest Vendor jar package name resteasy Highest Vendor pom name RESTEasy JAX-RS Client High Vendor Manifest os-name Linux Medium Product jar package name client Highest Product file name resteasy-client High Product Manifest implementation-url http://rest-easy.org/resteasy-client Low Product Manifest os-arch amd64 Low Product pom groupid jboss.resteasy Highest Product pom parent-groupid org.jboss.resteasy Medium Product pom artifactid resteasy-client Highest Product Manifest specification-title RESTEasy JAX-RS Client Medium Product jar package name jboss Highest Product pom parent-artifactid resteasy-jaxrs-all Medium Product jar package name jaxrs Highest Product jar package name resteasy Highest Product Manifest Implementation-Title RESTEasy JAX-RS Client High Product pom name RESTEasy JAX-RS Client High Product Manifest os-name Linux Medium Version pom version 3.15.1.Final Highest Version Manifest Implementation-Version 3.15.1.Final High
resteasy-jackson2-provider-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-jackson2-provider/3.15.1.Final/resteasy-jackson2-provider-3.15.1.Final.jar
MD5: eaf321ba922f881ff3fde06dcc53768f
SHA1: c4939964fbea5ea5e9d3e0c4cf8461de00bdb140
SHA256: 7544b3788bca2277f09145bcbffd22184c133e96b36cfe8956e4fdb51b0941cb
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid org.jboss.resteasy Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor Manifest os-arch amd64 Low Vendor Manifest java-vendor Oracle Corporation Medium Vendor pom name RESTEasy Jackson 2 Provider High Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid resteasy-jaxrs-all Low Vendor pom groupid jboss.resteasy Highest Vendor pom parent-groupid org.jboss.resteasy Medium Vendor Manifest Implementation-Vendor-Id org.jboss.resteasy Medium Vendor jar package name jboss Highest Vendor file name resteasy-jackson2-provider High Vendor jar package name resteasy Highest Vendor pom artifactid resteasy-jackson2-provider Low Vendor Manifest implementation-url http://rest-easy.org/resteasy-jackson2-provider Low Vendor Manifest os-name Linux Medium Product pom artifactid resteasy-jackson2-provider Highest Product Manifest os-arch amd64 Low Product pom name RESTEasy Jackson 2 Provider High Product Manifest specification-title RESTEasy Jackson 2 Provider Medium Product pom groupid jboss.resteasy Highest Product pom parent-groupid org.jboss.resteasy Medium Product jar package name jboss Highest Product file name resteasy-jackson2-provider High Product pom parent-artifactid resteasy-jaxrs-all Medium Product jar package name resteasy Highest Product Manifest Implementation-Title RESTEasy Jackson 2 Provider High Product Manifest implementation-url http://rest-easy.org/resteasy-jackson2-provider Low Product Manifest os-name Linux Medium Version pom version 3.15.1.Final Highest Version Manifest Implementation-Version 3.15.1.Final High
resteasy-jaxb-provider-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-jaxb-provider/3.15.1.Final/resteasy-jaxb-provider-3.15.1.Final.jar
MD5: 7f0e9a2a4cf4465d7070c2f0231c8c51
SHA1: 6b97aa1caf68999cb638515feec02e5a87f76788
SHA256: 2fd0cd55f92236913ce62403d18be8b4c04cc9ce9a578e40d4f6bfb7182553e8
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid org.jboss.resteasy Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor pom artifactid resteasy-jaxb-provider Low Vendor file name resteasy-jaxb-provider High Vendor Manifest os-arch amd64 Low Vendor pom name RESTEasy JAXB Provider High Vendor Manifest java-vendor Oracle Corporation Medium Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid resteasy-jaxrs-all Low Vendor pom groupid jboss.resteasy Highest Vendor pom parent-groupid org.jboss.resteasy Medium Vendor Manifest Implementation-Vendor-Id org.jboss.resteasy Medium Vendor jar package name jboss Highest Vendor jar package name resteasy Highest Vendor Manifest os-name Linux Medium Vendor Manifest implementation-url http://rest-easy.org/resteasy-jaxb-provider Low Product file name resteasy-jaxb-provider High Product Manifest os-arch amd64 Low Product pom name RESTEasy JAXB Provider High Product Manifest specification-title RESTEasy JAXB Provider Medium Product pom groupid jboss.resteasy Highest Product pom parent-groupid org.jboss.resteasy Medium Product jar package name jboss Highest Product pom parent-artifactid resteasy-jaxrs-all Medium Product jar package name resteasy Highest Product pom artifactid resteasy-jaxb-provider Highest Product Manifest os-name Linux Medium Product Manifest Implementation-Title RESTEasy JAXB Provider High Product Manifest implementation-url http://rest-easy.org/resteasy-jaxb-provider Low Version pom version 3.15.1.Final Highest Version Manifest Implementation-Version 3.15.1.Final High
resteasy-jaxrs-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-jaxrs/3.15.1.Final/resteasy-jaxrs-3.15.1.Final.jar
MD5: 0ed93dd155af2ed91968fbfa30897340
SHA1: bc52bae060345e776008103d02289146f208176b
SHA256: 6d1e1155d1ce582c66c0262d4504314bd32ca2328643c49c78e912048da12352
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid org.jboss.resteasy Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor pom name RESTEasy JAX-RS Implementation High Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor Manifest os-arch amd64 Low Vendor Manifest java-vendor Oracle Corporation Medium Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid resteasy-jaxrs-all Low Vendor pom groupid jboss.resteasy Highest Vendor pom parent-groupid org.jboss.resteasy Medium Vendor Manifest Implementation-Vendor-Id org.jboss.resteasy Medium Vendor jar package name jboss Highest Vendor jar package name jaxrs Highest Vendor jar package name resteasy Highest Vendor Manifest implementation-url http://rest-easy.org/resteasy-jaxrs Low Vendor pom artifactid resteasy-jaxrs Low Vendor Manifest os-name Linux Medium Vendor file name resteasy-jaxrs High Product pom name RESTEasy JAX-RS Implementation High Product Manifest os-arch amd64 Low Product pom groupid jboss.resteasy Highest Product pom parent-groupid org.jboss.resteasy Medium Product pom artifactid resteasy-jaxrs Highest Product Manifest Implementation-Title RESTEasy JAX-RS Implementation High Product jar package name jboss Highest Product jar package name jaxrs Highest Product pom parent-artifactid resteasy-jaxrs-all Medium Product jar package name resteasy Highest Product Manifest implementation-url http://rest-easy.org/resteasy-jaxrs Low Product Manifest os-name Linux Medium Product file name resteasy-jaxrs High Product Manifest specification-title RESTEasy JAX-RS Implementation Medium Version pom version 3.15.1.Final Highest Version Manifest Implementation-Version 3.15.1.Final High
resteasy-multipart-provider-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-multipart-provider/3.15.1.Final/resteasy-multipart-provider-3.15.1.Final.jar
MD5: 5b587259661c94cce338354fb1569ead
SHA1: 50d2a0fc2692cc9a4254b337d6a38db96fc2c614
SHA256: 44ba543ae8e7743ea30cefb49fa98351ce337bdc39dd0b36cad78bbe1b5e302d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest implementation-url http://rest-easy.org/resteasy-multipart-provider Low Vendor pom groupid org.jboss.resteasy Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor file name resteasy-multipart-provider High Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor pom name RESTEasy Multipart Provider High Vendor pom artifactid resteasy-multipart-provider Low Vendor Manifest os-arch amd64 Low Vendor Manifest java-vendor Oracle Corporation Medium Vendor hint analyzer vendor redhat Highest Vendor pom parent-artifactid resteasy-jaxrs-all Low Vendor pom groupid jboss.resteasy Highest Vendor pom parent-groupid org.jboss.resteasy Medium Vendor Manifest Implementation-Vendor-Id org.jboss.resteasy Medium Vendor jar package name jboss Highest Vendor jar package name resteasy Highest Vendor Manifest os-name Linux Medium Product Manifest implementation-url http://rest-easy.org/resteasy-multipart-provider Low Product file name resteasy-multipart-provider High Product pom name RESTEasy Multipart Provider High Product Manifest os-arch amd64 Low Product Manifest specification-title RESTEasy Multipart Provider Medium Product pom groupid jboss.resteasy Highest Product pom parent-groupid org.jboss.resteasy Medium Product pom artifactid resteasy-multipart-provider Highest Product jar package name jboss Highest Product pom parent-artifactid resteasy-jaxrs-all Medium Product jar package name resteasy Highest Product Manifest Implementation-Title RESTEasy Multipart Provider High Product Manifest os-name Linux Medium Version pom version 3.15.1.Final Highest Version Manifest Implementation-Version 3.15.1.Final High
simplefan-19.3.0.0.jar
Description:
Oracle Simple FAN
License:
Oracle Free Use Terms and Conditions (FUTC)
File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/simplefan/19.3.0.0/simplefan-19.3.0.0.jar
MD5: 9a1f7448f4c1fb779b1d8816e51a2c2f
SHA1: bcbfbb3cc529995f33c8694eb7cbc605c129e4e6
SHA256: 5138d658edff0e0106f0559f68c72fb90f1cd34381492995b75d0012ea9e12f2
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor jar (hint) package name sun Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor pom groupid oracle.ojdbc Highest Vendor pom name simplefan High Vendor jar package name oracle Highest Vendor file name simplefan High Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor pom artifactid simplefan Low Vendor jar package name simplefan Highest Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product pom groupid oracle.ojdbc Highest Product Manifest Implementation-Title Oracle Simple FAN High Product pom name simplefan High Product pom artifactid simplefan Highest Product jar package name oracle Highest Product file name simplefan High Product jar package name simplefan Highest Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
slf4j-api-1.7.16.jar
Description:
The slf4j API
File Path: /home/jenkins/.mvnrepository/org/slf4j/slf4j-api/1.7.16/slf4j-api-1.7.16.jar
MD5: 88a2b365604915be96d5a472209f6a37
SHA1: 3a6274f658487d5bfff9af3862beff6da1e7fd52
SHA256: e56288031f5e60652c06e7bb6e9fa410a61231ab54890f7b708fc6adc4107c5b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom groupid slf4j Highest Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor jar package name slf4j Highest Vendor pom url http://www.slf4j.org Highest Vendor pom parent-groupid org.slf4j Medium Vendor pom groupid org.slf4j Highest Vendor file name slf4j-api High Vendor pom artifactid slf4j-api Low Vendor pom parent-artifactid slf4j-parent Low Vendor pom name SLF4J API Module High Product pom groupid slf4j Highest Product pom artifactid slf4j-api Highest Product file name slf4j-api High Product pom url http://www.slf4j.org Medium Product pom parent-artifactid slf4j-parent Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product jar package name slf4j Highest Product Manifest Implementation-Title slf4j-api High Product Manifest bundle-symbolicname slf4j.api Medium Product pom parent-groupid org.slf4j Medium Product pom name SLF4J API Module High Product Manifest Bundle-Name slf4j-api Medium Version file version 1.7.16 High Version Manifest Bundle-Version 1.7.16 High Version pom version 1.7.16 Highest Version Manifest Implementation-Version 1.7.16 High
slf4j-jboss-logmanager-1.1.0.Final.jar
License:
Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: /home/jenkins/.mvnrepository/org/jboss/slf4j/slf4j-jboss-logmanager/1.1.0.Final/slf4j-jboss-logmanager-1.1.0.Final.jar
MD5: 5caba5010589a8455cb37317d674f82f
SHA1: 5f1c0e3f5082c21f6b4964b97fe5b1d5f8c42f53
SHA256: 1470840f56dee84303b0a81202c4b47f4b54815e9731e44cddb81c38df5e6d4d
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor file name slf4j-jboss-logmanager High Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor pom artifactid slf4j-jboss-logmanager Low Vendor Manifest build-jdk-spec 1.8 Low Vendor Manifest os-arch amd64 Low Vendor pom parent-groupid org.jboss Medium Vendor pom name SLF4J: JBoss Log Manager High Vendor hint analyzer vendor redhat Highest Vendor pom groupid jboss.slf4j Highest Vendor Manifest implementation-url http://www.jboss.org/slf4j-jboss-logmanager Low Vendor pom groupid org.jboss.slf4j Highest Vendor jar package name slf4j Highest Vendor Manifest java-vendor Red Hat, Inc Medium Vendor Manifest os-name Linux Medium Vendor pom parent-artifactid jboss-parent Low Product file name slf4j-jboss-logmanager High Product pom parent-artifactid jboss-parent Medium Product Manifest build-jdk-spec 1.8 Low Product Manifest os-arch amd64 Low Product pom parent-groupid org.jboss Medium Product pom name SLF4J: JBoss Log Manager High Product Manifest specification-title SLF4J: JBoss Log Manager Medium Product pom groupid jboss.slf4j Highest Product pom artifactid slf4j-jboss-logmanager Highest Product Manifest implementation-url http://www.jboss.org/slf4j-jboss-logmanager Low Product jar package name slf4j Highest Product Manifest Implementation-Title SLF4J: JBoss Log Manager High Product Manifest os-name Linux Medium Version Manifest Implementation-Version 1.1.0.Final High Version pom version 1.1.0.Final Highest Version pom parent-version 1.1.0.Final Low
smallrye-common-annotation-1.5.0.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/common/smallrye-common-annotation/1.5.0/smallrye-common-annotation-1.5.0.jar
MD5: dbbec1367ea326522e1972102db3b923
SHA1: 5a0a6bc9566d90ff8e6d1b9485a955fba7446785
SHA256: 45b4ee5b7df145a57b3d830ee8b605c9349a193bc20476280a82b0ef8b180cc0
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name common Highest Vendor pom parent-artifactid smallrye-common-parent Low Vendor pom name SmallRye Common: Annotations High Vendor Manifest build-jdk-spec 11 Low Vendor jar package name annotation Highest Vendor pom artifactid smallrye-common-annotation Low Vendor pom groupid io.smallrye.common Highest Vendor jar package name io Highest Vendor file name smallrye-common-annotation High Vendor jar package name smallrye Highest Product jar package name common Highest Product pom name SmallRye Common: Annotations High Product pom artifactid smallrye-common-annotation Highest Product Manifest build-jdk-spec 11 Low Product jar package name annotation Highest Product pom parent-artifactid smallrye-common-parent Medium Product pom groupid io.smallrye.common Highest Product jar package name io Highest Product file name smallrye-common-annotation High Product jar package name smallrye Highest Version pom version 1.5.0 Highest Version file version 1.5.0 High
smallrye-common-classloader-1.5.0.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/common/smallrye-common-classloader/1.5.0/smallrye-common-classloader-1.5.0.jar
MD5: dc7f0d656ccba8e4806b84a3c5688b86
SHA1: 26cf4eb8cdb9c9cd997937f55359e4aada9e4e69
SHA256: fc5fb97f877ce9955ff470d9404756a92e1ccaeab60ce8398b43ccc6e4a2fd07
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name common Highest Vendor pom name SmallRye Common: Classloader High Vendor Manifest multi-release true Low Vendor pom parent-artifactid smallrye-common-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor jar package name classloader Highest Vendor pom artifactid smallrye-common-classloader Low Vendor pom groupid io.smallrye.common Highest Vendor file name smallrye-common-classloader High Vendor jar package name io Highest Vendor jar package name smallrye Highest Product jar package name common Highest Product pom name SmallRye Common: Classloader High Product Manifest multi-release true Low Product Manifest build-jdk-spec 11 Low Product jar package name classloader Highest Product pom parent-artifactid smallrye-common-parent Medium Product pom artifactid smallrye-common-classloader Highest Product file name smallrye-common-classloader High Product pom groupid io.smallrye.common Highest Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.5.0 Highest Version file version 1.5.0 High
smallrye-common-constraint-1.5.0.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/common/smallrye-common-constraint/1.5.0/smallrye-common-constraint-1.5.0.jar
MD5: 3fc3f2e0bc5620798bcf8880186f40dc
SHA1: f00fa70282ca30369c8e6894a9a98211040df96e
SHA256: e9e7e0b2b6ea8193831ee50576ae7ba3a4473c42f302bc970010b78894bdb081
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom name SmallRye Common: Constraints High Vendor jar package name common Highest Vendor pom parent-artifactid smallrye-common-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor file name smallrye-common-constraint High Vendor pom artifactid smallrye-common-constraint Low Vendor pom groupid io.smallrye.common Highest Vendor jar package name io Highest Vendor jar package name smallrye Highest Vendor jar package name constraint Highest Product pom name SmallRye Common: Constraints High Product jar package name common Highest Product Manifest build-jdk-spec 11 Low Product file name smallrye-common-constraint High Product pom parent-artifactid smallrye-common-parent Medium Product pom artifactid smallrye-common-constraint Highest Product pom groupid io.smallrye.common Highest Product jar package name io Highest Product jar package name smallrye Highest Product jar package name constraint Highest Version pom version 1.5.0 Highest Version file version 1.5.0 High
smallrye-common-expression-1.5.0.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/common/smallrye-common-expression/1.5.0/smallrye-common-expression-1.5.0.jar
MD5: eb134b289137b024dd1cc69e5ab32cfb
SHA1: 7abbf56d3351467be41b9065ccff36a03e2ef8b3
SHA256: 075f6fccc45651a8dbd46fcecac696f34cebbe248edc7ef1455bdbdca4693c44
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom name SmallRye Common: Expressions High Vendor jar package name common Highest Vendor file name smallrye-common-expression High Vendor pom parent-artifactid smallrye-common-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor jar package name expression Highest Vendor pom artifactid smallrye-common-expression Low Vendor pom groupid io.smallrye.common Highest Vendor jar package name io Highest Vendor jar package name smallrye Highest Product pom name SmallRye Common: Expressions High Product jar package name common Highest Product file name smallrye-common-expression High Product pom artifactid smallrye-common-expression Highest Product Manifest build-jdk-spec 11 Low Product pom parent-artifactid smallrye-common-parent Medium Product jar package name expression Highest Product pom groupid io.smallrye.common Highest Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.5.0 Highest Version file version 1.5.0 High
smallrye-common-function-1.5.0.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/common/smallrye-common-function/1.5.0/smallrye-common-function-1.5.0.jar
MD5: 9a23ed939b63b257580cc8c577f49ec7
SHA1: 52f4e5172906ec8b73458565d5e6e2da9a5a1ec7
SHA256: a42324709399656f6b60264098a964d5a9345f1f3babb30331d786a27a022d45
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom artifactid smallrye-common-function Low Vendor jar package name common Highest Vendor pom parent-artifactid smallrye-common-parent Low Vendor file name smallrye-common-function High Vendor Manifest build-jdk-spec 11 Low Vendor jar package name function Highest Vendor pom name SmallRye Common: Functions High Vendor pom groupid io.smallrye.common Highest Vendor jar package name io Highest Vendor jar package name smallrye Highest Product jar package name common Highest Product file name smallrye-common-function High Product Manifest build-jdk-spec 11 Low Product pom parent-artifactid smallrye-common-parent Medium Product jar package name function Highest Product pom artifactid smallrye-common-function Highest Product pom name SmallRye Common: Functions High Product pom groupid io.smallrye.common Highest Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.5.0 Highest Version file version 1.5.0 High
smallrye-common-io-1.5.0.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/common/smallrye-common-io/1.5.0/smallrye-common-io-1.5.0.jar
MD5: ee5ebde7295cc479845a142088a18591
SHA1: 7672bac031cf77e646335ea2cd21f9a1e47986e9
SHA256: a366e809957556822fa672628902c55410f7c20b0fea20e774a29a193bf96c7a
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name common Highest Vendor Manifest multi-release true Low Vendor pom name SmallRye Common: IO High Vendor pom parent-artifactid smallrye-common-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor pom groupid io.smallrye.common Highest Vendor file name smallrye-common-io High Vendor jar package name io Highest Vendor jar package name smallrye Highest Vendor pom artifactid smallrye-common-io Low Product jar package name common Highest Product Manifest multi-release true Low Product pom name SmallRye Common: IO High Product Manifest build-jdk-spec 11 Low Product pom artifactid smallrye-common-io Highest Product pom parent-artifactid smallrye-common-parent Medium Product file name smallrye-common-io High Product pom groupid io.smallrye.common Highest Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.5.0 Highest Version file version 1.5.0 High
smallrye-config-1.13.1.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/config/smallrye-config/1.13.1/smallrye-config-1.13.1.jar
MD5: e4cdab3f7624c2b9ac630c55b1bdead6
SHA1: 17ba13f054d26cab64874ddc1d148dc925c441b2
SHA256: 80c33b79c9285a696651fd4386028025553d6f53dee7ae391aa74280878086cd
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid io.smallrye.config Highest Vendor pom parent-artifactid smallrye-config-parent Low Vendor Manifest build-jdk-spec 1.8 Low Vendor jar package name config Highest Vendor file name smallrye-config High Vendor pom artifactid smallrye-config Low Vendor pom name SmallRye: MicroProfile Config Implementation High Vendor jar package name io Highest Vendor jar package name smallrye Highest Product pom parent-artifactid smallrye-config-parent Medium Product pom artifactid smallrye-config Highest Product pom groupid io.smallrye.config Highest Product Manifest build-jdk-spec 1.8 Low Product jar package name config Highest Product file name smallrye-config High Product pom name SmallRye: MicroProfile Config Implementation High Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.13.1 Highest Version file version 1.13.1 High
smallrye-config-common-1.13.1.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/config/smallrye-config-common/1.13.1/smallrye-config-common-1.13.1.jar
MD5: bca4e718110408a4321fd399ffebf383
SHA1: 1b7420e8ea07f22e61593d74f075054fa6771733
SHA256: dcf759013e39eb77d55618bd07f98e61134adaecfa8d3835ed0ad96a24793ab8
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor jar package name common Highest Vendor file name smallrye-config-common High Vendor pom groupid io.smallrye.config Highest Vendor pom artifactid smallrye-config-common Low Vendor pom parent-artifactid smallrye-config-parent Low Vendor Manifest build-jdk-spec 1.8 Low Vendor jar package name config Highest Vendor pom name SmallRye: Common classes High Vendor jar package name io Highest Vendor jar package name smallrye Highest Product jar package name common Highest Product pom parent-artifactid smallrye-config-parent Medium Product file name smallrye-config-common High Product pom groupid io.smallrye.config Highest Product Manifest build-jdk-spec 1.8 Low Product jar package name config Highest Product pom name SmallRye: Common classes High Product pom artifactid smallrye-config-common Highest Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.13.1 Highest Version file version 1.13.1 High
smallrye-config-source-yaml-1.13.1.jar
File Path: /home/jenkins/.mvnrepository/io/smallrye/config/smallrye-config-source-yaml/1.13.1/smallrye-config-source-yaml-1.13.1.jar
MD5: 96b5c72053cc96db0bf3dc54f38cccbd
SHA1: d97fdef62f082739b046eca1ab7a19f6556e8464
SHA256: 8a43f9c82bd28ea9ce439d2d5a64610152d4bc52ae470ece9379ba316ca08760
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid io.smallrye.config Highest Vendor pom parent-artifactid smallrye-config-parent Low Vendor pom name SmallRye: MicroProfile Config Source - Yaml High Vendor pom artifactid smallrye-config-source-yaml Low Vendor Manifest build-jdk-spec 1.8 Low Vendor jar package name config Highest Vendor file name smallrye-config-source-yaml High Vendor jar package name source Highest Vendor jar package name io Highest Vendor jar package name smallrye Highest Product pom parent-artifactid smallrye-config-parent Medium Product pom groupid io.smallrye.config Highest Product pom name SmallRye: MicroProfile Config Source - Yaml High Product Manifest build-jdk-spec 1.8 Low Product jar package name config Highest Product file name smallrye-config-source-yaml High Product jar package name source Highest Product pom artifactid smallrye-config-source-yaml Highest Product jar package name io Highest Product jar package name smallrye Highest Version pom version 1.13.1 Highest Version file version 1.13.1 High
snakeyaml-1.27.jarDescription:
YAML 1.1 parser and emitter for Java License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/jenkins/.mvnrepository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar
MD5: 466ff09da784f9f21b2e6bf3b486a8cd
SHA1: 359d62567480b07a679dc643f82fc926b100eed5
SHA256: 7e7cce6740ed705bfdfaac7b442c1375d2986d2f2935936a5bd40c14e18fd736
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom url http://www.snakeyaml.org Highest Vendor Manifest automatic-module-name org.yaml.snakeyaml Medium Vendor pom artifactid snakeyaml Low Vendor file name snakeyaml High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom groupid yaml Highest Vendor Manifest bundle-symbolicname org.yaml.snakeyaml Medium Vendor jar package name parser Highest Vendor pom name SnakeYAML High Vendor jar package name snakeyaml Highest Vendor jar package name yaml Highest Vendor pom groupid org.yaml Highest Vendor jar package name emitter Highest Product pom url http://www.snakeyaml.org Medium Product Manifest automatic-module-name org.yaml.snakeyaml Medium Product file name snakeyaml High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom groupid yaml Highest Product jar package name parser Highest Product Manifest bundle-symbolicname org.yaml.snakeyaml Medium Product pom name SnakeYAML High Product pom artifactid snakeyaml Highest Product jar package name snakeyaml Highest Product jar package name yaml Highest Product jar package name emitter Highest Product Manifest Bundle-Name SnakeYAML Medium Version pom version 1.27 Highest Version file version 1.27 High
txw2-2.3.3-b02.jarDescription:
TXW is a library that allows you to write XML documents.
File Path: /home/jenkins/.mvnrepository/org/glassfish/jaxb/txw2/2.3.3-b02/txw2-2.3.3-b02.jar
MD5: 8354df7c79df67d56170b934a79a7df2
SHA1: 5c7ccf06d7f80cf101f20a03678b98e737aeadd7
SHA256: 44d9bfdadbbaeb90825180fec1e550970c2f75f19f39430e2d5e3e052ca6ffed
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom parent-groupid com.sun.xml.bind.mvn Medium Vendor pom groupid org.glassfish.jaxb Highest Vendor Manifest Implementation-Vendor Eclipse Foundation High Vendor pom groupid glassfish.jaxb Highest Vendor jar package name xml Highest Vendor jar package name txw Highest Vendor pom name TXW2 Runtime High Vendor jar package name sun Highest Vendor jar package name txw2 Highest Vendor file name txw2 High Vendor pom parent-artifactid jaxb-txw-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor pom artifactid txw2 Low Vendor jar (hint) package name oracle Highest Vendor Manifest git-revision 31fcc6e Low Vendor Manifest Implementation-Vendor-Id org.eclipse Medium Product pom parent-groupid com.sun.xml.bind.mvn Medium Product jar package name xml Highest Product pom groupid glassfish.jaxb Highest Product jar package name txw Highest Product pom name TXW2 Runtime High Product jar package name sun Highest Product jar package name txw2 Highest Product file name txw2 High Product Manifest build-jdk-spec 11 Low Product Manifest Implementation-Title Jakarta XML Binding Implementation High Product Manifest specification-title Jakarta XML Binding Medium Product pom parent-artifactid jaxb-txw-parent Medium Product Manifest git-revision 31fcc6e Low Product pom artifactid txw2 Highest Version Manifest build-id 2.3.3-b02 Medium Version pom version 2.3.3-b02 Highest Version Manifest Implementation-Version 2.3.3-b02 High
ucp-19.3.0.0.jarDescription:
Oracle Universal Connection Pool (UCP) License:
Oracle Free Use Terms and Conditions (FUTC) File Path: /home/jenkins/.mvnrepository/com/oracle/ojdbc/ucp/19.3.0.0/ucp-19.3.0.0.jar
MD5: 9845d08450b16c7ae81da60689d27f3c
SHA1: 796b661b0bb1818b7c04171837356acddcea504c
SHA256: 23d8debe40a764df74d5eda7e8c1ce9b2c190a34f739ca4d751eaa94114d31cc
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Highest Vendor jar (hint) package name sun Highest Vendor pom groupid com.oracle.ojdbc Highest Vendor jar package name ucp Highest Vendor pom name ucp High Vendor file name ucp High Vendor Manifest build-info 190404 Low Vendor pom artifactid ucp Low Vendor pom groupid oracle.ojdbc Highest Vendor jar package name oracle Highest Vendor Manifest Implementation-Vendor Oracle Corporation High Product pom url https://www.oracle.com/database/technologies/appdev/jdbc.html Medium Product Manifest Implementation-Title Oracle Universal Connection Pool High Product jar package name ucp Highest Product pom name ucp High Product file name ucp High Product Manifest build-info 190404 Low Product pom groupid oracle.ojdbc Highest Product jar package name oracle Highest Product pom artifactid ucp Highest Version pom version 19.3.0.0 Highest Version file version 19.3.0.0 High
wildfly-common-1.5.4.Final-format-001.jarLicense:
Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt File Path: /home/jenkins/.mvnrepository/org/wildfly/common/wildfly-common/1.5.4.Final-format-001/wildfly-common-1.5.4.Final-format-001.jar
MD5: 8cf2730c4d707939cbe16a1b7e846aa3
SHA1: d600b29d51306b30b29e7de64f6fedf61beb1808
SHA256: 9884f791f815d0fed8c51771af71164afd48f96e621f26009f9ebe791c053f1b
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor pom groupid org.wildfly.common Highest Vendor jar package name common Highest Vendor Manifest multi-release true Low Vendor jar package name wildfly Highest Vendor Manifest implementation-url http://www.jboss.org/wildfly-common Low Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name org Highest Vendor Manifest os-arch amd64 Low Vendor pom parent-groupid org.jboss Medium Vendor pom groupid wildfly.common Highest Vendor hint analyzer vendor redhat Highest Vendor pom artifactid wildfly-common Low Vendor file name wildfly-common High Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor Manifest os-name Linux Medium Vendor pom parent-artifactid jboss-parent Low Vendor Manifest Implementation-Vendor-Id org.wildfly.common Medium Product jar package name common Highest Product Manifest multi-release true Low Product jar package name wildfly Highest Product Manifest implementation-url http://www.jboss.org/wildfly-common Low Product pom parent-artifactid jboss-parent Medium Product jar package name org Highest Product Manifest os-arch amd64 Low Product pom parent-groupid org.jboss Medium Product pom groupid wildfly.common Highest Product Manifest specification-title wildfly-common Medium Product file name wildfly-common High Product Manifest Implementation-Title wildfly-common High Product pom artifactid wildfly-common Highest Product Manifest os-name Linux Medium Version pom version 1.5.4.Final-format-001 Highest Version pom parent-version 1.5.4.Final-format-001 Low Version Manifest Implementation-Version 1.5.4.Final-format-001 High
zjsonpatch-0.3.0.jarDescription:
Java Library to find / apply JSON Patches according to RFC 6902 License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/jenkins/.mvnrepository/io/fabric8/zjsonpatch/0.3.0/zjsonpatch-0.3.0.jar
MD5: c47f98189f594bd86ccbf40c5391b600
SHA1: d3ebf0f291297649b4c8dc3ecc81d2eddedc100d
SHA256: ae4e5e931646a25cb09b55186de4f3346e358e01130bef279ddf495a719c71d5
Referenced In Project/Scope: Entando Kubernetes Custom Model:compile
Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id io.fabric8 Medium Vendor pom artifactid zjsonpatch Low Vendor pom url fabric8io/zjsonpatch/ Highest Vendor Manifest implementation-url https://github.com/fabric8io/zjsonpatch/ Low Vendor jar package name fabric8 Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom name zjsonpatch High Vendor Manifest os-arch amd64 Low Vendor Manifest java-vendor Oracle Corporation Medium Vendor jar package name io Highest Vendor Manifest bundle-symbolicname io.fabric8.zjsonpatch Medium Vendor file name zjsonpatch High Vendor jar package name zjsonpatch Highest Vendor Manifest build-timestamp ${build.datetime} Low Vendor Manifest os-name Linux Medium Vendor pom groupid io.fabric8 Highest Product Manifest implementation-url https://github.com/fabric8io/zjsonpatch/ Low Product jar package name fabric8 Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom name zjsonpatch High Product Manifest os-arch amd64 Low Product Manifest specification-title zjsonpatch Medium Product jar package name io Highest Product pom url fabric8io/zjsonpatch/ High Product Manifest Bundle-Name zjsonpatch Medium Product Manifest bundle-symbolicname io.fabric8.zjsonpatch Medium Product file name zjsonpatch High Product jar package name zjsonpatch Highest Product pom artifactid zjsonpatch Highest Product Manifest build-timestamp ${build.datetime} Low Product Manifest os-name Linux Medium Product Manifest Implementation-Title zjsonpatch High Product pom groupid io.fabric8 Highest Version Manifest Implementation-Version 0.3.0 High Version Manifest Bundle-Version 0.3.0 High Version pom version 0.3.0 Highest Version file version 0.3.0 High
Suppressed Vulnerabilities
apache-mime4j-0.6.jar Description:
Java stream based MIME message parser License:
http://www.apache.org/licenses/LICENSE-2.0.html File Path: /home/jenkins/.mvnrepository/org/apache/james/apache-mime4j/0.6/apache-mime4j-0.6.jar
MD5: e90fb1ab3f8145ad00def6359da22faf
SHA1: 945007627e8d12275d755081a9e609c018e1210d
SHA256: fd7dde90195ba1aea3cfacb95b3022b2499adf676d1bc896d0fa5c257b596c6c
Evidence Type Source Name Value Confidence Vendor jar package name mime4j Highest Vendor Manifest bundle-symbolicname org.apache.james.apache-mime4j Medium Vendor Manifest url http://james.apache.org/mime4j Low Vendor jar package name apache Highest Vendor pom groupid org.apache.james Highest Vendor jar package name message Highest Vendor pom url http://james.apache.org/mime4j Highest Vendor pom parent-groupid org.apache.james Medium Vendor jar package name parser Highest Vendor file name apache-mime4j High Vendor pom name Apache JAMES Mime4j High Vendor pom artifactid apache-mime4j Low Vendor pom parent-artifactid james-project Low Vendor jar package name james Highest Vendor Manifest originally-created-by 1.6.0_10 (Sun Microsystems Inc.) Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor pom groupid apache.james Highest Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor Manifest bundle-docurl http://www.apache.org Low Product pom artifactid apache-mime4j Highest Product jar package name mime4j Highest Product Manifest bundle-symbolicname org.apache.james.apache-mime4j Medium Product Manifest url http://james.apache.org/mime4j Low Product jar package name apache Highest Product jar package name message Highest Product jar package name parser Highest Product pom parent-groupid org.apache.james Medium Product Manifest Implementation-Title Apache Mime4j High Product file name apache-mime4j High Product pom parent-artifactid james-project Medium Product pom name Apache JAMES Mime4j High Product Manifest Bundle-Name Apache JAMES Mime4j Medium Product jar package name james Highest Product Manifest originally-created-by 1.6.0_10 (Sun Microsystems Inc.) Low Product Manifest specification-title Apache Mime4j Medium Product pom url http://james.apache.org/mime4j Medium Product pom groupid apache.james Highest Product Manifest bundle-docurl http://www.apache.org Low Version pom version 0.6 Highest Version pom parent-version 0.6 Low Version file version 0.6 High Version Manifest Bundle-Version 0.6 High Version Manifest Implementation-Version 0.6 High
Suppressed Vulnerabilities CVE-2021-38542 suppressed
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in-the-middle command injection attacks, leading potentially to leakage of sensible information. CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N CVSSv3:
MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2021-40110 suppressed
In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regex in linear time without back-tracking. NVD-CWE-Other
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2021-40111 suppressed
In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P CVSSv3:
MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2021-40525 suppressed
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N CVSSv3:
CRITICAL (9.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N References:
Vulnerable Software & Versions:
arc-1.13.7.Final.jar
File Path: /home/jenkins/.mvnrepository/io/quarkus/arc/arc/1.13.7.Final/arc-1.13.7.Final.jar
MD5: 7fb241ef8cd6c9b51d5317c694e013f0
SHA1: e40d0d14b2d9e8825bd6429c69e150f5b05b549d
SHA256: 9ae5d30d3257efd1cafa2a59ebad62434a65dcc2c2e1e1053663d4e4e30e18a0
Evidence Type Source Name Value Confidence Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor jar package name quarkus Highest Vendor pom groupid io.quarkus.arc Highest Vendor Manifest build-jdk-spec 1.8 Low Vendor pom parent-artifactid arc-parent Low Vendor Manifest os-arch amd64 Low Vendor hint analyzer vendor redhat Highest Vendor pom name ArC - Runtime High Vendor file name arc High Vendor jar package name io Highest Vendor jar package name arc Highest Vendor pom artifactid arc Low Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor Manifest os-name Linux Medium Vendor Manifest implementation-url http://www.jboss.org/arc-parent/arc Low Product jar package name quarkus Highest Product Manifest specification-title ArC - Runtime Medium Product Manifest build-jdk-spec 1.8 Low Product pom groupid io.quarkus.arc Highest Product Manifest os-arch amd64 Low Product pom name ArC - Runtime High Product file name arc High Product jar package name arc Highest Product jar package name io Highest Product pom parent-artifactid arc-parent Medium Product Manifest Implementation-Title ArC - Runtime High Product pom artifactid arc Highest Product Manifest os-name Linux Medium Product Manifest implementation-url http://www.jboss.org/arc-parent/arc Low Version pom version 1.13.7.Final Highest Version Manifest Implementation-Version 1.13.7.Final High
Suppressed Vulnerabilities CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N CVSSv3:
MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E
MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
NVD-CWE-noinfo
CVSSv2:
Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CWE-203 Information Exposure Through Discrepancy
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
jakarta.el-api-3.0.3.jar
Description: Jakarta Expression Language defines an expression language for Java applications
License:
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
File Path: /home/jenkins/.mvnrepository/jakarta/el/jakarta.el-api/3.0.3/jakarta.el-api-3.0.3.jar
MD5: 528ed6138395d22fb54912b2b889e88e
SHA1: f311ab94bb1d4380690a53d737226a6b879dd4f1
SHA256: 47ae0a91fb6dd32fdaa5d9bda63df043ac8148e00c297ccce8ab9c56b95cf261
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jakarta.el-api | High
Vendor | pom | name | Jakarta Expression Language 3.0 API | High
Vendor | pom | artifactid | jakarta.el-api | Low
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | expression | Highest
Vendor | Manifest | bundle-docurl | https://www.eclipse.org | Low
Vendor | pom | parent-groupid | org.eclipse.ee4j | Medium
Vendor | pom | groupid | jakarta.el | Highest
Vendor | Manifest | extension-name | javax.el | Medium
Vendor | pom | url | https://projects.eclipse.org/projects/ee4j.el | Highest
Vendor | Manifest | bundle-symbolicname | javax.el-api | Medium
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | Implementation-Vendor | Oracle Corporation | High
Vendor | jar | package name | el | Highest
Product | file | name | jakarta.el-api | High
Product | pom | name | Jakarta Expression Language 3.0 API | High
Product | Manifest | Bundle-Name | Jakarta Expression Language 3.0 API | Medium
Product | jar | package name | javax | Highest
Product | jar | package name | expression | Highest
Product | Manifest | bundle-docurl | https://www.eclipse.org | Low
Product | pom | parent-groupid | org.eclipse.ee4j | Medium
Product | pom | artifactid | jakarta.el-api | Highest
Product | pom | groupid | jakarta.el | Highest
Product | Manifest | extension-name | javax.el | Medium
Product | Manifest | bundle-symbolicname | javax.el-api | Medium
Product | pom | url | https://projects.eclipse.org/projects/ee4j.el | Medium
Product | pom | parent-artifactid | project | Medium
Product | jar | package name | el | Highest
Version | Manifest | Bundle-Version | 3.0.3 | High
Version | pom | parent-version | 3.0.3 | Low
Version | file | version | 3.0.3 | High
Version | pom | version | 3.0.3 | Highest
Version | Manifest | Implementation-Version | 3.0.3 | High
Suppressed Vulnerabilities
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
CWE-20 Improper Input Validation
Notes: will fall away once we upgrade to Quarkus 2.x
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
kubernetes-client-5.3.2.jar
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-client/5.3.2/kubernetes-client-5.3.2.jar
MD5: 226416945fe9a626a2601c0662c1d023
SHA1: 47c46525e56237ad0204c02d63ebfa37b9162fb4
SHA256: 4c50b65a9c3ddd3fd562fd4cb62920e1fd5995ceeb77150a7b6be3f0b05ef515
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | kubernetes-client | High
Vendor | jar | package name | client | Highest
Vendor | pom | name | Fabric8 :: Kubernetes :: Java Client | High
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | parent-artifactid | kubernetes-client-project | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | kubernetes-client | Low
Vendor | jar | package name | io | Highest
Vendor | pom | groupid | io.fabric8 | Highest
Product | file | name | kubernetes-client | High
Product | jar | package name | client | Highest
Product | pom | name | Fabric8 :: Kubernetes :: Java Client | High
Product | jar | package name | kubernetes | Highest
Product | pom | artifactid | kubernetes-client | Highest
Product | pom | parent-artifactid | kubernetes-client-project | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | jar | package name | io | Highest
Product | pom | groupid | io.fabric8 | Highest
Version | pom | version | 5.3.2 | Highest
Version | file | version | 5.3.2 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2:
Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3:
Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2:
Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-admissionregistration-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-admissionregistration/5.3.1/kubernetes-model-admissionregistration-5.3.1.jar
MD5: 2ab85c7ac6a90ca15c9a979cb52c3281
SHA1: a2d32b6a3c3102d51e8e424145ac6f68f0dcd4fb
SHA256: 2b91b02289839ff36d7209161c95f144af4e1f08d6324200de85bb4c6ba8075b
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-admissionregistration/ | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | pom | artifactid | kubernetes-model-admissionregistration | Low
Vendor | file | name | kubernetes-model-admissionregistration | High
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-admissionregistration | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-admissionregistration/ | Low
Product | jar | package name | fabric8 | Highest
Product | pom | artifactid | kubernetes-model-admissionregistration | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | file | name | kubernetes-model-admissionregistration | High
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-admissionregistration | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-apiextensions-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-apiextensions/5.3.1/kubernetes-model-apiextensions-5.3.1.jar
MD5: d28c5e08c71e7fc4c1b9fb22411862db
SHA1: 6b45425f96585115b1df72071c7d20184ecfcd7c
SHA256: 699ccec1c9055bc48c05a8658a9e6153a4e637068d45a4cda0e41d30b066e483
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apiextensions/ | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: API Extensions | High
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apiextensions | Medium
Vendor | pom | artifactid | kubernetes-model-apiextensions | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | file | name | kubernetes-model-apiextensions | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | jar | package name | api | Highest
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apiextensions/ | Low
Product | pom | artifactid | kubernetes-model-apiextensions | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: API Extensions | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | pom | name | Fabric8 :: Kubernetes Model :: API Extensions | High
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apiextensions | Medium
Product | jar | package name | kubernetes | Highest
Product | file | name | kubernetes-model-apiextensions | High
Product | jar | package name | api | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: API Extensions | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-apps-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-apps/5.3.1/kubernetes-model-apps-5.3.1.jar
MD5: 4360873ef7cf5ffe8fb49b0b4b59c319
SHA1: 3376792449a8898dbcd7105d24e9432403eafda6
SHA256: c2f415fc9f6d5b05f0139630b718828c61818523a284b1098568902e7b38586a
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Apps | High
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apps | Medium
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | artifactid | kubernetes-model-apps | Low
Vendor | file | name | kubernetes-model-apps | High
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apps/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Apps | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Apps | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Apps | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-apps | Medium
Product | jar | package name | kubernetes | Highest
Product | pom | artifactid | kubernetes-model-apps | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | kubernetes-model-apps | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-apps/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-autoscaling-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-autoscaling/5.3.1/kubernetes-model-autoscaling-5.3.1.jar
MD5: 6382dbc3d4bc4fa44d8bf2ee52f39473
SHA1: 3b2f5332fde5e59a4460b67bc907ea61dae6e326
SHA256: af3a4119d175fcca1dbcddc7143987bd1c5e7d6f564df182ee6ac4d49ad46c5d
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | kubernetes-model-autoscaling | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | file | name | kubernetes-model-autoscaling | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-autoscaling | Medium
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Autoscaling | High
Vendor | pom | groupid | io.fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-autoscaling/ | Low
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Autoscaling | Medium
Product | file | name | kubernetes-model-autoscaling | High
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Autoscaling | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-autoscaling | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Autoscaling | High
Product | pom | artifactid | kubernetes-model-autoscaling | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-autoscaling/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-batch-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-batch/5.3.1/kubernetes-model-batch-5.3.1.jar
MD5: 907f860a03dbf20b5d66c04d9d7f15c0
SHA1: 18fd7b86db6662953badba43bba0c4da44b09ccb
SHA256: b6ca65fd01cd19954bb25beea0f07703b393cd1715b0045630acfee4a1096efa
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | kubernetes-model-batch | Low
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | file | name | kubernetes-model-batch | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-batch | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-batch/ | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Batch | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | file | name | kubernetes-model-batch | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-batch | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-batch/ | Low
Product | pom | artifactid | kubernetes-model-batch | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Batch | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Batch | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Batch | High
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-certificates-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-certificates/5.3.1/kubernetes-model-certificates-5.3.1.jar
MD5: 0623545e42ba0cb86cb52dfd51938642
SHA1: ba713c1facac7a402fd4c249dce348ab7bf3bfc6
SHA256: 76dfd4ba4cbf0d5b98f15b0296b61fab46ee4c4bb418b1a937aca111c187a12d
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | kubernetes-model-certificates | Low
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Certificates | High
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-certificates/ | Low
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | file | name | kubernetes-model-certificates | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-certificates | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Certificates | High
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Certificates | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-certificates/ | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Certificates | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | artifactid | kubernetes-model-certificates | Highest
Product | file | name | kubernetes-model-certificates | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-certificates | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-common-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-common/5.3.1/kubernetes-model-common-5.3.1.jar
MD5: 90804583439a71e9dc2c4f77959d58e8
SHA1: 0873373f955c2b532ac3bd52db756e68e3851030
SHA256: 42469c5f6ba8069e7d1367c312525b7719783102486a3b5dad5cd6d133c82d8e
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | file | name | kubernetes-model-common | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-common | Medium
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Common | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-common | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | jar | package name | model | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | groupid | io.fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-common/ | Low
Product | file | name | kubernetes-model-common | High
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-common | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Common | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Common | Medium
Product | jar | package name | io | Highest
Product | jar | package name | model | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | kubernetes-model-common | Highest
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Common | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-common/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-coordination-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-coordination/5.3.1/kubernetes-model-coordination-5.3.1.jar
MD5: ce204cbfc55e4b58d3640b0572750de8
SHA1: cbf7fbc5210412732dbb8290b2257f5b0db745d5
SHA256: 7a6b8c8542aeaabf86508d851ac3969b41bb37fa72c1ebdbcb618960bf8368d9
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | file | name | kubernetes-model-coordination | High
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Coordination | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-coordination | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-coordination | Medium
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-coordination/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Coordination | Medium
Product | file | name | kubernetes-model-coordination | High
Product | pom | name | Fabric8 :: Kubernetes Model :: Coordination | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | kubernetes-model-coordination | Highest
Product | jar | package name | kubernetes | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-coordination | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Coordination | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-coordination/ | Low
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: MEDIUM (6.7) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-core-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-core/5.3.1/kubernetes-model-core-5.3.1.jar
MD5: c5c848f93b9267c759f05a2fd04d29a2
SHA1: 08054029a8a1b601cfd716b650e58992c8d382f5
SHA256: 73781b0551f7a45ee86dbce3532317214ff9e581b29e24a40c2566cfc4e10c5c
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-core/ | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | pom | artifactid | kubernetes-model-core | Low
Vendor | jar | package name | io | Highest
Vendor | file | name | kubernetes-model-core | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-core | Medium
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Core | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-core | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-core/ | Low
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | file | name | kubernetes-model-core | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Core | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Core | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-core | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Core | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-discovery-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-discovery/5.3.1/kubernetes-model-discovery-5.3.1.jar
MD5: 56534518ebda855a194569d05d3862b5
SHA1: 1d69799a2e84a2db46a47c73619d87034fe9071c
SHA256: 8bd2d2d2ed443072d021fdfc7f242f55652a6a6ab76422b5807cca65ee391f6e
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-discovery | Medium
Vendor | pom | artifactid | kubernetes-model-discovery | Low
Vendor | file | name | kubernetes-model-discovery | High
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Discovery | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-discovery/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Discovery | Medium
Product | jar | package name | io | Highest
Product | pom | artifactid | kubernetes-model-discovery | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-discovery | Medium
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Discovery | Medium
Product | file | name | kubernetes-model-discovery | High
Product | jar | package name | kubernetes | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Discovery | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-discovery/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-events-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-events/5.3.1/kubernetes-model-events-5.3.1.jar
MD5: 8e5236b5e00ff1175f4c2e7dc9f9201e
SHA1: 6b8b7ca782bbdd4a7e3b0f0b10d07636d07f1755
SHA256: fc0bd1921af79490a2a369c47aab6b5da26ef844601fc3585c5de7c8cfd97677
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Events | High
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | kubernetes-model-events | Low
Vendor | file | name | kubernetes-model-events | High
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-events/ | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-events | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-events | Highest
Product | jar | package name | fabric8 | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Events | High
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Events | Medium
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | kubernetes-model-events | High
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-events/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Events | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-events | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-extensions-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-extensions/5.3.1/kubernetes-model-extensions-5.3.1.jar
MD5: 3686af2a8a1331420308867af321edba
SHA1: 33b11a2e9c6834227d73a48e0263c3ba2482b7ad
SHA256: 0aeca92cf1350bf2aa5c1aa6585b3a21c02cb48b2086a53a1f890beccde3bb47
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Extensions | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-extensions | Low
Vendor | file | name | kubernetes-model-extensions | High
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-extensions/ | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-extensions | Medium
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Extensions | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Extensions | High
Product | pom | artifactid | kubernetes-model-extensions | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Extensions | Medium
Product | jar | package name | fabric8 | Highest
Product | file | name | kubernetes-model-extensions | High
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-extensions/ | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-extensions | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-metrics-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-metrics/5.3.1/kubernetes-model-metrics-5.3.1.jar
MD5: f6f4cfefa726a5d686d4e420abb23ed3
SHA1: fd63c29fc8c195044b25c96d4eee9408da4116a6
SHA256: 5c7854b3bbb293f7af7c4abb274b14f7fc0c37b94f97b55c71b1d6ca96317aed
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Metrics | High
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-metrics/ | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-metrics | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | file | name | kubernetes-model-metrics | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | artifactid | kubernetes-model-metrics | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-metrics | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Metrics | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-metrics/ | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Metrics | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-metrics | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | file | name | kubernetes-model-metrics | High
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Metrics | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-networking-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-networking/5.3.1/kubernetes-model-networking-5.3.1.jar
MD5: 42ba97f281248f62b9af1bbe32853600
SHA1: a91d4e941c4d1909168c77b3c9b331cde376b6ea
SHA256: bab503ae79156df400189cee437be475bc12b5bac4133d0461a6e0e1995b8dd1
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-networking | Medium
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-networking/ | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | kubernetes-model-networking | Low
Vendor | file | name | kubernetes-model-networking | High
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Networking | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Networking | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-networking | Medium
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-networking/ | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | kubernetes-model-networking | High
Product | jar | package name | kubernetes | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Networking | High
Product | pom | artifactid | kubernetes-model-networking | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Networking | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-node-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-node/5.3.1/kubernetes-model-node-5.3.1.jar
MD5: 5976ea1af20de2d8a78f8e82d402b92e
SHA1: cb0da2e02fa163b28e21bb429689a540efae10b6
SHA256: 295afe4cd0d7ab953056ebed15a479e88707af421e30ff31bf8e9d34ccd7384b
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-node/ | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Node | High
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-node | Medium
Vendor | jar | package name | kubernetes | Highest
Vendor | file | name | kubernetes-model-node | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | artifactid | kubernetes-model-node | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-node/ | Low
Product | pom | name | Fabric8 :: Kubernetes Model :: Node | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Node | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-node | Medium
Product | jar | package name | kubernetes | Highest
Product | file | name | kubernetes-model-node | High
Product | pom | artifactid | kubernetes-model-node | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Node | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-policy-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-policy/5.3.1/kubernetes-model-policy-5.3.1.jar
MD5: f67052de69c31e47e8f0fd47683bdf76
SHA1: 68e49ecc663f6869cc15f987abfb2d3a99639fd8
SHA256: 57bea43842ad98822c75b479e51adbfd69d04f53ad963ad09080bb009ff099bd
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-policy/ | Low
Vendor | file | name | kubernetes-model-policy | High
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | artifactid | kubernetes-model-policy | Low
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Policy | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-policy | Medium
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-policy/ | Low
Product | file | name | kubernetes-model-policy | High
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | pom | artifactid | kubernetes-model-policy | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | pom | name | Fabric8 :: Kubernetes Model :: Policy | High
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Policy | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-policy | Medium
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Policy | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-rbac-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-rbac/5.3.1/kubernetes-model-rbac-5.3.1.jar
MD5: b10c079bdf6ce82d2239d822b4242cb5
SHA1: 617ab8115309f51f37ee8988a74649f3abfed479
SHA256: 46973ef711caf5451460993ab322b86f2c504a3ea2730c71e3c88d99c06eccf6
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | file | name | kubernetes-model-rbac | High
Vendor | pom | artifactid | kubernetes-model-rbac | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-rbac | Medium
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: RBAC | High
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-rbac/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | pom | artifactid | kubernetes-model-rbac | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | kubernetes-model-rbac | High
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: RBAC | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-rbac | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: RBAC | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-rbac/ | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: RBAC | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-scheduling-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-scheduling/5.3.1/kubernetes-model-scheduling-5.3.1.jar
MD5: 59a88846f29109d620abed09345eb437
SHA1: 938971ba59aa611e6edf9d5c48b89e7bdfb74821
SHA256: 3f2558d4ed97c7217f883712ad641fd73aec713df9f0b76aa3349811b8f54b2d
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-scheduling | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-scheduling/ | Low
Vendor | pom | artifactid | kubernetes-model-scheduling | Low
Vendor | file | name | kubernetes-model-scheduling | High
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Scheduling | High
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-scheduling | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Scheduling | Medium
Product | pom | artifactid | kubernetes-model-scheduling | Highest
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-scheduling/ | Low
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Scheduling | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | kubernetes-model-scheduling | High
Product | pom | name | Fabric8 :: Kubernetes Model :: Scheduling | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
kubernetes-model-storageclass-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/kubernetes-model-storageclass/5.3.1/kubernetes-model-storageclass-5.3.1.jar
MD5: f518536c72c632b99d10299c0754c62d
SHA1: 2cc4929a067a43355107dcd1b0118dda4dbc86a5
SHA256: 6eff7c11d175a9846cd8563af78cf3d3948e7f6b76e2cda2369861b13055c5d9
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | pom | name | Fabric8 :: Kubernetes Model :: Storage Class | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-storageclass | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-storageclass/ | Low
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | file | name | kubernetes-model-storageclass | High
Vendor | pom | artifactid | kubernetes-model-storageclass | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | specification-title | Fabric8 :: Kubernetes Model :: Storage Class | Medium
Product | pom | name | Fabric8 :: Kubernetes Model :: Storage Class | High
Product | pom | artifactid | kubernetes-model-storageclass | Highest
Product | Manifest | Bundle-Name | Fabric8 :: Kubernetes Model :: Storage Class | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.kubernetes-model-storageclass | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/kubernetes-model-storageclass/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | kubernetes-model-storageclass | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
openshift-client-5.3.2.jar
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-client/5.3.2/openshift-client-5.3.2.jar
MD5: ba0008db46e5a3606bb8cac97feaa5bb
SHA1: 9119e78817b5f18e66e29036bb7c4811ff28ce65
SHA256: c1a33745e9db1105cf82cf940afe701d8f2fdb3bded536eb55b62f4550340d53
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | client | Highest
Vendor | pom | name | Fabric8 :: Openshift :: Java Client | High
Vendor | file | name | openshift-client | High
Vendor | jar | package name | openshift | Highest
Vendor | pom | parent-artifactid | kubernetes-client-project | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | artifactid | openshift-client | Low
Vendor | jar | package name | io | Highest
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | client | Highest
Product | pom | name | Fabric8 :: Openshift :: Java Client | High
Product | pom | artifactid | openshift-client | Highest
Product | file | name | openshift-client | High
Product | pom | parent-artifactid | kubernetes-client-project | Medium
Product | jar | package name | openshift | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | jar | package name | io | Highest
Product | pom | groupid | io.fabric8 | Highest
Version | pom | version | 5.3.2 | Highest
Version | file | version | 5.3.2 | High
cpe:2.3:a:kubernetes:kubernetes:5.3.2:*:*:*:*:*:*:* suppressed (Confidence: Low)
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
openshift-model-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model/5.3.1/openshift-model-5.3.1.jar
MD5: 3ce206e9b705ef9ce505af22fc268c72
SHA1: 7c178a967e8ad18b4e29a938fe310d92cfda4efd
SHA256: d37911a3214b4811163ddf699847a180badedbf696e594bc8385edbcf5e28a25
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | bundle-symbolicname | io.fabric8.openshift-model | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | file | name | openshift-model | High
Vendor | pom | name | Fabric8 :: OpenShift Model | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | jar | package name | openshift | Highest
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model/ | Low
Vendor | pom | groupid | io.fabric8 | Highest
Vendor | pom | artifactid | openshift-model | Low
Product | pom | artifactid | openshift-model | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | Bundle-Name | Fabric8 :: OpenShift Model | Medium
Product | jar | package name | io | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.openshift-model | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | file | name | openshift-model | High
Product | pom | name | Fabric8 :: OpenShift Model | High
Product | Manifest | specification-title | Fabric8 :: OpenShift Model | Medium
Product | jar | package name | openshift | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
cpe:2.3:a:kubernetes:kubernetes:5.3.1:*:*:*:*:*:*:* suppressed (Confidence: Low)
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
openshift-model-console-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-console/5.3.1/openshift-model-console-5.3.1.jar
MD5: e9a4135b59f594840877e4cba3d53b0a
SHA1: 0bbdb8aa74cba2f3fd12dc5981001a5504df4cc6
SHA256: 0164ce87aa72b3c2750d5e13627bf46cdfd89d6da7e96e928d72672aab5b26dd
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.openshift-model-console | Medium
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-console/ | Low
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | jar | package name | openshift | Highest
Vendor | file | name | openshift-model-console | High
Vendor | pom | name | Fabric8 :: OpenShift Console Model | High
Vendor | pom | artifactid | openshift-model-console | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.openshift-model-console | Medium
Product | jar | package name | fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: OpenShift Console Model | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-console/ | Low
Product | pom | artifactid | openshift-model-console | Highest
Product | jar | package name | openshift | Highest
Product | file | name | openshift-model-console | High
Product | pom | name | Fabric8 :: OpenShift Console Model | High
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | specification-title | Fabric8 :: OpenShift Console Model | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
cpe:2.3:a:kubernetes:kubernetes:5.3.1:*:*:*:*:*:*:* suppressed (Confidence: Low)
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
openshift-model-monitoring-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-monitoring/5.3.1/openshift-model-monitoring-5.3.1.jar
MD5: 169af95527fb30ccc6109abc20b90f29
SHA1: 648788408c56b8068f850cac07c1b707c4ff0fbd
SHA256: a99ff75b409cfbfb43f70a93dae0b7c2c2868a895a9d3260a406004edd799105
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | name | Fabric8 :: OpenShift Monitoring Model | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | jar | package name | openshift | Highest
Vendor | file | name | openshift-model-monitoring | High
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-monitoring/ | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.openshift-model-monitoring | Medium
Vendor | pom | artifactid | openshift-model-monitoring | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | jar | package name | fabric8 | Highest
Product | pom | artifactid | openshift-model-monitoring | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | name | Fabric8 :: OpenShift Monitoring Model | High
Product | Manifest | Bundle-Name | Fabric8 :: OpenShift Monitoring Model | Medium
Product | Manifest | specification-title | Fabric8 :: OpenShift Monitoring Model | Medium
Product | jar | package name | openshift | Highest
Product | file | name | openshift-model-monitoring | High
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-monitoring/ | Low
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | Manifest | bundle-symbolicname | io.fabric8.openshift-model-monitoring | Medium
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
cpe:2.3:a:kubernetes:kubernetes:5.3.1:*:*:*:*:*:*:* suppressed (Confidence: Low)
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
openshift-model-operator-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-operator/5.3.1/openshift-model-operator-5.3.1.jar
MD5: 55a1c0a88fb5996ea0db81eeb923b2a2
SHA1: 7a945f7ef96526081b097648ef2491abbb53c943
SHA256: 7c21b3027d14e8166c79bdb12c7cdc9f65005266e314557127b15b34a6d41362
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-operator/ | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | pom | name | Fabric8 :: OpenShift Operator Model | High
Vendor | Manifest | bundle-symbolicname | io.fabric8.openshift-model-operator | Medium
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | jar | package name | openshift | Highest
Vendor | file | name | openshift-model-operator | High
Vendor | pom | artifactid | openshift-model-operator | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-operator/ | Low
Product | jar | package name | fabric8 | Highest
Product | Manifest | Bundle-Name | Fabric8 :: OpenShift Operator Model | Medium
Product | pom | name | Fabric8 :: OpenShift Operator Model | High
Product | Manifest | bundle-symbolicname | io.fabric8.openshift-model-operator | Medium
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | artifactid | openshift-model-operator | Highest
Product | Manifest | specification-title | Fabric8 :: OpenShift Operator Model | Medium
Product | jar | package name | openshift | Highest
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | openshift-model-operator | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
cpe:2.3:a:kubernetes:kubernetes:5.3.1:*:*:*:*:*:*:* suppressed (Confidence: Low)
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution. CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
openshift-model-operatorhub-5.3.1.jar
Description: Java client for Kubernetes and OpenShift
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/jenkins/.mvnrepository/io/fabric8/openshift-model-operatorhub/5.3.1/openshift-model-operatorhub-5.3.1.jar
MD5: 4c2d5e382a9c425a8413e4e71feb6524
SHA1: 0e65dee874276e6a322c258998e37b748401777a
SHA256: e1225d0febc847cba241f7f1c62c8970cfe269ce545877fe3c04a3731ae5d8fe
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | kubernetes-model-generator | Low
Vendor | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-operatorhub/ | Low
Vendor | jar | package name | fabric8 | Highest
Vendor | Manifest | bundle-docurl | http://redhat.com | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | name | Fabric8 :: OpenShift OperatorHub Model | High
Vendor | Manifest | specification-vendor | Red Hat | Low
Vendor | Manifest | bundle-symbolicname | io.fabric8.openshift-model-operatorhub | Medium
Vendor | jar | package name | openshift | Highest
Vendor | file | name | openshift-model-operatorhub | High
Vendor | pom | artifactid | openshift-model-operatorhub | Low
Vendor | pom | groupid | io.fabric8 | Highest
Product | Manifest | implementation-url | http://fabric8.io/kubernetes-model-generator/openshift-model-operatorhub/ | Low
Product | pom | artifactid | openshift-model-operatorhub | Highest
Product | jar | package name | fabric8 | Highest
Product | Manifest | bundle-docurl | http://redhat.com | Low
Product | Manifest | Bundle-Name | Fabric8 :: OpenShift OperatorHub Model | Medium
Product | jar | package name | io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | name | Fabric8 :: OpenShift OperatorHub Model | High
Product | Manifest | specification-title | Fabric8 :: OpenShift OperatorHub Model | Medium
Product | jar | package name | openshift | Highest
Product | Manifest | bundle-symbolicname | io.fabric8.openshift-model-operatorhub | Medium
Product | pom | parent-artifactid | kubernetes-model-generator | Medium
Product | file | name | openshift-model-operatorhub | High
Product | pom | groupid | io.fabric8 | Highest
Version | file | version | 5.3.1 | High
Version | pom | version | 5.3.1 | Highest
Version | Manifest | Bundle-Version | 5.3.1 | High
Version | Manifest | specification-version | 5.3.1 | High
cpe:2.3:a:kubernetes:kubernetes:5.3.1:*:*:*:*:*:*:* suppressed (Confidence: Low)
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
Suppressed Vulnerabilities
CVE-2020-8554 suppressed
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8570 suppressed
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25738 suppressed
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution. CWE-20 Improper Input Validation
Notes: A whole lot of false positives based on K8S's internals that have nothing to do with our CRDs
CVSSv2: Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.7) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
quarkus-arc-1.13.7.Final.jar
Description: Build time CDI dependency injection
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-arc/1.13.7.Final/quarkus-arc-1.13.7.Final.jar
MD5: fb5c9e9b6477e59fe79f73b6c29d4a6e
SHA1: 7b5e15f86fc4a7340cf5f8832d02ac9a7a5d3cdc
SHA256: eec42a76cecdf9cbeedb9859cd1ed54b7ec8f6a7d61348734fffc1a048fd8dda
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-arc-parent/quarkus-arc | Low
Vendor | jar | package name | quarkus | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | pom | name | Quarkus - ArC - Runtime | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | jar | package name | runtime | Highest
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | io | Highest
Vendor | jar | package name | arc | Highest
Vendor | file | name | quarkus-arc | High
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | pom | artifactid | quarkus-arc | Low
Vendor | pom | parent-artifactid | quarkus-arc-parent | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | pom | artifactid | quarkus-arc | Highest
Product | jar | package name | quarkus | Highest
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-arc-parent/quarkus-arc | Low
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | pom | name | Quarkus - ArC - Runtime | High
Product | Manifest | os-arch | amd64 | Low
Product | jar | package name | runtime | Highest
Product | jar | package name | arc | Highest
Product | jar | package name | io | Highest
Product | file | name | quarkus-arc | High
Product | Manifest | specification-title | Quarkus - ArC - Runtime | Medium
Product | Manifest | Implementation-Title | Quarkus - ArC - Runtime | High
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Product | pom | parent-artifactid | quarkus-arc-parent | Medium
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-bootstrap-runner-1.13.7.Final.jar
Description: The entry point for production applications using the custom ClassLoader. This contains the production ClassLoader code and must not have any non-parent-first dependencies.
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-bootstrap-runner/1.13.7.Final/quarkus-bootstrap-runner-1.13.7.Final.jar
MD5: 57a3e39a45aedcde95858e0426223058
SHA1: e1f2ee0ec42fcffa417f1d49ff3edded25212528
SHA256: da8b7f5dfd7403a180df34dd482bb8abf0b3aec836f7c9d02b41185535e744e7
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | jar | package name | bootstrap | Highest
Vendor | jar | package name | runner | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | file | name | quarkus-bootstrap-runner | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-bootstrap-parent/quarkus-bootstrap-runner | Low
Vendor | jar | package name | io | Highest
Vendor | pom | artifactid | quarkus-bootstrap-runner | Low
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | pom | name | Quarkus - Bootstrap - Runner | High
Vendor | pom | parent-artifactid | quarkus-bootstrap-parent | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | pom | parent-artifactid | quarkus-bootstrap-parent | Medium
Product | jar | package name | quarkus | Highest
Product | jar | package name | bootstrap | Highest
Product | jar | package name | runner | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | file | name | quarkus-bootstrap-runner | High
Product | Manifest | os-arch | amd64 | Low
Product | Manifest | Implementation-Title | Quarkus - Bootstrap - Runner | High
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-bootstrap-parent/quarkus-bootstrap-runner | Low
Product | jar | package name | io | Highest
Product | pom | artifactid | quarkus-bootstrap-runner | Highest
Product | pom | name | Quarkus - Bootstrap - Runner | High
Product | Manifest | specification-title | Quarkus - Bootstrap - Runner | Medium
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E
MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which did not fix this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
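The two Netty decoder issues above (CVE-2021-37136 and CVE-2021-37137, listed again under quarkus-core further down) share one root cause: the decoder sizes its output from attacker-controlled data before checking it. The Python below is an example added by the editor and is not Netty's code. It shows the two controls the fixes introduced: a cap enforced while output is produced (here with the standard library's bz2 decompressor) and a length check performed on a framed stream before any buffer is sized from the declared length, with skippable chunks discarded as soon as their header is read. The framing mimics the Snappy frame layout (1-byte type, 3-byte little-endian length) but every input is constructed for the demonstration; the same check-before-allocate rule is the fix class for the jackson-dataformat-cbor entry (CVE-2020-28491) under quarkus-core.

```python
import bz2


class DecompressionLimitExceeded(ValueError):
    """Raised before more than the permitted number of bytes is materialised."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a bz2 stream without ever holding more than max_output bytes.

    BZ2Decompressor.decompress(max_length=...) hands back at most `chunk` bytes
    per call and parks the remainder inside the decompressor, so the ceiling is
    enforced as output is produced instead of after one huge allocation, which
    is the control Bzip2Decoder lacked (CVE-2021-37136).
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not decomp.eof:
        if decomp.needs_input:
            if not pending:
                raise ValueError("truncated bz2 stream")
            piece = decomp.decompress(pending, max_length=chunk)
            pending = b""
        else:
            piece = decomp.decompress(b"", max_length=chunk)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeds {max_output} bytes")
    return bytes(out)


# Snappy-style framing: 1-byte chunk type, 3-byte little-endian payload length, payload.
# Types 0x80..0xFD are "reserved skippable" and must be discarded, never buffered.
SKIPPABLE_RANGE = range(0x80, 0xFE)


def parse_framed_chunks(stream: bytes, max_chunk: int = 1 << 20) -> list:
    """Walk a framed stream, checking each declared length against max_chunk
    before any buffer is sized from it and dropping skippable chunks on sight
    (the two gaps behind CVE-2021-37137).

    Returns [(chunk_type, payload), ...] for the non-skippable chunks. Payloads
    are returned as-is; decoding them is out of scope here.
    """
    chunks = []
    i = 0
    while i < len(stream):
        if len(stream) - i < 4:
            raise ValueError("truncated chunk header")
        ctype = stream[i]
        length = int.from_bytes(stream[i + 1:i + 4], "little")
        i += 4
        if length > max_chunk:
            raise DecompressionLimitExceeded(
                f"chunk type 0x{ctype:02x} declares {length} bytes, cap is {max_chunk}")
        if len(stream) - i < length:
            raise ValueError("truncated chunk payload")
        if ctype not in SKIPPABLE_RANGE:
            chunks.append((ctype, stream[i:i + length]))
        i += length
    return chunks


def _frame(ctype: int, payload: bytes) -> bytes:
    return bytes([ctype]) + len(payload).to_bytes(3, "little") + payload


# Constructed inputs for the demonstration, not real captures.
BOMB = bz2.compress(b"\0" * (4 * 1024 * 1024))      # 4 MiB of zeros, tiny once compressed
GOOD_STREAM = _frame(0xFF, b"sNaPpY") + _frame(0x01, b"hello") + _frame(0x80, b"xyz")
HOSTILE_HEADER = bytes([0x80]) + (0xFFFFFF).to_bytes(3, "little")   # claims 16 MiB, sends nothing


if __name__ == "__main__":
    print(len(BOMB), "compressed bytes")
    try:
        bounded_bz2_decompress(BOMB, max_output=1 << 20)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
    print(parse_framed_chunks(GOOD_STREAM))
```

The cap in bounded_bz2_decompress is a hard ceiling on memory, not on input size: the bomb is accepted when the ceiling is 8 MiB and rejected at 1 MiB, with no more than one extra chunk ever resident. HOSTILE_HEADER is rejected on its four header bytes alone, before the parser waits for a payload that will never arrive.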
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. That remote system can no longer see the invalid usage, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-core-1.13.7.Final.jar
Description: Quarkus core components
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-core/1.13.7.Final/quarkus-core-1.13.7.Final.jar
MD5: 5b51d9946e3afd459b0bd7464ad299ce
SHA1: 771c74d1ec7f2179e33b22145414af969cd0d66e
SHA256: 7e8aae1493920f98bfb29be1b67310c4d8ef1e4d0e7a8ae2fa9696fca21a9f78
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-core-parent/quarkus-core | Low
Vendor | pom | name | Quarkus - Core - Runtime | High
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | jar | package name | runtime | Highest
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | quarkus-core-parent | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | file | name | quarkus-core | High
Vendor | pom | artifactid | quarkus-core | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-core-parent/quarkus-core | Low
Product | pom | name | Quarkus - Core - Runtime | High
Product | Manifest | specification-title | Quarkus - Core - Runtime | Medium
Product | pom | artifactid | quarkus-core | Highest
Product | jar | package name | quarkus | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | os-arch | amd64 | Low
Product | jar | package name | runtime | Highest
Product | jar | package name | io | Highest
Product | pom | parent-artifactid | quarkus-core-parent | Medium
Product | file | name | quarkus-core | High
Product | Manifest | os-name | Linux | Medium
Product | Manifest | Implementation-Title | Quarkus - Core - Runtime | High
Product | pom | groupid | io.quarkus | Highest
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E
MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
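CVE-2021-21295 and CVE-2021-21409 above, and CVE-2021-43797 earlier in this list, are the same failure seen from two angles: a proxy accepts something on the inbound side that its outbound HTTP/1.1 peer will interpret differently. The Python model below is an example added by the editor, not Netty code. It shows the difference between sanitising an invalid header name and rejecting it, and why Content-Length must be reconciled with the actual body before an HTTP/2 request is rewritten as HTTP/1.1, by feeding the naively downgraded bytes to a minimal HTTP/1.1 request splitter that plays the backend. The requests, header values and the hostname app.example are constructed; a custom ChannelInboundHandler placed behind Http2StreamFrameToHttpObjectCodec, as the advisory's workaround suggests, would perform the checks that safe_downgrade performs here.

```python
# RFC 7230 "tchar": the only bytes permitted in an HTTP header field name.
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


class InvalidHeaderName(ValueError):
    pass


class SmugglingRisk(ValueError):
    pass


def sanitize_header_name(name: bytes) -> bytes:
    """The behaviour CVE-2021-43797 describes: silently drop control characters at
    either end of the name and forward what is left. The backend then sees a
    well-formed name and has no reason to reject the request itself."""
    return name.strip(bytes(range(0x21)) + b"\x7f")


def validate_header_name(name: bytes) -> bytes:
    """Fail fast: a non-tchar byte anywhere in the name is a protocol error, not something to repair."""
    if not name or any(b not in TCHAR for b in name):
        raise InvalidHeaderName(f"invalid header field name: {name!r}")
    return name


def _serialise(method: bytes, path: bytes, headers, body: bytes) -> bytes:
    lines = [method + b" " + path + b" HTTP/1.1"]
    lines += [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def naive_downgrade(method, path, headers, body):
    """Forward an HTTP/2 request to an HTTP/1.1 backend as-is. In HTTP/2 the frame
    length delimits the body, so a wrong Content-Length is inert; on the HTTP/1.1
    side it becomes the delimiter (CVE-2021-21295, CVE-2021-21409)."""
    return _serialise(method, path, headers, body)


def safe_downgrade(method, path, headers, body):
    """Validate names and reconcile Content-Length before the request crosses into HTTP/1.1."""
    declared = None
    kept = []
    for name, value in headers:
        lname = validate_header_name(name).lower()
        if lname == b"transfer-encoding":
            raise SmugglingRisk("Transfer-Encoding is not allowed in HTTP/2")
        if lname == b"content-length":
            if not value.isdigit() or (declared is not None and declared != value):
                raise SmugglingRisk(f"malformed or conflicting Content-Length {value!r}")
            declared = value
            continue                      # re-emitted below from the real body length
        kept.append((lname, value))
    if declared is not None and int(declared) != len(body):
        raise SmugglingRisk(f"Content-Length {declared!r} does not match body of {len(body)} bytes")
    kept.append((b"content-length", str(len(body)).encode()))
    return _serialise(method, path, kept, body)


def split_h1_requests(stream: bytes) -> list:
    """Minimal model of an HTTP/1.1 backend: each body is exactly Content-Length
    bytes, and whatever follows is parsed as the start of the next request."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete request head")
        lines = head.split(b"\r\n")
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        requests.append((lines[0], rest[:length]))
        stream = rest[length:]
    return requests


# Constructed attacker request: Content-Length says 0, but the HTTP/2 DATA frame carries
# a second, complete request that the HTTP/1.1 backend will parse on its own.
ATTACK_HEADERS = [(b"host", b"app.example"), (b"content-length", b"0")]
ATTACK_BODY = b"GET /admin HTTP/1.1\r\nhost: app.example\r\n\r\n"

# CVE-2021-21409 shape: a single HEADERS frame with END_STREAM (empty body) but a non-zero length.
HEADERS_ONLY = [(b"host", b"app.example"), (b"content-length", b"5")]


def demo_naive() -> list:
    """What the backend sees when the proxy forwards without checking: two requests."""
    return split_h1_requests(naive_downgrade(b"POST", b"/", ATTACK_HEADERS, ATTACK_BODY))


if __name__ == "__main__":
    for line, body in demo_naive():
        print("backend saw:", line, body)
    for hdrs, body in ((ATTACK_HEADERS, ATTACK_BODY), (HEADERS_ONLY, b"")):
        try:
            safe_downgrade(b"POST", b"/", hdrs, body)
        except SmugglingRisk as exc:
            print("blocked:", exc)
```

The HEADERS_ONLY case is the one CVE-2021-21409 added: the backend would wait for five body bytes that never come and then treat the next client's bytes as that body, so the desync runs in the opposite direction but is just as exploitable. Note that safe_downgrade rewrites Content-Length from the body it actually holds rather than trusting the declared value even when the two agree; that keeps the check local and independent of how the frames arrived.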
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
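Repository content filtering, the control that CVE-2021-29427 above bypassed inside pluginManagement, is easier to reason about with a small model. The Python below is an example added by the editor, not Gradle's resolver. It implements includeGroup / excludeGroupByRegex style filters over an ordered list of repositories and resolves a dynamic version request (the "+" case) by taking the highest version offered. Running the same request with filters honoured and then ignored reproduces both risks the advisory names: the query reaching the public repository (information leak of the internal coordinates) and the squatted artifact with an absurd version number winning (dependency poisoning). Repository names, coordinates and versions are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Repository:
    """A Maven-style repository plus the content filter Gradle lets you attach to it."""
    name: str
    inventory: dict                                           # {group: {artifact: [versions]}}, constructed
    include_groups: list = field(default_factory=list)        # includeGroup(...)
    exclude_group_regexes: list = field(default_factory=list)  # excludeGroupByRegex(...)

    def allows(self, group: str) -> bool:
        if self.include_groups and group not in self.include_groups:
            return False
        return not any(re.fullmatch(rx, group) for rx in self.exclude_group_regexes)

    def versions(self, group: str, artifact: str) -> list:
        return self.inventory.get(group, {}).get(artifact, [])


def version_key(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def resolve(group: str, artifact: str, repositories: list, honour_filters: bool = True):
    """Resolve a dynamic version request: ask every eligible repository and take
    the highest version offered. Returns (repo_name, version, queried_repos).

    honour_filters=False reproduces the faulty pluginManagement path from
    CVE-2021-29427: content filters are ignored, every repository is asked
    (leaking the internal coordinates), and a squatted public artifact with a
    larger version number wins the comparison.
    """
    queried, candidates = [], []
    for repo in repositories:
        if honour_filters and not repo.allows(group):
            continue
        queried.append(repo.name)
        for v in repo.versions(group, artifact):
            candidates.append((version_key(v), v, repo.name))
    if not candidates:
        raise LookupError(f"{group}:{artifact} not found in {queried}")
    _, version, repo_name = max(candidates)
    return repo_name, version, queried


# Constructed repositories. The internal plugin exists only in the corporate
# repository; an attacker has published the same coordinates publicly with an
# absurdly high version, the classic dependency-confusion move.
REPOSITORIES = [
    Repository(
        name="corp-nexus",
        inventory={"com.acme.build": {"gradle-plugin": ["1.3.0", "1.4.0"]}},
        include_groups=["com.acme.build"],
    ),
    Repository(
        name="maven-central",
        inventory={
            "com.acme.build": {"gradle-plugin": ["99.0.0"]},
            "org.jsoup": {"jsoup": ["1.13.1", "1.14.2"]},
        },
        exclude_group_regexes=[r"com\.acme\..*"],
    ),
]


if __name__ == "__main__":
    print("filtered:  ", resolve("com.acme.build", "gradle-plugin", REPOSITORIES))
    print("unfiltered:", resolve("com.acme.build", "gradle-plugin", REPOSITORIES, honour_filters=False))
    print("public dep:", resolve("org.jsoup",      "jsoup",         REPOSITORIES))
```

The two filters are complementary: includeGroup on the internal repository keeps it from being asked for public artifacts (which would otherwise disclose what the build uses to whoever runs that server), and the exclude regex on the public repository keeps internal groups from ever leaving the organisation. Either one alone closes only half of the problem, which is why the advisory's workaround puts the rules on the repositories themselves, inside buildscript.repositories, rather than relying on the pluginManagement block.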
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-development-mode-spi-1.13.7.Final.jar
Description: SPI classes for Quarkus Development mode.
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-development-mode-spi/1.13.7.Final/quarkus-development-mode-spi-1.13.7.Final.jar
MD5: 6cde3f8cbc0a3c5a10587095636ff42c
SHA1: 1653a85ffc1b85895b91f7eed70e84f3317ea15c
SHA256: 17ab4d067124469fdfab48f9dbbe734acb60737f8ae4b958e38eb6a8693607a9
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | jar | package name | spi | Highest
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | name | Quarkus - Development mode - SPI | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | quarkus-build-parent | Low
Vendor | pom | artifactid | quarkus-development-mode-spi | Low
Vendor | jar | package name | io | Highest
Vendor | file | name | quarkus-development-mode-spi | High
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-development-mode-spi | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | pom | artifactid | quarkus-development-mode-spi | Highest
Product | jar | package name | spi | Highest
Product | Manifest | specification-title | Quarkus - Development mode - SPI | Medium
Product | jar | package name | quarkus | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | os-arch | amd64 | Low
Product | pom | name | Quarkus - Development mode - SPI | High
Product | jar | package name | io | Highest
Product | file | name | quarkus-development-mode-spi | High
Product | pom | parent-artifactid | quarkus-build-parent | Medium
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-development-mode-spi | Low
Product | Manifest | Implementation-Title | Quarkus - Development mode - SPI | High
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/ DEBIAN - DSA-4885 MISC - https://github.com/Netflix/zuul/pull/980 MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E MISC - 
https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. 
please confirm these version and fix. thx MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48) MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [GitHub] 
[hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022 MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) 
Upgrade of netty-codec due to CVE-2021-21295 MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290 MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290 MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0 MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295 MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295 MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-commits] 20210331 
[zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42 MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42 MLIST - [zookeeper-issues] 20210928 [jira] [Updated] 
(ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42 MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: MEDIUM (5.3) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-ide-launcher-1.13.7.Final.jar
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-ide-launcher/1.13.7.Final/quarkus-ide-launcher-1.13.7.Final.jar
MD5: 3536e9a347cd1e23bfb136daf94da609
SHA1: 9fc2506080352358d9c707814d91eb5c6ca8d740
SHA256: ab8d9bc2c92a91e6301d62956ef00e6f6107b5554835f009c7917264d07e41ca
Evidence:
Evidence Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-ide-launcher | Low
Vendor | jar | package name | launcher | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | quarkus-build-parent | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | pom | artifactid | quarkus-ide-launcher | Low
Vendor | file | name | quarkus-ide-launcher | High
Vendor | pom | name | Quarkus - IDE Launcher | High
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-ide-launcher | Low
Product | jar | package name | launcher | Highest
Product | jar | package name | quarkus | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | os-arch | amd64 | Low
Product | Manifest | Implementation-Title | Quarkus - IDE Launcher | High
Product | jar | package name | io | Highest
Product | pom | parent-artifactid | quarkus-build-parent | Medium
Product | file | name | quarkus-ide-launcher | High
Product | pom | name | Quarkus - IDE Launcher | High
Product | pom | artifactid | quarkus-ide-launcher | Highest
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Product | Manifest | specification-title | Quarkus - IDE Launcher | Medium
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E
MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (5.3) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: HIGH (7.2) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: HIGH (7.8) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-jackson-1.13.7.Final.jar
Description: Jackson Databind support
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-jackson/1.13.7.Final/quarkus-jackson-1.13.7.Final.jar
MD5: 60fbd76f3529a1cf7d648d3319110982
SHA1: aecd315a3627c81e3adf9b281102523d77c8cfb6
SHA256: 8abe6a94c3430077f4cbfbad1dcfcfbaa9b904a98516ab1a300a7d9c9e9fcf17
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | pom | parent-artifactid | quarkus-jackson-parent | Low
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | file | name | quarkus-jackson | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | name | Quarkus - Jackson - Runtime | High
Vendor | jar | package name | runtime | Highest
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-jackson-parent/quarkus-jackson | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | pom | artifactid | quarkus-jackson | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Vendor | jar | package name | jackson | Highest
Product | jar | package name | quarkus | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | file | name | quarkus-jackson | High
Product | Manifest | os-arch | amd64 | Low
Product | pom | name | Quarkus - Jackson - Runtime | High
Product | jar | package name | runtime | Highest
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-jackson-parent/quarkus-jackson | Low
Product | jar | package name | io | Highest
Product | pom | parent-artifactid | quarkus-jackson-parent | Medium
Product | Manifest | Implementation-Title | Quarkus - Jackson - Runtime | High
Product | Manifest | specification-title | Quarkus - Jackson - Runtime | Medium
Product | pom | artifactid | quarkus-jackson | Highest
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Product | jar | package name | jackson | Highest
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E
MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: MEDIUM (5.3) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
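Both Netty entries above (CVE-2021-37136 for Bzip2Decoder and CVE-2021-37137 for the Snappy frame decoder) share one root cause: the decoder has no ceiling on how much decompressed output it will allocate. The following is an added example, not Netty code, showing the mitigation pattern in plain Java: stream the inflated data and abort as soon as it crosses a configured limit. It uses the JDK's gzip codec because the JDK ships no bzip2 or Snappy implementation; the ceiling logic is the same regardless of codec. The "zero bomb" payload is constructed in the example itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/** Added example: decompression with an output-size ceiling. Not Netty project code. */
public final class BoundedDecompress {

    /** Thrown when the decompressed output would exceed the configured ceiling. */
    public static final class DecompressionLimitExceeded extends IOException {
        public DecompressionLimitExceeded(long limit) {
            super("decompressed output exceeds " + limit + " bytes");
        }
    }

    /** Streams the output in 8 KiB chunks and stops as soon as the ceiling is crossed,
     *  so a highly compressible payload never gets fully materialised in memory. */
    public static byte[] gunzipBounded(byte[] compressed, long maxOutputBytes) throws IOException {
        try (InputStream in = new GZIPInputStream(new ByteArrayInputStream(compressed));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > maxOutputBytes) {
                    throw new DecompressionLimitExceeded(maxOutputBytes);
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** Constructed sample: plainBytes of zeros, which DEFLATE shrinks at roughly 1000:1. */
    public static byte[] makeZeroBomb(int plainBytes) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            byte[] zeros = new byte[1 << 20];
            for (int written = 0; written < plainBytes; written += zeros.length) {
                gz.write(zeros, 0, Math.min(zeros.length, plainBytes - written));
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] bomb = makeZeroBomb(64 << 20);   // 64 MiB of plaintext
        System.out.println("compressed size: " + bomb.length + " bytes");
        try {
            gunzipBounded(bomb, 1 << 20);       // 1 MiB ceiling
            System.out.println("unexpected: bomb fully inflated");
        } catch (DecompressionLimitExceeded e) {
            System.out.println("rejected: " + e.getMessage());
        }
        byte[] small = makeZeroBomb(4096);
        System.out.println("small payload inflated to " + gunzipBounded(small, 1 << 20).length + " bytes");
    }
}
```

The ceiling should be set from what the consumer can actually hold (a request body limit, a frame size), not from the compressed size, since the compressed size is exactly what the attacker controls.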
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
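The jsoup advisory above lists two workarounds for parsers that may loop or run slowly on hostile input: cap input size and put the parse under a thread watchdog. The following is an added example (not jsoup code) of both controls in plain Java. The parser is a stand-in Callable that counts tags and deliberately hangs on the constructed marker "<!--stuck"; in real code the same wrapper takes Jsoup.parse(html) in its place.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Added example: size cap plus wall-clock watchdog around an untrusted-input parser. Not jsoup code. */
public final class ParseWatchdog {

    public static final class ParseRejected extends Exception {
        public ParseRejected(String reason) { super(reason); }
    }

    @FunctionalInterface
    public interface ParserFn<T> { T parse(String input) throws Exception; }

    private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "parse-watchdog");
        t.setDaemon(true);   // a parser that ignores interrupts must not keep the JVM alive
        return t;
    });

    /** Rejects oversized input up front, then gives the parser a time budget; on timeout the
     *  parsing thread is interrupted and the caller gets a clean error instead of a hung request. */
    public <T> T parse(String input, int maxChars, long budgetMs, ParserFn<T> parser) throws ParseRejected {
        if (input.length() > maxChars) {
            throw new ParseRejected("input of " + input.length() + " chars exceeds limit " + maxChars);
        }
        Future<T> f = pool.submit((Callable<T>) () -> parser.parse(input));
        try {
            return f.get(budgetMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);   // delivers an interrupt to the parsing thread
            throw new ParseRejected("parse exceeded " + budgetMs + " ms budget");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ParseRejected("interrupted while waiting for parser");
        } catch (ExecutionException e) {
            throw new ParseRejected("parser threw: " + e.getCause());   // CWE-248 case: surface, do not crash
        }
    }

    /** Stand-in parser: counts '<' normally, but spins until interrupted on the constructed trigger. */
    static int countTagsOrHang(String html) throws InterruptedException {
        if (html.contains("<!--stuck")) {
            while (!Thread.currentThread().isInterrupted()) { /* simulates the infinite-loop bug */ }
            throw new InterruptedException("parser cancelled");
        }
        int tags = 0;
        for (int i = 0; i < html.length(); i++) if (html.charAt(i) == '<') tags++;
        return tags;
    }

    public static void main(String[] args) {
        ParseWatchdog w = new ParseWatchdog();
        String[] samples = { "<html><body><p>hello</p></body></html>", "<html><!--stuck" };
        for (String s : samples) {
            try {
                System.out.println("parsed OK, tags=" + w.parse(s, 1 << 20, 500, ParseWatchdog::countTagsOrHang));
            } catch (ParseRejected e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Cancellation only works if the parser checks its interrupt flag; a library that never does will leak the worker thread, which is why the pool uses daemon threads and why the size cap runs first.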
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
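The Kafka entry above (Arrays.equals on a password or key) and the Wildfly Elytron ScramServer entry earlier on this page are the same weakness, CWE-203: a comparison that returns as soon as the first byte differs, so the time taken reveals how many leading bytes were right. The following added example (not Kafka or Elytron code) makes the early-exit behaviour visible by counting bytes touched, and shows the two usual fixes: a hand-written accumulate-then-compare loop and the JDK's MessageDigest.isEqual. The sample credential is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

/** Added example contrasting early-exit and constant-time credential comparison. Not project code. */
public final class CredentialCompare {

    /** Mirrors Arrays.equals semantics and reports how many bytes were inspected before returning. */
    public static int earlyExitBytesTouched(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) return 0;      // length mismatch leaks immediately
        int touched = 0;
        for (int i = 0; i < expected.length; i++) {
            touched++;
            if (expected[i] != supplied[i]) return touched;    // leaves on the first mismatch
        }
        return touched;
    }

    /** Constant-time: the work depends only on the lengths, never on where the inputs differ. */
    public static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        int diff = expected.length ^ supplied.length;
        int n = Math.min(expected.length, supplied.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ supplied[i];   // accumulate differences, never branch on data
        }
        return diff == 0;
    }

    /** The standard-library replacement; MessageDigest.isEqual has been constant-time since JDK 6u17. */
    public static boolean jdkConstantTimeEquals(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    public static void main(String[] args) {
        byte[] stored     = "s3cret-password".getBytes(StandardCharsets.US_ASCII);   // constructed
        byte[] wrongFirst = "X3cret-password".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongLast  = "s3cret-passworX".getBytes(StandardCharsets.US_ASCII);
        System.out.println("early-exit, mismatch at byte 0:  "
                + earlyExitBytesTouched(stored, wrongFirst) + " byte(s) touched");
        System.out.println("early-exit, mismatch at byte 14: "
                + earlyExitBytesTouched(stored, wrongLast) + " byte(s) touched");
        System.out.println("Arrays.equals(stored, wrongLast)        = " + Arrays.equals(stored, wrongLast));
        System.out.println("constantTimeEquals(stored, stored)      = " + constantTimeEquals(stored, stored.clone()));
        System.out.println("constantTimeEquals(stored, wrongLast)   = " + constantTimeEquals(stored, wrongLast));
        System.out.println("MessageDigest.isEqual(stored, wrongLast) = " + jdkConstantTimeEquals(stored, wrongLast));
    }
}
```

The difference of 1 versus 15 bytes inspected is the signal a remote attacker averages over many requests; the hardened loop always inspects all 15. For stored secrets, compare a hash of the supplied value against a stored hash rather than the raw credential, so the length is not secret either.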
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-kubernetes-client-1.13.7.Final.jar
Description: Interact with Kubernetes and develop Kubernetes Operators
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-kubernetes-client/1.13.7.Final/quarkus-kubernetes-client-1.13.7.Final.jar
MD5: cbce9ceb54dc3943c882712216872b30
SHA1: f47e6d6ce87dfc9ec2ecf34774e877f2b8c0fc2f
SHA256: ea64840e131030828c6a9c09e13775586b2985716c3e09dd9d89930d4830a035
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | client | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | io | Highest
Vendor | pom | name | Quarkus - Kubernetes Client - Runtime | High
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | jar | package name | kubernetes | Highest
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client | Low
Vendor | file | name | quarkus-kubernetes-client | High
Vendor | pom | parent-artifactid | quarkus-kubernetes-client-parent | Low
Vendor | pom | artifactid | quarkus-kubernetes-client | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | jar | package name | client | Highest
Product | jar | package name | quarkus | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | os-arch | amd64 | Low
Product | pom | artifactid | quarkus-kubernetes-client | Highest
Product | jar | package name | io | Highest
Product | pom | name | Quarkus - Kubernetes Client - Runtime | High
Product | Manifest | specification-title | Quarkus - Kubernetes Client - Runtime | Medium
Product | pom | parent-artifactid | quarkus-kubernetes-client-parent | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client | Low
Product | file | name | quarkus-kubernetes-client | High
Product | Manifest | Implementation-Title | Quarkus - Kubernetes Client - Runtime | High
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2018-1002102 suppressed
Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv2: Base Score: LOW (2.1) Vector: /AV:N/AC:H/Au:S/C:P/I:N/A:N
CVSSv3: LOW (2.6) CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11244 suppressed
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11246 suppressed
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11247 suppressed
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: HIGH (8.1) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11248 suppressed
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. CWE-862 Missing Authorization
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3: HIGH (8.2) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2019-11249 suppressed
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11250 suppressed
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. CWE-532 Information Exposure Through Log Files
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11251 suppressed
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree. CWE-59 Improper Link Resolution Before File Access ('Link Following')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (5.7) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11252 suppressed
The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. CWE-209 Information Exposure Through an Error Message
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11254 suppressed
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3: MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8552 suppressed
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3: MEDIUM (4.3) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8554 suppressed
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (5.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8555 suppressed
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services). CWE-918 Server-Side Request Forgery (SSRF)
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: MEDIUM (6.3) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-8557 suppressed
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8558 suppressed
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: HIGH (8.8) CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8559 suppressed
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: MEDIUM (6.8) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8562 suppressed
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: LOW (3.1) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
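CVE-2020-8562 above describes a check-then-resolve-again race: the proxy validates the DNS answer against loopback and link-local ranges, then resolves the name a second time for the real connection, and a rebinding DNS server answers differently the second time. CVE-2020-8555 earlier on this page is the SSRF the check was meant to stop. The following added example (plain Java, not Kubernetes code) shows the fix pattern: resolve once, validate every returned address, and hand the caller the validated InetAddress to connect to, never the name. The resolver is injected so the example runs offline with constructed answers that imitate a rebinding server.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.function.Function;

/** Added example: resolve once, validate, and pin the address for the connection. Not Kubernetes code. */
public final class PinnedResolver {

    public static final class Forbidden extends Exception {
        public Forbidden(String reason) { super(reason); }
    }

    /** Ranges the advisory's mitigation excludes (loopback, link-local) plus the unspecified address. */
    public static boolean isForbidden(InetAddress a) {
        return a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isAnyLocalAddress();
    }

    /**
     * Resolves the host exactly once and returns the validated address. The caller must open the
     * socket to this InetAddress (sending the original name in Host/SNI) rather than re-resolving;
     * a second lookup is exactly the window CVE-2020-8562 describes.
     */
    public static InetAddress resolveAndPin(String host, Function<String, InetAddress[]> resolver) throws Forbidden {
        InetAddress[] answers = resolver.apply(host);
        if (answers == null || answers.length == 0) throw new Forbidden("no address for " + host);
        for (InetAddress a : answers) {               // every answer, not just the first
            if (isForbidden(a)) throw new Forbidden(host + " resolves to " + a.getHostAddress());
        }
        return answers[0];
    }

    /** Builds an InetAddress from literal octets without touching the network. */
    static InetAddress ip(String host, int... octets) throws UnknownHostException {
        byte[] b = new byte[octets.length];
        for (int i = 0; i < b.length; i++) b[i] = (byte) octets[i];
        return InetAddress.getByAddress(host, b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed rebinding resolver: first query returns a public (TEST-NET-3) address,
        // every later query returns loopback, as a hostile authoritative server would.
        int[] calls = {0};
        Function<String, InetAddress[]> rebinding = h -> {
            try {
                return new InetAddress[] { calls[0]++ == 0 ? ip(h, 203, 0, 113, 10) : ip(h, 127, 0, 0, 1) };
            } catch (UnknownHostException e) { throw new IllegalStateException(e); }
        };
        InetAddress pinned = resolveAndPin("svc.example.test", rebinding);
        System.out.println("validated and pinned: " + pinned.getHostAddress());
        System.out.println("a naive second lookup would now return: "
                + rebinding.apply("svc.example.test")[0].getHostAddress());

        // Constructed answer pointing straight at the link-local metadata range.
        Function<String, InetAddress[]> metadata = h -> {
            try { return new InetAddress[] { ip(h, 169, 254, 169, 254) }; }
            catch (UnknownHostException e) { throw new IllegalStateException(e); }
        };
        try {
            resolveAndPin("meta.example.test", metadata);
        } catch (Forbidden f) {
            System.out.println("rejected: " + f.getMessage());
        }
    }
}
```

Pinning closes the race but not the policy gap: isForbidden should be extended with whatever private ranges the deployment treats as internal (for example 10/8 or the cloud metadata address), and redirects returned by the target must be re-validated through the same path.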
CVE-2020-8563 suppressed
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. CWE-532 Information Exposure Through Log Files
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a randomly named file, but by default creates it with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify a different "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
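The Netty entry above (CVE-2021-21290, File.createTempFile leaving -rw-r--r--) and the two Gradle entries at the top of this page (a shared temporary directory without the sticky bit, and umask-dependent file modes) are all CWE-377/378/379 variants of one problem: relying on the system temp directory's defaults. The following added example (plain Java, not Netty or Gradle code) shows the check a build or service can run at startup and the hardened creation call. It is Unix-only: the sticky bit is read through the "unix:mode" attribute, which the JDK exposes on POSIX platforms.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Added example: audit java.io.tmpdir and create temp files with explicit private modes. Not project code. */
public final class PrivateTempFiles {

    /** True when the directory is world-writable and lacks the sticky bit, the CVE-2021-29428 precondition
     *  (other users may delete and recreate files in it). */
    public static boolean isSharedWithoutSticky(Path dir) throws IOException {
        Set<PosixFilePermission> p = Files.getPosixFilePermissions(dir);
        boolean othersWrite = p.contains(PosixFilePermission.OTHERS_WRITE);
        int mode = (Integer) Files.getAttribute(dir, "unix:mode");   // PosixFilePermission has no sticky bit
        boolean sticky = (mode & 01000) != 0;
        return othersWrite && !sticky;
    }

    /** What the legacy java.io API leaves on a new file: only the process umask applies, typically rw-r--r--. */
    public static Set<PosixFilePermission> legacyTempFilePermissions() throws IOException {
        File f = File.createTempFile("legacy-", ".tmp");
        try {
            return Files.getPosixFilePermissions(f.toPath());
        } finally {
            f.delete();
        }
    }

    /** Hardened variant: a 0700 directory of our own, and a 0600 file with the mode set atomically at creation. */
    public static Path createPrivateTempFile(String prefix) throws IOException {
        Path dir = Files.createTempDirectory("private-",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        return Files.createTempFile(dir, prefix, ".tmp",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println(tmp + " shared without sticky bit: " + isSharedWithoutSticky(tmp));
        System.out.println("File.createTempFile mode: "
                + PosixFilePermissions.toString(legacyTempFilePermissions()));
        Path p = createPrivateTempFile("upload-");
        System.out.println("hardened file mode:       "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                + " in " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p.getParent())));
        Files.delete(p);
        Files.delete(p.getParent());
    }
}
```

Passing the mode as a FileAttribute at creation time matters: creating the file and then calling setPosixFilePermissions leaves a window in which another local user can open it. On POSIX, java.nio's Files.createTempFile already defaults to 0600 even without attributes; it is the older File.createTempFile that honours only the umask, which is exactly the call the Netty advisory names.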
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2, which will require significant effort.
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
CONFIRM - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
CONFIRM - https://security.netapp.com/advisory/ntap-20210604-0003/
DEBIAN - DSA-4885
MISC - https://github.com/Netflix/zuul/pull/980
MISC - https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
MISC - https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E
MLIST - [bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final
MLIST - [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)
MLIST - [hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022
MLIST - [kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295
MLIST - [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290
MLIST - [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
MLIST - [ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42
MLIST - [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
MLIST - [zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295
Vulnerable Software & Versions:
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-25735 suppressed
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields. CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (5.5) Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-25741 suppressed
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. CWE-552 Files or Directories Accessible to External Parties
CVSSv2: Base Score: MEDIUM (5.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-25743 suppressed
kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. NVD-CWE-Other
CVSSv2: Base Score: LOW (2.1) Vector: /AV:N/AC:H/Au:S/C:N/I:P/A:N
CVSSv3: Base Score: LOW (3.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
quarkus-kubernetes-client-internal-1.13.7.Final.jar Description:
This module only exists as a separate module to house the configuration that needs to be present on the runtime classpath when the kubernetes extension is used.
File Path: /home/jenkins/.mvnrepository/io/quarkus/quarkus-kubernetes-client-internal/1.13.7.Final/quarkus-kubernetes-client-internal-1.13.7.Final.jar
MD5: 92ccbbaeb0a1092dd925eb6c8076d4a7
SHA1: 96bc4ec35a82f92db48620f7971305411363e766
SHA256: 58601b9a5ed6fe782979d258fcba31025909075ab736b80925f509f747592025
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | client | Highest
Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client-internal | Low
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | pom | name | Quarkus - Kubernetes Client - Runtime - Internal | High
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | jar | package name | quarkus | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | file | name | quarkus-kubernetes-client-internal | High
Vendor | pom | artifactid | quarkus-kubernetes-client-internal | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium
Vendor | jar | package name | kubernetes | Highest
Vendor | pom | parent-artifactid | quarkus-kubernetes-client-parent | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | pom | groupid | io.quarkus | Highest
Product | jar | package name | client | Highest
Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-extensions-parent/quarkus-kubernetes-client-parent/quarkus-kubernetes-client-internal | Low
Product | Manifest | specification-title | Quarkus - Kubernetes Client - Runtime - Internal | Medium
Product | pom | name | Quarkus - Kubernetes Client - Runtime - Internal | High
Product | jar | package name | quarkus | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | Manifest | os-arch | amd64 | Low
Product | file | name | quarkus-kubernetes-client-internal | High
Product | jar | package name | io | Highest
Product | pom | parent-artifactid | quarkus-kubernetes-client-parent | Medium
Product | jar | package name | kubernetes | Highest
Product | Manifest | Implementation-Title | Quarkus - Kubernetes Client - Runtime - Internal | High
Product | pom | artifactid | quarkus-kubernetes-client-internal | Highest
Product | Manifest | os-name | Linux | Medium
Product | pom | groupid | io.quarkus | Highest
Version | pom | version | 1.13.7.Final | Highest
Version | Manifest | Implementation-Version | 1.13.7.Final | High
Suppressed Vulnerabilities
CVE-2018-1002102 suppressed
Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv2: Base Score: LOW (2.1) Vector: /AV:N/AC:H/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: LOW (2.6) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11244 suppressed
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11246 suppressed
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11247 suppressed
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11248 suppressed
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or allow a limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. CWE-862 Missing Authorization
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (8.2) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2019-11249 suppressed
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11250 suppressed
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. CWE-532 Information Exposure Through Log Files
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11251 suppressed
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree. CWE-59 Improper Link Resolution Before File Access ('Link Following')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.7) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11252 suppressed
The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. CWE-209 Information Exposure Through an Error Message
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-11254 suppressed
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-28491 suppressed
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8552 suppressed
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8554 suppressed
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. CWE-863 Incorrect Authorization
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-8555 suppressed
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services). CWE-918 Server-Side Request Forgery (SSRF)
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-8557 suppressed
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 does not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8558 suppressed
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8559 suppressed
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv2: Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: MEDIUM (6.8) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-8562 suppressed
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N CVSSv3:
LOW (3.1) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2020-8563 suppressed
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. CWE-532 Information Exposure Through Log Files
CVSSv2:
Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2021-21290 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N CVSSv3:
MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-21295 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N CVSSv3:
MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-21409 suppressed
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-2471 suppressed
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). NVD-CWE-noinfo
CVSSv2:
Base Score: HIGH (7.9) Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C CVSSv3:
MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-25735 suppressed
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields. CWE-863 Incorrect Authorization
CVSSv2:
Base Score: MEDIUM (5.5) Vector: /AV:N/AC:L/Au:S/C:N/I:P/A:P CVSSv3:
MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-25741 suppressed
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. CWE-552 Files or Directories Accessible to External Parties
CVSSv2:
Base Score: MEDIUM (5.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:N CVSSv3:
HIGH (8.1) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-25743 suppressed
kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. NVD-CWE-Other
CVSSv2:
Base Score: LOW (2.1) Vector: /AV:N/AC:H/Au:S/C:N/I:P/A:N CVSSv3:
LOW (3.0) CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2021-28170 suppressed
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. CWE-20 Improper Input Validation
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
MEDIUM (5.3) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-29427 suppressed
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (6.0) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:P CVSSv3:
HIGH (7.2) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-29428 suppressed
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P CVSSv3:
HIGH (7.8) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-29429 suppressed
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. CWE-377 Insecure Temporary File
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N CVSSv3:
MEDIUM (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-3642 suppressed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. CWE-203 Information Exposure Through Discrepancy
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N CVSSv3:
MEDIUM (5.3) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-37136 suppressed
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-37137 suppressed
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-37714 suppressed
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Notes: Not much we can do about this one except implementing Quarkus 2 which will require significant effort.
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
HIGH (7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2021-38153 suppressed
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. CWE-203 Information Exposure Through Discrepancy
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N CVSSv3:
MEDIUM (5.9) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2021-43797 suppressed
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
MEDIUM (6.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions: (show all )
resteasy-client-3.15.1.Final.jar File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-client/3.15.1.Final/resteasy-client-3.15.1.Final.jar
MD5: 59b54410b06cbf2d95a0ce05a22ccbf2
SHA1: ae668cf8c46c5d6a5923097b6573d689ebe17593
SHA256: 41840b1d073ba46a9305cf02ed8ff417cb67314354d9f4c21947f687082e9e42
Evidence Type Source Name Value Confidence Vendor jar package name client Highest Vendor file name resteasy-client High Vendor Manifest implementation-url http://rest-easy.org/resteasy-client Low Vendor pom groupid org.jboss.resteasy Highest Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor Manifest os-arch amd64 Low Vendor Manifest java-vendor Oracle Corporation Medium Vendor hint analyzer vendor redhat Highest Vendor pom artifactid resteasy-client Low Vendor pom parent-artifactid resteasy-jaxrs-all Low Vendor pom groupid jboss.resteasy Highest Vendor pom parent-groupid org.jboss.resteasy Medium Vendor Manifest Implementation-Vendor-Id org.jboss.resteasy Medium Vendor jar package name jboss Highest Vendor jar package name jaxrs Highest Vendor jar package name resteasy Highest Vendor pom name RESTEasy JAX-RS Client High Vendor Manifest os-name Linux Medium Product jar package name client Highest Product file name resteasy-client High Product Manifest implementation-url http://rest-easy.org/resteasy-client Low Product Manifest os-arch amd64 Low Product pom groupid jboss.resteasy Highest Product pom parent-groupid org.jboss.resteasy Medium Product pom artifactid resteasy-client Highest Product Manifest specification-title RESTEasy JAX-RS Client Medium Product jar package name jboss Highest Product pom parent-artifactid resteasy-jaxrs-all Medium Product jar package name jaxrs Highest Product jar package name resteasy Highest Product Manifest Implementation-Title RESTEasy JAX-RS Client High Product pom name RESTEasy JAX-RS Client High Product Manifest os-name Linux Medium Version pom version 3.15.1.Final Highest Version Manifest Implementation-Version 3.15.1.Final High
Suppressed Vulnerabilities CVE-2021-20289 suppressed
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CWE: CWE-209 Information Exposure Through an Error Message
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-20293 suppressed
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
resteasy-jackson2-provider-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-jackson2-provider/3.15.1.Final/resteasy-jackson2-provider-3.15.1.Final.jar
MD5: eaf321ba922f881ff3fde06dcc53768f
SHA1: c4939964fbea5ea5e9d3e0c4cf8461de00bdb140
SHA256: 7544b3788bca2277f09145bcbffd22184c133e96b36cfe8956e4fdb51b0941cb
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.jboss.resteasy | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | pom | name | RESTEasy Jackson 2 Provider | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | resteasy-jaxrs-all | Low
Vendor | pom | groupid | jboss.resteasy | Highest
Vendor | pom | parent-groupid | org.jboss.resteasy | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.resteasy | Medium
Vendor | jar | package name | jboss | Highest
Vendor | file | name | resteasy-jackson2-provider | High
Vendor | jar | package name | resteasy | Highest
Vendor | pom | artifactid | resteasy-jackson2-provider | Low
Vendor | Manifest | implementation-url | http://rest-easy.org/resteasy-jackson2-provider | Low
Vendor | Manifest | os-name | Linux | Medium
Product | pom | artifactid | resteasy-jackson2-provider | Highest
Product | Manifest | os-arch | amd64 | Low
Product | pom | name | RESTEasy Jackson 2 Provider | High
Product | Manifest | specification-title | RESTEasy Jackson 2 Provider | Medium
Product | pom | groupid | jboss.resteasy | Highest
Product | pom | parent-groupid | org.jboss.resteasy | Medium
Product | jar | package name | jboss | Highest
Product | file | name | resteasy-jackson2-provider | High
Product | pom | parent-artifactid | resteasy-jaxrs-all | Medium
Product | jar | package name | resteasy | Highest
Product | Manifest | Implementation-Title | RESTEasy Jackson 2 Provider | High
Product | Manifest | implementation-url | http://rest-easy.org/resteasy-jackson2-provider | Low
Product | Manifest | os-name | Linux | Medium
Version | pom | version | 3.15.1.Final | Highest
Version | Manifest | Implementation-Version | 3.15.1.Final | High
Suppressed Vulnerabilities
CVE-2021-20289 suppressed
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CWE: CWE-209 Information Exposure Through an Error Message
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-20293 suppressed
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
resteasy-jaxb-provider-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-jaxb-provider/3.15.1.Final/resteasy-jaxb-provider-3.15.1.Final.jar
MD5: 7f0e9a2a4cf4465d7070c2f0231c8c51
SHA1: 6b97aa1caf68999cb638515feec02e5a87f76788
SHA256: 2fd0cd55f92236913ce62403d18be8b4c04cc9ce9a578e40d4f6bfb7182553e8
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.jboss.resteasy | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | artifactid | resteasy-jaxb-provider | Low
Vendor | file | name | resteasy-jaxb-provider | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | pom | name | RESTEasy JAXB Provider | High
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | resteasy-jaxrs-all | Low
Vendor | pom | groupid | jboss.resteasy | Highest
Vendor | pom | parent-groupid | org.jboss.resteasy | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.resteasy | Medium
Vendor | jar | package name | jboss | Highest
Vendor | jar | package name | resteasy | Highest
Vendor | Manifest | os-name | Linux | Medium
Vendor | Manifest | implementation-url | http://rest-easy.org/resteasy-jaxb-provider | Low
Product | file | name | resteasy-jaxb-provider | High
Product | Manifest | os-arch | amd64 | Low
Product | pom | name | RESTEasy JAXB Provider | High
Product | Manifest | specification-title | RESTEasy JAXB Provider | Medium
Product | pom | groupid | jboss.resteasy | Highest
Product | pom | parent-groupid | org.jboss.resteasy | Medium
Product | jar | package name | jboss | Highest
Product | pom | parent-artifactid | resteasy-jaxrs-all | Medium
Product | jar | package name | resteasy | Highest
Product | pom | artifactid | resteasy-jaxb-provider | Highest
Product | Manifest | os-name | Linux | Medium
Product | Manifest | Implementation-Title | RESTEasy JAXB Provider | High
Product | Manifest | implementation-url | http://rest-easy.org/resteasy-jaxb-provider | Low
Version | pom | version | 3.15.1.Final | Highest
Version | Manifest | Implementation-Version | 3.15.1.Final | High
Suppressed Vulnerabilities
CVE-2021-20289 suppressed
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CWE: CWE-209 Information Exposure Through an Error Message
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-20293 suppressed
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
resteasy-jaxrs-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-jaxrs/3.15.1.Final/resteasy-jaxrs-3.15.1.Final.jar
MD5: 0ed93dd155af2ed91968fbfa30897340
SHA1: bc52bae060345e776008103d02289146f208176b
SHA256: 6d1e1155d1ce582c66c0262d4504314bd32ca2328643c49c78e912048da12352
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.jboss.resteasy | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | pom | name | RESTEasy JAX-RS Implementation | High
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | Manifest | os-arch | amd64 | Low
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | resteasy-jaxrs-all | Low
Vendor | pom | groupid | jboss.resteasy | Highest
Vendor | pom | parent-groupid | org.jboss.resteasy | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.resteasy | Medium
Vendor | jar | package name | jboss | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | jar | package name | resteasy | Highest
Vendor | Manifest | implementation-url | http://rest-easy.org/resteasy-jaxrs | Low
Vendor | pom | artifactid | resteasy-jaxrs | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | file | name | resteasy-jaxrs | High
Product | pom | name | RESTEasy JAX-RS Implementation | High
Product | Manifest | os-arch | amd64 | Low
Product | pom | groupid | jboss.resteasy | Highest
Product | pom | parent-groupid | org.jboss.resteasy | Medium
Product | pom | artifactid | resteasy-jaxrs | Highest
Product | Manifest | Implementation-Title | RESTEasy JAX-RS Implementation | High
Product | jar | package name | jboss | Highest
Product | jar | package name | jaxrs | Highest
Product | pom | parent-artifactid | resteasy-jaxrs-all | Medium
Product | jar | package name | resteasy | Highest
Product | Manifest | implementation-url | http://rest-easy.org/resteasy-jaxrs | Low
Product | Manifest | os-name | Linux | Medium
Product | file | name | resteasy-jaxrs | High
Product | Manifest | specification-title | RESTEasy JAX-RS Implementation | Medium
Version | pom | version | 3.15.1.Final | Highest
Version | Manifest | Implementation-Version | 3.15.1.Final | High
Suppressed Vulnerabilities
CVE-2021-20289 suppressed
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CWE: CWE-209 Information Exposure Through an Error Message
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-20293 suppressed
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
resteasy-multipart-provider-3.15.1.Final.jar
File Path: /home/jenkins/.mvnrepository/org/jboss/resteasy/resteasy-multipart-provider/3.15.1.Final/resteasy-multipart-provider-3.15.1.Final.jar
MD5: 5b587259661c94cce338354fb1569ead
SHA1: 50d2a0fc2692cc9a4254b337d6a38db96fc2c614
SHA256: 44ba543ae8e7743ea30cefb49fa98351ce337bdc39dd0b36cad78bbe1b5e302d
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | http://rest-easy.org/resteasy-multipart-provider | Low
Vendor | pom | groupid | org.jboss.resteasy | Highest
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | file | name | resteasy-multipart-provider | High
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | name | RESTEasy Multipart Provider | High
Vendor | pom | artifactid | resteasy-multipart-provider | Low
Vendor | Manifest | os-arch | amd64 | Low
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | pom | parent-artifactid | resteasy-jaxrs-all | Low
Vendor | pom | groupid | jboss.resteasy | Highest
Vendor | pom | parent-groupid | org.jboss.resteasy | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.resteasy | Medium
Vendor | jar | package name | jboss | Highest
Vendor | jar | package name | resteasy | Highest
Vendor | Manifest | os-name | Linux | Medium
Product | Manifest | implementation-url | http://rest-easy.org/resteasy-multipart-provider | Low
Product | file | name | resteasy-multipart-provider | High
Product | pom | name | RESTEasy Multipart Provider | High
Product | Manifest | os-arch | amd64 | Low
Product | Manifest | specification-title | RESTEasy Multipart Provider | Medium
Product | pom | groupid | jboss.resteasy | Highest
Product | pom | parent-groupid | org.jboss.resteasy | Medium
Product | pom | artifactid | resteasy-multipart-provider | Highest
Product | jar | package name | jboss | Highest
Product | pom | parent-artifactid | resteasy-jaxrs-all | Medium
Product | jar | package name | resteasy | Highest
Product | Manifest | Implementation-Title | RESTEasy Multipart Provider | High
Product | Manifest | os-name | Linux | Medium
Version | pom | version | 3.15.1.Final | Highest
Version | Manifest | Implementation-Version | 3.15.1.Final | High
Suppressed Vulnerabilities
CVE-2021-20289 suppressed
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CWE: CWE-209 Information Exposure Through an Error Message
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-20293 suppressed
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Notes: Not much we can do about this one except wait for Keycloak 8. We can only update the client if the server is updated.
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions: