jakarta.servlet.jsp.jstl v3.0 contains vulnerable shaded JAR for BCEL #258

Open
rwmajor2 opened this issue Jun 16, 2024 · 1 comment

@rwmajor2

Is bcel needed to be included in jakarta.servlet.jsp.jstl.jar? I am curious what it is used for and more importantly what version is it? It is showing up on vulnerability scans due to CVEs with bcel, but I can't find out what version it is from this repo.

Thanks.

@pnicolucci
Contributor

Hi, @rwmajor2 this is likely due to a dependency on Xalan 2.7.2.

The implementation of Jakarta Tags has now moved to the Eclipse WaSP project.

The first Eclipse WaSP release containing the Jakarta Tags implementation was 3.2.0: https://projects.eclipse.org/projects/ee4j.wasp.

The 3.2.1 version of Eclipse WaSP has been updated to depend on Xalan 2.7.3: eclipse-ee4j/wasp@b518d50.

Feel free to let me know if you have any more questions. Thanks!
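
An added example, not part of the thread or of the project's code: one way to confirm what a scanner is flagging by listing the BCEL classes bundled in a JAR and any Maven coordinates recorded inside it. The JAR is constructed in memory and the function names are hypothetical; a JAR carrying no `META-INF/maven/.../pom.properties` files yields no coordinates, in which case the bundled version has to be traced through the dependency that brought the classes in.

```python
import io
import zipfile

# BCEL classes live under this package path (possibly behind a relocation prefix).
BCEL_PREFIX = "org/apache/bcel/"


def build_sample_jar(with_metadata: bool = True) -> bytes:
    """Constructed sample JAR; not the real jakarta.servlet.jsp.jstl artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/bcel/Constants.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/bcel/classfile/JavaClass.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/example/tags/Core.class", b"\xca\xfe\xba\xbe")
        if with_metadata:
            # Constructed coordinates, for illustration only.
            jar.writestr(
                "META-INF/maven/org.example/sample-lib/pom.properties",
                "groupId=org.example\nartifactId=sample-lib\nversion=1.2.3\n",
            )
    return buf.getvalue()


def inspect_jar(data: bytes, prefix: str = BCEL_PREFIX) -> dict:
    """List classes under `prefix` and collect embedded Maven coordinates."""
    classes, coords = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            # Substring match also catches relocated copies of the package.
            if prefix in name and name.endswith(".class"):
                classes.append(name)
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                coords.append(":".join(
                    props.get(k, "?") for k in ("groupId", "artifactId", "version")))
    return {"bundled_classes": sorted(classes), "maven_coordinates": sorted(coords)}


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar())
    print(len(report["bundled_classes"]), "classes under", BCEL_PREFIX)
    print("embedded coordinates:", report["maven_coordinates"] or "none recorded")
```
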
