Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

Project: Zephyr - Model

it.tidalwave.northernwind.rca:it-tidalwave-northernwind-rca-model:1.2-ALPHA-2

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
aspectjrt-1.9.6.jarpkg:maven/org.aspectj/aspectjrt@1.9.6 023
guava-14.0.1.jarcpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*pkg:maven/com.google.guava/guava@14.0.1MEDIUM2Highest21
it-tidalwave-messagebus-3.2-ALPHA-1.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-messagebus@3.2-ALPHA-1 023
it-tidalwave-northernwind-core-1.2-ALPHA-5.jarpkg:maven/it.tidalwave.northernwind/it-tidalwave-northernwind-core@1.2-ALPHA-5 025
it-tidalwave-northernwind-model-core-stripped-1.2-ALPHA-2.jarpkg:maven/it.tidalwave.northernwind.rca/it-tidalwave-northernwind-model-core-stripped@1.2-ALPHA-2 027
it-tidalwave-role-3.2-ALPHA-1.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-role@3.2-ALPHA-1 023
it-tidalwave-util-3.2-ALPHA-1.jarpkg:maven/it.tidalwave.thesefoolishthings/it-tidalwave-util@3.2-ALPHA-1 023
javax.annotation-api-1.3.2.jarpkg:maven/javax.annotation/javax.annotation-api@1.3.2 039
javax.inject-1.jarpkg:maven/javax.inject/javax.inject@1 019
jcl-over-slf4j-1.7.30.jarpkg:maven/org.slf4j/jcl-over-slf4j@1.7.30 033
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
lombok-1.18.18.jarpkg:maven/org.projectlombok/lombok@1.18.18 024
servlet-api-2.5.jarpkg:maven/javax.servlet/servlet-api@2.5 019
slf4j-api-1.7.30.jarpkg:maven/org.slf4j/slf4j-api@1.7.30 029
spotbugs-annotations-3.1.9.jarpkg:maven/com.github.spotbugs/spotbugs-annotations@3.1.9 021
spring-core-5.3.1.jarcpe:2.3:a:pivotal_software:spring_framework:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:5.3.1:*:*:*:*:*:*:*
pkg:maven/org.springframework/spring-core@5.3.1 0Highest31

Dependencies

aspectjrt-1.9.6.jar

Description:

The runtime needed to execute a program using AspectJ

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/org/aspectj/aspectjrt/1.9.6/aspectjrt-1.9.6.jar
MD5: 391f9257f19b84b45eb79a1878b9600a
SHA1: 1651849d48659e5703adc2599e694bf67b8c3fc4
SHA256:20c785678cbb4ee045914daf83da25f98a16071177dfa0e3451326723dfb4705
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

guava-14.0.1.jar

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has two code dependencies - javax.annotation
    per the JSR-305 spec and javax.inject per the JSR-330 spec.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/com/google/guava/guava/14.0.1/guava-14.0.1.jar
MD5: 58553f87d83b9f8ec74bd3529083ee2f
SHA1: 69e12f4c6aeac392555f1ea86fab82b5e5e31ad4
SHA256:d69df3331840605ef0e5fe4add60f2d28e870e3820937ea29f713d2035d9ab97
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

it-tidalwave-messagebus-3.2-ALPHA-1.jar

Description:

TheseFoolishThings - MessageBus

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-messagebus/3.2-ALPHA-1/it-tidalwave-messagebus-3.2-ALPHA-1.jar
MD5: 5e2b0dbac5b6fbdf1aa65933c015b809
SHA1: 749ca733394102e19dc0ceb3bc5eb3e302623c6e
SHA256:5db16ae030ebf02447a78f125a6b16d3b48272536bb6af43461d6680fb4f9a1c
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

it-tidalwave-northernwind-core-1.2-ALPHA-5.jar

Description:

Contains the interfaces of the Core.

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/it/tidalwave/northernwind/it-tidalwave-northernwind-core/1.2-ALPHA-5/it-tidalwave-northernwind-core-1.2-ALPHA-5.jar
MD5: a17032ce0088acc9976239f007892790
SHA1: bf85a7558132b07b6c90c600fb6c8112693025ec
SHA256:12e4fe7d964fc881fd5e96bbb66b57f6454d2c1ed82579474fe811af40b6d988
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

it-tidalwave-northernwind-model-core-stripped-1.2-ALPHA-2.jar

Description:

        This module contains a stripped subset of the default core implementation. Classes here should be probably
        put in a public *.spi package in Core.
    

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/it/tidalwave/northernwind/rca/it-tidalwave-northernwind-model-core-stripped/1.2-ALPHA-2/it-tidalwave-northernwind-model-core-stripped-1.2-ALPHA-2.jar
MD5: 77f288afda17edec073c7a976680ef1b
SHA1: 133533d92d6f3b790ca6ad7cedbd8b870db4b2bc
SHA256:4d3094c1f68d3b5396bde6843041c8588c33dfb47f5392bb2153d22d5157209b
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

it-tidalwave-role-3.2-ALPHA-1.jar

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-role/3.2-ALPHA-1/it-tidalwave-role-3.2-ALPHA-1.jar
MD5: 3bfaad4fddd0210a68875b8c2c172aac
SHA1: dc3b5024c9ea315429527c9813e6c4ffdeab956e
SHA256:3ea022e9ca215423c0bd3b874110c9db839defbdd0b9c938ac72897ef15ec36e
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

it-tidalwave-util-3.2-ALPHA-1.jar

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/it/tidalwave/thesefoolishthings/it-tidalwave-util/3.2-ALPHA-1/it-tidalwave-util-3.2-ALPHA-1.jar
MD5: 9c5e7abd349f6b1e32d09de9853c3683
SHA1: e0e4daed817fa4dbfdb6ada4c5c6939a0ff8741d
SHA256:5010cfc22b22208c81f5465c6b3a4a82432113517239cf22b42d10f67b9ed8ed
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

javax.annotation-api-1.3.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/javax/annotation/javax.annotation-api/1.3.2/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256:e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

jcl-over-slf4j-1.7.30.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/org/slf4j/jcl-over-slf4j/1.7.30/jcl-over-slf4j-1.7.30.jar
MD5: 69ad224b2feb6f86554fe8997b9c3d4b
SHA1: cd92524ea19d27e5b94ecd251e1af729cffdfe15
SHA256:71e9ee37b9e4eb7802a2acc5f41728a4cf3915e7483d798db3b4ff2ec8847c50
Referenced In Project/Scope:Zephyr - Model:runtime

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

lombok-1.18.18.jar

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: https://projectlombok.org/LICENSE
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/org/projectlombok/lombok/1.18.18/lombok-1.18.18.jar
MD5: 6a157cf72924f8d135dcd6c571bf0405
SHA1: 481f5bfed3ae29f656eedfe9e98c8365b8ba5c57
SHA256:601ec46206e0f9cac2c0583b3350e79f095419c395e991c761640f929038e9cc
Referenced In Project/Scope:Zephyr - Model:provided

Identifiers

servlet-api-2.5.jar

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Project/Scope:Zephyr - Model:provided

Identifiers

slf4j-api-1.7.30.jar

Description:

The slf4j API

File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256:cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

spotbugs-annotations-3.1.9.jar

Description:

Annotations the SpotBugs tool supports

License:

GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/com/github/spotbugs/spotbugs-annotations/3.1.9/spotbugs-annotations-3.1.9.jar
MD5: 56a1a81d69b6a111161bbce0e6dea26a
SHA1: 2ef5127efcc1a899aab8c66d449a631c9a99c469
SHA256:68c7c46b4299e94837e236ae742f399901a950fe910fe3ca710026753b5dd2e1
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers

spring-core-5.3.1.jar

Description:

Spring Core

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /Volumes/Users/fritz/LocalData/Business/Tidalwave/Projects/WorkAreas/tidalwave.bitbucket.io/repository/org/springframework/spring-core/5.3.1/spring-core-5.3.1.jar
MD5: df36706fc74458c9c28e97aca7fae409
SHA1: 47af5b161749cd249fc074b4f140e011a3337efd
SHA256:6ee995055163c59703be237be59f0565acb97c9d42c5d60df2bf3a4b4c6ef6e9
Referenced In Project/Scope:Zephyr - Model:compile

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.