Score 10.0 from security scanner due outdated jar File (Apache Struts End of Life (EOL) Detection)

Chris3 years ago

Hi

I'm using OpenVAS for internal security scans.
I got a 10.0 score (high risk)

The "Apache Struts" version on the remote host has reached the end of life.

CPE:               cpe:/a:apache:struts:1.3.8
Installed version: 1.3.8
Location/URL:      /opt/traccar/lib/struts-core-1.3.8.jar
EOL version:       1
EOL date:          2013-04-05

Kind regards
Chris

Anton Tananaev3 years ago

We don't use it directly, so it must be a transitive dependency. You can try to get gradle dependency graph and see which our dependency uses it.

Chris3 years ago

ok, I'll try
the file is inside the lib directory of the traccar install-directory

Anton Tananaev3 years ago

I understand that, but it doesn't mean it's a direct dependency. It is a transitive dependency, as I said.

Chris3 years ago

to build a gradle or maven dependency graph I'll need the whole project....

I think it's easier you will check the dependency tree. I'm to weak in reverse engineering to get the dependencies out of your jar files

Chris3 years ago

https://de.wikipedia.org/wiki/Struts

Anton Tananaev3 years ago

Looks like it's coming from velocity tools dependency.

+--- org.apache.velocity:velocity-tools:2.0
|    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    +--- commons-digester:commons-digester:1.8
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    \--- commons-logging:commons-logging:1.1 -> 1.2
|    +--- commons-chain:commons-chain:1.1
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    +--- commons-digester:commons-digester:1.6 -> 1.8 (*)
|    |    \--- commons-logging:commons-logging:1.0.3 -> 1.2
|    +--- commons-collections:commons-collections:3.2 -> 3.2.1
|    +--- commons-logging:commons-logging:1.1 -> 1.2
|    +--- commons-validator:commons-validator:1.3.1
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    +--- commons-digester:commons-digester:1.6 -> 1.8 (*)
|    |    \--- commons-logging:commons-logging:1.0.4 -> 1.2
|    +--- dom4j:dom4j:1.1
|    +--- oro:oro:2.0.8
|    +--- sslext:sslext:1.2-0
|    +--- org.apache.struts:struts-core:1.3.8
|    |    +--- antlr:antlr:2.7.2
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    +--- commons-chain:commons-chain:1.1 (*)
|    |    +--- commons-digester:commons-digester:1.8 (*)
|    |    +--- commons-logging:commons-logging:1.0.4 -> 1.2
|    |    +--- commons-validator:commons-validator:1.3.1 (*)
|    |    \--- oro:oro:2.0.8
|    +--- org.apache.struts:struts-taglib:1.3.8
|    |    \--- org.apache.struts:struts-core:1.3.8 (*)
|    +--- org.apache.struts:struts-tiles:1.3.8
|    |    \--- org.apache.struts:struts-core:1.3.8 (*)
|    \--- org.apache.velocity:velocity:1.6.2 -> 1.7 (*)
Chris3 years ago

I found it on https://velocity.apache.org/tools/2.0/dependencies.html#GenericTools

it seems the actual version is 3.1 https://velocity.apache.org/tools/3.1/