Posted to users@tomcat.apache.org by Francois Marot <fr...@gmail.com> on 2023/09/06 19:04:56 UTC

CVE referencing Tomcat are not also referencing Tomcat-embed

Hello,

I'm in the process of switching from Dependency-check [1] to
Dependency-track [2] to analyse vulnerabilities on my dependencies.
I analyse a classic Spring Boot webapp depending upon
org.apache.tomcat.embed:tomcat-embed-core. Dependency Check, which uses a kind
of fuzzy logic, detects (correctly?) CVEs (such as CVE-2023-28709 or
CVE-2023-41080).
Dependency-track uses exact matching with the artifact identifiers and does
not detect those CVEs.
I imagine (not totally sure) that those CVEs are also affecting
tomcat-embed-core and not only apache:tomcat, but it seems like they are
not targeting this "by-product" of the classic Tomcat.

What is or should be the correct process? Should the Tomcat team declare
those CVEs as also affecting tomcat-embed-core? Should the CVE people do
the job by themselves?

I've just found out that I'm not the only one having those questions:
https://stackoverflow.com/questions/74886946/vulnerablities-for-tomcat-embed-core-in-owasp-dependencytrack
but still looking for advice/guidance.

Best regards
Francois

[1] - https://owasp.org/www-project-dependency-check/
[2] - https://dependencytrack.org/

Re: CVE referencing Tomcat are not also referencing Tomcat-embed

Posted by Mark Thomas <ma...@apache.org>.
On 06/09/2023 20:04, Francois Marot wrote:
> Hello,
> 
> I'm in the process of switching from Dependency-check [1] to
> Dependency-track [2] to analyse vulnerabilities on my dependencies.
> I analyse a classic Spring Boot webapp depending upon
> org.apache.tomcat.embed:tomcat-embed-core. Dependency Check, which uses a kind
> of fuzzy logic, detects (correctly?) CVEs (such as CVE-2023-28709 or
> CVE-2023-41080).
> Dependency-track uses exact matching with the artifact identifiers and does
> not detect those CVEs.
> I imagine (not totally sure) that those CVEs are also affecting
> tomcat-embed-core and not only apache:tomcat, but it seems like they are
> not targeting this "by-product" of the classic Tomcat.
> 
> What is or should be the correct process? Should the Tomcat team declare
> those CVEs as also affecting tomcat-embed-core? Should the CVE people do
> the job by themselves?

The Tomcat project maps CVEs to Tomcat versions. We do not break it down 
to the component level. You need to raise this with whichever entity is 
mapping the Tomcat CVEs to specific components rather than all 
components for that version. It looks like Dependency-Track should be 
your first point of call.

Mark


> 
> I've just found out that I'm not the only one having those questions:
> https://stackoverflow.com/questions/74886946/vulnerablities-for-tomcat-embed-core-in-owasp-dependencytrack
> but still looking for advice/guidance.
> 
> Best regards
> Francois
> 
> [1] - https://owasp.org/www-project-dependency-check/
> [2] - https://dependencytrack.org/
> 
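The matching gap described in the question, together with Mark's point that the project maps CVEs to Tomcat versions rather than to individual components (so any component-level mapping has to live in the scanning tool), as an added example that is not part of this thread and is not Dependency-Track or Dependency-Check code: a toy scanner with an exact-identifier mode, a token-based fuzzy mode, and an alias table that bridges Maven coordinates to the CPE vendor/product pair an advisory is keyed on. The Advisory and Component classes, the CVE-0000-00000 record, its version range and the alias table are all constructed for the illustration.

```python
"""Toy model of exact vs fuzzy vulnerability-to-component matching.

Added illustration only; this is not Dependency-Track or Dependency-Check
code. It models a scanner that keys a Tomcat advisory on the CPE
vendor/product pair apache:tomcat and a Maven component identified by a
Package URL, and shows (a) why exact identifier matching misses
tomcat-embed-core, (b) how token-based fuzzy matching finds it, and (c) how
an explicit alias table gives the exact matcher the same coverage.
The advisory record, its version range and the alias table are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    vendor: str           # CPE vendor, e.g. "apache"
    product: str          # CPE product, e.g. "tomcat"
    affected_min: tuple   # first affected version, inclusive
    fixed_in: tuple       # first fixed version, exclusive


@dataclass(frozen=True)
class Component:
    purl: str             # "pkg:maven/<group>/<artifact>@<version>"


def parse_purl(purl: str):
    """Split a Maven Package URL into (group, artifact, version)."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError("only pkg:maven PURLs are modelled here")
    path, _, version = purl[len("pkg:maven/"):].partition("@")
    group, _, artifact = path.rpartition("/")
    return group, artifact, version


def parse_version(text: str):
    return tuple(int(part) for part in text.split("."))


def version_affected(adv: Advisory, version: str) -> bool:
    return adv.affected_min <= parse_version(version) < adv.fixed_in


# Alias table (constructed): the bridge an exact matcher needs, mapping Maven
# coordinates of Tomcat artifacts to the CPE pair the advisory is keyed on.
CPE_ALIASES = {
    ("org.apache.tomcat.embed", "tomcat-embed-core"): ("apache", "tomcat"),
    ("org.apache.tomcat", "tomcat-catalina"): ("apache", "tomcat"),
}


def exact_match(adv: Advisory, comp: Component, aliases=None) -> bool:
    """Exact mode: the component's identity must equal the advisory's
    vendor/product pair. A Maven group/artifact pair is never literally equal
    to a CPE vendor/product pair, so without an alias there is no match."""
    group, artifact, version = parse_purl(comp.purl)
    identity = (aliases or {}).get((group, artifact), (group, artifact))
    if identity != (adv.vendor, adv.product):
        return False
    return version_affected(adv, version)


def fuzzy_match(adv: Advisory, comp: Component) -> bool:
    """Fuzzy mode: tokenise the coordinates and accept the advisory if both the
    vendor and the product appear as tokens. Finds tomcat-embed-core, but also
    any other artifact whose coordinates carry the tokens "apache" and "tomcat"."""
    group, artifact, version = parse_purl(comp.purl)
    tokens = set(group.split(".")) | set(artifact.split("-"))
    if adv.vendor in tokens and adv.product in tokens:
        return version_affected(adv, version)
    return False


def scan(adv: Advisory, comps, aliases=None):
    """Return {purl: (exact_result, fuzzy_result)} so the two modes can be compared."""
    return {c.purl: (exact_match(adv, c, aliases), fuzzy_match(adv, c)) for c in comps}


# Constructed placeholder advisory: NOT a real CVE record, NOT real version data.
ADVISORY = Advisory("CVE-0000-00000", "apache", "tomcat", (9, 0, 0), (9, 0, 80))
COMPONENTS = [
    Component("pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.70"),
    Component("pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.80"),
    Component("pkg:maven/org.springframework.boot/spring-boot@3.1.0"),
]

if __name__ == "__main__":
    for purl, (exact, fuzzy) in scan(ADVISORY, COMPONENTS).items():
        print(f"{purl}: exact={exact} fuzzy={fuzzy}")
    for purl, (exact, fuzzy) in scan(ADVISORY, COMPONENTS, CPE_ALIASES).items():
        print(f"{purl} (with aliases): exact={exact} fuzzy={fuzzy}")
```

Run it directly to print both modes side by side. The alias table is the practical point: with exact matching, coverage for the embedded artifacts depends entirely on someone maintaining that mapping in the scanner's data, which is why the answer above points back to the tool rather than to the project.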

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org