False positive for commons-io #7673

jankoh · 2024-10-08T13:16:04Z

jankoh
Oct 8, 2024

IDs

CVE-2024-47554

Description

A scan of a containerised java applications having commons-io-2.16.1 as a dependency results is a finding claiming there is a vulnerable commons-io version 2.8.0; the issue being fixed in 2.14.0. Doing a fs scan of the sourcecode (we use gradle lockfiles) does not show this issue.

Here's the output of trivy -f json:

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-10-08T15:14:12.365392431+02:00",
  "ArtifactName": "registry.n4group.eu/team-elster/rv-tool/backend:VER_3_5",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.19.4"
    },
    "ImageID": "sha256:068c6bd762321a7a92e2b54e0d27f3858ac78c268d63d037d825054209488eee",
    "DiffIDs": [
      "sha256:94b0f5987cb71badf41e0e98ad0305e7ae36e2f5a4c92c26f6a7b42eb2303ba2",
      "sha256:a1f950a5054ea8abc6613cea4de982d71f7f6fab543769b568b20ece2e50e4e9",
      "sha256:da4a9f8735bda1c841564a29ea6ce974047608aa4031fe60e09ba25e5ef00032",
      "sha256:17efa9c71e8390b10c5897933a2119b9bfeff4c61e195fb0c6d4a773d23d5d9b",
      "sha256:f1bf4e083069b5866d4047c82f6e86d188821e259454ae3867bd8781e2868be9",
      "sha256:a159145c3b7f9bc7301ef8e1e2bee43a7b1f745f36664b03a74c6372db6ad5b6",
      "sha256:0e6bc27e7814f42697626616f8e1b31fb5fabc6677196357e43d61218dcec162"
    ],
    "RepoTags": [
      "registry.n4group.eu/team-elster/rv-tool/backend:VER_3_5"
    ],
    "RepoDigests": [
      "registry.n4group.eu/team-elster/rv-tool/backend@sha256:e437b3cdf467e407295c8f52a770661e8457a2b3bebb720ab44a18507d4f8764"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2024-10-04T10:27:45.431318679Z",
      "history": [
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "/bin/sh -c #(nop) ADD file:9e193d6fff4bce11c0ee715ad87def9ef40e9608d4be84cf73391edd45b2810e in / "
        },
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        },
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "ARG version=21.0.4.7.1",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "RUN |1 version=21.0.4.7.1 /bin/sh -c wget -O /THIRD-PARTY-LICENSES-20200824.tar.gz https://corretto.aws/downloads/resources/licenses/alpine/THIRD-PARTY-LICENSES-20200824.tar.gz \u0026\u0026     echo \"82f3e50e71b2aee21321b2b33de372feed5befad6ef2196ddec92311bc09becb  /THIRD-PARTY-LICENSES-20200824.tar.gz\" | sha256sum -c - \u0026\u0026     tar x -ovzf THIRD-PARTY-LICENSES-20200824.tar.gz \u0026\u0026     rm -rf THIRD-PARTY-LICENSES-20200824.tar.gz \u0026\u0026     wget -O /etc/apk/keys/amazoncorretto.rsa.pub https://apk.corretto.aws/amazoncorretto.rsa.pub \u0026\u0026     SHA_SUM=\"6cfdf08be09f32ca298e2d5bd4a359ee2b275765c09b56d514624bf831eafb91\" \u0026\u0026     echo \"${SHA_SUM}  /etc/apk/keys/amazoncorretto.rsa.pub\" | sha256sum -c - \u0026\u0026     echo \"https://apk.corretto.aws\" \u003e\u003e /etc/apk/repositories \u0026\u0026     apk add --no-cache amazon-corretto-21=$version-r0 \u0026\u0026     rm -rf /usr/lib/jvm/java-21-amazon-corretto/lib/src.zip # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "ENV LANG=C.UTF-8",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "ENV JAVA_HOME=/usr/lib/jvm/default-jvm",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-07-16T22:56:42Z",
          "created_by": "ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/default-jvm/bin",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "0001-01-01T00:00:00Z",
          "created_by": "RUN apk -U --no-cache upgrade"
        },
        {
          "created": "0001-01-01T00:00:00Z",
          "created_by": "COPY docker-entrypoint.sh /usr/local/bin/"
        },
        {
          "created": "0001-01-01T00:00:00Z",
          "created_by": "COPY backend.jar /usr/local/rvtool/"
        },
        {
          "created": "0001-01-01T00:00:00Z",
          "created_by": "COPY doc /usr/local/rvtool/documentation/"
        },
        {
          "created": "0001-01-01T00:00:00Z",
          "created_by": "COPY fontconfig.properties /usr/lib/jvm/default-jvm/lib/"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:94b0f5987cb71badf41e0e98ad0305e7ae36e2f5a4c92c26f6a7b42eb2303ba2",
          "sha256:a1f950a5054ea8abc6613cea4de982d71f7f6fab543769b568b20ece2e50e4e9",
          "sha256:da4a9f8735bda1c841564a29ea6ce974047608aa4031fe60e09ba25e5ef00032",
          "sha256:17efa9c71e8390b10c5897933a2119b9bfeff4c61e195fb0c6d4a773d23d5d9b",
          "sha256:f1bf4e083069b5866d4047c82f6e86d188821e259454ae3867bd8781e2868be9",
          "sha256:a159145c3b7f9bc7301ef8e1e2bee43a7b1f745f36664b03a74c6372db6ad5b6",
          "sha256:0e6bc27e7814f42697626616f8e1b31fb5fabc6677196357e43d61218dcec162"
        ]
      },
      "config": {
        "Entrypoint": [
          "/usr/local/bin/docker-entrypoint.sh"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/default-jvm/bin",
          "LANG=C.UTF-8",
          "JAVA_HOME=/usr/lib/jvm/default-jvm"
        ],
        "User": "1000",
        "WorkingDir": "/usr/local/rvtool"
      }
    }
  },
  "Results": [
    {
      "Target": "registry.n4group.eu/team-elster/rv-tool/backend:VER_3_5 (alpine 3.19.4)",
      "Class": "os-pkgs",
      "Type": "alpine"
    },
    {
      "Target": "Java",
      "Class": "lang-pkgs",
      "Type": "jar",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-47554",
          "PkgName": "commons-io:commons-io",
          "PkgPath": "usr/local/rvtool/backend.jar/BOOT-INF/lib/velocity-engine-core-2.3.jar",
          "PkgIdentifier": {
            "PURL": "pkg:maven/commons-io/[email protected]",
            "UID": "46186da97fec212e"
          },
          "InstalledVersion": "2.8.0",
          "FixedVersion": "2.14.0",
          "Status": "fixed",
          "Layer": {
            "DiffID": "sha256:f1bf4e083069b5866d4047c82f6e86d188821e259454ae3867bd8781e2868be9"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47554",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Maven",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
          },
          "Title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "Description": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-400"
          ],
          "VendorSeverity": {
            "ghsa": 3,
            "redhat": 2
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "V3Score": 4.3
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-47554",
            "https://github.com/apache/commons-io",
            "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
            "https://www.cve.org/CVERecord?id=CVE-2024-47554"
          ],
          "PublishedDate": "2024-10-03T12:15:02.613Z",
          "LastModifiedDate": "2024-10-04T13:50:43.727Z"
        }
      ]
    }
  ]
}

Reproduction Steps

1. Containerise artifact
2. scan container image

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine 3.19

Debug Output

2024-10-08T15:00:14+02:00       DEBUG   No plugins loaded
2024-10-08T15:00:14+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-08T15:00:14+02:00       DEBUG   Cache dir       dir="/home/jkohnert/.cache/trivy"
2024-10-08T15:00:14+02:00       DEBUG   Cache dir       dir="/home/jkohnert/.cache/trivy"
2024-10-08T15:00:14+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-08T15:00:14+02:00       DEBUG   Ignore statuses statuses=[]
2024-10-08T15:00:14+02:00       DEBUG   DB update was skipped because the local DB is the latest
2024-10-08T15:00:14+02:00       DEBUG   DB info schema=2 updated_at=2024-10-08T12:17:42.276076979Z next_update=2024-10-09T12:17:42.276076839Z downloaded_at=2024-10-08T12:51:55.965517056Z
2024-10-08T15:00:14+02:00       DEBUG   [pkg] Package types     types=[os library]
2024-10-08T15:00:14+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-10-08T15:00:14+02:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-08T15:00:14+02:00       INFO    [secret] Secret scanning is enabled
2024-10-08T15:00:14+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-08T15:00:14+02:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-08T15:00:14+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-08T15:00:14+02:00       DEBUG   Initializing scan cache...      type="fs"
2024-10-08T15:00:14+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-10-08T15:00:14+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-10-08T15:00:14+02:00       DEBUG   [image] Detected image ID       image_id="sha256:068c6bd762321a7a92e2b54e0d27f3858ac78c268d63d037d825054209488eee"
2024-10-08T15:00:14+02:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:94b0f5987cb71badf41e0e98ad0305e7ae36e2f5a4c92c26f6a7b42eb2303ba2 sha256:a1f950a5054ea8abc6613cea4de982d71f7f6fab543769b568b20ece2e50e4e9 sha256:da4a9f8735bda1c841564a29ea6ce974047608aa4031fe60e09ba25e5ef00032 sha256:17efa9c71e8390b10c5897933a2119b9bfeff4c61e195fb0c6d4a773d23d5d9b sha256:f1bf4e083069b5866d4047c82f6e86d188821e259454ae3867bd8781e2868be9 sha256:a159145c3b7f9bc7301ef8e1e2bee43a7b1f745f36664b03a74c6372db6ad5b6 sha256:0e6bc27e7814f42697626616f8e1b31fb5fabc6677196357e43d61218dcec162]
2024-10-08T15:00:14+02:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:94b0f5987cb71badf41e0e98ad0305e7ae36e2f5a4c92c26f6a7b42eb2303ba2]
2024-10-08T15:00:14+02:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:068c6bd762321a7a92e2b54e0d27f3858ac78c268d63d037d825054209488eee"
2024-10-08T15:00:14+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:94b0f5987cb71badf41e0e98ad0305e7ae36e2f5a4c92c26f6a7b42eb2303ba2"
2024-10-08T15:00:14+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:a1f950a5054ea8abc6613cea4de982d71f7f6fab543769b568b20ece2e50e4e9"
2024-10-08T15:00:14+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:da4a9f8735bda1c841564a29ea6ce974047608aa4031fe60e09ba25e5ef00032"
2024-10-08T15:00:14+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:f1bf4e083069b5866d4047c82f6e86d188821e259454ae3867bd8781e2868be9"
2024-10-08T15:00:14+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:17efa9c71e8390b10c5897933a2119b9bfeff4c61e195fb0c6d4a773d23d5d9b"
2024-10-08T15:00:18+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:a159145c3b7f9bc7301ef8e1e2bee43a7b1f745f36664b03a74c6372db6ad5b6"
2024-10-08T15:00:18+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:0e6bc27e7814f42697626616f8e1b31fb5fabc6677196357e43d61218dcec162"
2024-10-08T15:00:18+02:00       DEBUG   [javadb] Java DB update was skipped because the local Java DB is the latest
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/common-0.0.1-SNAPSHOT-plain.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] No such POM in the central repositories   file="common-0.0.1-SNAPSHOT-plain.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jobrunr-spring-boot-3-starter-7.2.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/kotlinx-coroutines-core-jvm-1.8.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jobrunr-7.2.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-dataformat-csv-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/flyway-database-postgresql-10.18.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/flyway-core-10.18.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-dataformat-toml-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-boot-actuator-autoconfigure-3.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/springdoc-openapi-starter-webmvc-ui-2.6.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/springdoc-openapi-starter-webmvc-api-2.6.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/springdoc-openapi-starter-common-2.6.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/swagger-core-jakarta-2.2.22.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-datatype-jsr310-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jasper-reports-starter-6.21.0.0-plain.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] No such POM in the central repositories   file="jasper-reports-starter-6.21.0.0-plain.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jasperreports-functions-6.21.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jasperreports-6.21.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jasperreports-metadata-6.21.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-datatype-jdk8-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-module-parameter-names-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-dataformat-xml-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-dataformat-yaml-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-databind-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/swagger-models-jakarta-2.2.22.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-annotations-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-core-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jackson-module-kotlin-2.17.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/kotlin-reflect-2.0.20.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/kotlin-stdlib-2.0.20.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-data-commons-3.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-ldap-core-3.2.6.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-security-saml2-service-provider-6.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-saml-impl-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-saml-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-soap-impl-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-profile-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-soap-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-xmlsec-impl-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-xmlsec-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-security-impl-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-security-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-messaging-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-core-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/opensaml-storage-api-4.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/java-support-8.4.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/guava-33.3.0-jre.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/xmlsec-4.0.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/bcpkix-jdk18on-1.78.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/bcutil-jdk18on-1.78.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/cryptacular-1.2.5.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/bcprov-jdk18on-1.78.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-session-jdbc-3.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/s3-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/location-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-cloud-aws-starter-3.1.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/micrometer-registry-prometheus-1.13.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/micrometer-registry-cloudwatch2-1.13.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/poi-ooxml-5.3.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/poi-5.3.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-compress-1.27.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-io-2.16.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/hibernate-validator-8.0.1.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jakarta.validation-api-3.1.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/mapstruct-1.6.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jooq-3.19.11.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/postgresql-42.7.4.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/annotations-23.0.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-cloud-aws-autoconfigure-3.1.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-boot-autoconfigure-3.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-boot-actuator-3.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-boot-3.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jsoup-1.18.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/micrometer-jakarta9-1.13.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-security-web-6.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-webmvc-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-webflux-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-web-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-context-support-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-security-config-6.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-security-core-6.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-context-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/micrometer-core-1.13.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/micrometer-observation-1.13.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-aop-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/aspectjweaver-1.9.22.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-jdbc-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-tx-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jakarta.mail-2.0.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/thymeleaf-spring6-3.1.2.RELEASE.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/tomcat-embed-el-10.1.28.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-beans-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-cloud-aws-core-3.1.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-expression-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-core-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/aws-xml-protocol-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/aws-json-protocol-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/cloudwatch-2.25.70.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/aws-query-protocol-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/protocol-core-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/aws-core-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/auth-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/regions-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/sdk-core-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/arns-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/profiles-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/crt-core-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/http-auth-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/http-auth-aws-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/http-auth-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/identity-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/retries-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/retries-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/apache-client-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-nio-client-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/http-client-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/metrics-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/json-utils-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/utils-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/log4j-over-slf4j-2.0.16.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/HikariCP-5.1.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/thymeleaf-3.1.2.RELEASE.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/metrics-core-4.2.25.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/velocity-engine-core-2.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/logback-classic-1.5.7.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/log4j-to-slf4j-2.23.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jul-to-slf4j-2.0.16.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/slf4j-api-2.0.16.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/failureaccess-1.0.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jsr305-3.0.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/checker-qual-3.43.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/error_prone_annotations-2.28.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/httpclient-4.5.14.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-codec-1.16.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/woodstox-core-6.7.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-session-core-3.3.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/checksums-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/checksums-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/endpoints-spi-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/http-auth-aws-eventstream-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/annotations-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/prometheus-metrics-core-1.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/prometheus-metrics-tracer-common-1.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/prometheus-metrics-exposition-formats-1.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/swagger-ui-5.17.14.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-collections4-4.4.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-math3-3.6.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/SparseBitSet-1.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/poi-ooxml-lite-5.3.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/xmlbeans-5.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/log4j-api-2.23.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-lang3-3.14.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/curvesapi-1.08.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jasperreports-fonts-6.21.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/r2dbc-spi-1.0.0.RELEASE.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jakarta.annotation-api-2.1.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/snakeyaml-2.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/micrometer-commons-1.13.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/angus-activation-2.0.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jakarta.xml.bind-api-4.0.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jakarta.activation-api-2.1.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jboss-logging-3.5.3.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/classmate-1.7.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/tomcat-embed-websocket-10.1.28.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/tomcat-embed-core-10.1.28.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/reactor-netty-http-1.1.22.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/reactor-netty-core-1.1.22.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/reactor-core-3.6.9.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-jcl-6.1.13.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/stax2-api-4.2.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/httpcore-4.4.16.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/asm-9.7.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-codec-http2-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-handler-proxy-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-codec-http-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-resolver-dns-native-macos-4.1.112.Final-osx-x86_64.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-resolver-dns-classes-macos-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-resolver-dns-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-handler-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-codec-dns-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-codec-socks-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-codec-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-transport-native-epoll-4.1.112.Final-linux-x86_64.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-transport-classes-epoll-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-transport-native-unix-common-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-transport-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-buffer-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-resolver-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/netty-common-4.1.112.Final.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/prometheus-metrics-config-1.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/prometheus-metrics-model-1.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/prometheus-metrics-shaded-protobuf-1.2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/reactive-streams-1.0.4.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-security-crypto-6.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/logback-core-1.5.7.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/eventstream-1.0.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/third-party-jackson-core-2.28.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/HdrHistogram-2.2.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/LatencyUtils-2.0.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-digester-2.1.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-beanutils-1.9.4.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-logging-1.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/openpdf-1.3.30.jaspersoft.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jfreechart-1.0.19.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/jcommon-1.0.23.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/ecj-3.21.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] No such POM in the central repositories   file="ecj-3.21.0.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/attoparser-2.0.7.RELEASE.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/unbescape-1.1.6.RELEASE.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/commons-collections-3.2.2.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/swagger-annotations-jakarta-2.2.22.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] Parsing Java artifacts... file_path="usr/local/rvtool/backend.jar/BOOT-INF/lib/spring-boot-jarmode-tools-3.3.3.jar"
2024-10-08T15:00:19+02:00       DEBUG   [jar] No such POM in the central repositories   file="backend.jar"
2024-10-08T15:00:32+02:00       DEBUG   No secrets found in container image config
2024-10-08T15:00:32+02:00       INFO    Detected OS     family="alpine" version="3.19.4"
2024-10-08T15:00:32+02:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.19" repository="3.19" pkg_num=17
2024-10-08T15:00:32+02:00       INFO    Number of language-specific files       num=1
2024-10-08T15:00:32+02:00       INFO    [jar] Detecting vulnerabilities...
2024-10-08T15:00:32+02:00       DEBUG   [jar] Scanning packages for vulnerabilities     file_path=""
2024-10-08T15:00:32+02:00       DEBUG   Found an ignore file    file_path=".trivyignore"
2024-10-08T15:00:32+02:00       DEBUG   [vex] VEX filtering is disabled

registry.n4group.eu/team-elster/rv-tool/backend:VER_3_5 (alpine 3.19.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2024-10-08T15:00:32+02:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ commons-io:commons-io (backend.jar) │ CVE-2024-47554 │ HIGH     │ fixed  │ 2.8.0             │ 2.14.0        │ apache-commons-io: Possible denial of service attack on │
│                                     │                │          │        │                   │               │ untrusted input to XmlStreamReader                      │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47554              │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

Version

Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-08 12:17:42.276076979 +0000 UTC
  NextUpdate: 2024-10-09 12:17:42.276076839 +0000 UTC
  DownloadedAt: 2024-10-08 12:51:55.965517056 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-08 03:42:09.032838816 +0000 UTC
  NextUpdate: 2024-10-11 03:42:09.032838325 +0000 UTC
  DownloadedAt: 2024-10-08 07:46:31.681491055 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

kekore · 2024-10-08T18:40:29Z

kekore
Oct 8, 2024

Bump. Having the same false positive. It got thoroughly checked that the image has commons-io version 2.15.1 and no sign of anything with 2.8.0, however the report says the same thing as author's - 2.8.0.

0 replies

jpcmonster · 2024-10-08T19:57:34Z

jpcmonster
Oct 8, 2024

We are seeing an FP as well, but our tooling is not Trivy, so I suspect the problem is upstream somewhere - like a bad CPE. In our case 2.16.1 is present while 2.11.0 is reported.

0 replies

knqyf263 · 2024-10-09T11:19:18Z

knqyf263
Oct 9, 2024
Maintainer

Trivy relies on pom.properties for JAR scanning. In fact, velocity-engine-core-2.3.jar has pom.properties for commons-io/[email protected].

$ cat META-INF/maven/commons-io/commons-io/pom.properties
artifactId=commons-io
groupId=commons-io
version=2.8.0

Also, a DEPENDENCIES file inside the JAR file says Apache Velocity is using commons-io:commons-io:jar:2.8.0.

$ cat META-INF/DEPENDENCIES
// ------------------------------------------------------------------
// Transitive dependencies of this project determined from the
// maven pom organized by organization.
// ------------------------------------------------------------------

Apache Velocity - Engine


From: 'QOS.ch' (http://www.qos.ch)
  - SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.7.30
    License: MIT License  (http://www.opensource.org/licenses/mit-license.php)

From: 'The Apache Software Foundation' (https://www.apache.org/)
  - Apache Commons IO (https://commons.apache.org/proper/commons-io/) commons-io:commons-io:jar:2.8.0
    License: Apache License, Version 2.0  (https://www.apache.org/licenses/LICENSE-2.0.txt)
  - Apache Commons Lang (https://commons.apache.org/proper/commons-lang/) org.apache.commons:commons-lang3:jar:3.11
    License: Apache License, Version 2.0  (https://www.apache.org/licenses/LICENSE-2.0.txt)

3 replies

jankoh Oct 9, 2024
Author

Thanks for pointing this out, I must have missed that in the docs. I'll recheck as soon as I'm able to.

didxga Oct 10, 2024

Problem solved after upgrading velocity-engine-core to 2.4

knqyf263 Oct 10, 2024
Maintainer

The JAR file path is shown in the JSON report @jankoh shared. It would be appreciated if you look at the report next time.

jankoh · 2024-10-14T15:42:14Z

jankoh
Oct 14, 2024
Author

I confirm upgrading velocity-engine-core to 2.4 fixes the problem. My main source of confusion was, that we did neither see a finding using trivy fs nor got a commons-io in version 2.8.0 using gradle dependencies. Looking at the depenency graph, only velocity-engine-core shows up; without any visible dependency to commons-io 2.8.0. I should have put a closer look to the json output (we normally use the HTML output for review, and work from there).

So all is fine, trivy is not in fault, I'm closing the report.

Thanks again for the help!

Best, Jan

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

False positive for commons-io #7673

{{title}}

Replies: 4 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

False positive for commons-io #7673

jankoh Oct 8, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 4 comments · 3 replies

kekore Oct 8, 2024

jpcmonster Oct 8, 2024

knqyf263 Oct 9, 2024 Maintainer

jankoh Oct 9, 2024 Author

didxga Oct 10, 2024

knqyf263 Oct 10, 2024 Maintainer

jankoh Oct 14, 2024 Author

jankoh
Oct 8, 2024

Replies: 4 comments 3 replies

kekore
Oct 8, 2024

jpcmonster
Oct 8, 2024

knqyf263
Oct 9, 2024
Maintainer

jankoh Oct 9, 2024
Author

knqyf263 Oct 10, 2024
Maintainer

jankoh
Oct 14, 2024
Author