NiFi packages contain other project names, which can cause incorrect identification ^pkg:maven/org\.apache\.nifi.*$ ^cpe:.*$ CVE-2022-45868 requires running H2 from a command not applicable to project references ^pkg:maven/com\.h2database/h2@2.*$ CVE-2022-45868 CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later ^pkg:maven/org\.springframework/spring\-web@.*$ CVE-2016-1000027 CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$ CVE-2020-5408 CVE-2017-10355 does not apply to Xerces 2.12.2 ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355 CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries ^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$ CVE-2007-6465 CVE-2022-31159 applies to AWS S3 library not the SWF libraries ^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$ CVE-2022-31159 Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin ^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-core ^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch ^pkg:maven/org\.elasticsearch/elasticsearch@7.*$ ^cpe:/a:elastic.*$ CVE-2021-22145 applies to Elasticsearch Server not client libraries ^pkg:maven/org\.elasticsearch/elasticsearch@.*$ CVE-2021-22145 Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries ^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$ ^cpe:/a:elastic.*$ Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer ^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$ ^cpe:/a:elastic.*$ CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library ^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$ CVE-2022-30187 CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library ^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$ CVE-2022-39135 CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library ^pkg:maven/org\.apache\.ftpserver/.*$ CVE-2010-1151 CVE-2018-14335 applies to H2 running with a web server console enabled ^pkg:maven/com\.h2database/h2@.*$ CVE-2018-14335 CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library ^pkg:maven/org\.apache\.kerby/token\-provider@.*$ CVE-2023-25613 The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities ^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$ cpe:/a:apache:tomcat Google BigQuery Storage is not the same as the gGRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$ cpe:/a:grpc:grpc Google PubSubLite is not the same as the gRPC framework library ^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$ cpe:/a:grpc:grpc CVE-2020-9040 applies to Couchbase Server not the client library ^pkg:maven/com\.couchbase\.client/core\-io@.*$ CVE-2020-9040 CVE-2022-41881 applies to HA Proxy components in Netty which are not used in Couchbase or other components ^pkg:maven/io\.netty/.*$ CVE-2022-41881 CVE-2021-34538 applies to Apache Hive server not the Storage API library ^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$ CVE-2021-34538 Hadoop vulnerabilities do not apply to HBase Hadoop2 compatibility library ^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$ cpe:/a:apache:hadoop The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ CVE-2023-35116 CVE-2023-25194 applies to Kafka Connect workers not client libraries ^pkg:maven/org\.apache\.kafka/kafka.*?@.*$ CVE-2023-25194 CVE-2022-34917 applies to Kafka brokers not client libraries ^pkg:maven/org\.apache\.kafka/kafka.*?@.*$ CVE-2022-34917 CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations ^pkg:maven/org\.apache\.kerby/kerb.*?@.*$ CVE-2023-25613 CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients ^pkg:maven/io\.netty/netty.*?@.*$ CVE-2022-24823 CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients ^pkg:maven/io\.netty/netty.*?@.*$ CVE-2022-41915 CVE-2023-34462 applies to Netty servers using SniHandler not Netty 4.1 shaded for Couchbase and HBase 2 ^pkg:maven/io\.netty/netty.*$ CVE-2023-34462 The Square Wire framework is not the same as the Wire secure communication application ^pkg:maven/com\.squareup\.wire/.*$ cpe:/a:wire:wire CVE-2023-44487 applies to Solr Server not Solr client libraries ^pkg:maven/org\.apache\.solr/solr\-solrj@.*$ CVE-2023-44487 Avro project vulnerabilities do not apply to Parquet Avro ^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$ cpe:/a:avro_project:avro CVE-2023-4759 is resolved in 6.7.0 which is already upgraded in nifi-registry ^pkg:maven/org\.eclipse\.jgit/.*$ CVE-2023-4759 CVE-2023-4586 is resolved in Netty 4.1.100 which is already upgraded ^pkg:maven/io\.netty/netty.*$ CVE-2023-4586 CVE-2023-35887 applies to MINA SSHD not MINA core libraries ^pkg:maven/org\.apache\.mina/mina\-core@.*$ CVE-2023-35887 CVE-2016-5397 applies to Apache Thrift Go not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2016-5397 CVE-2019-0210 applies to Apache Thrift Go server not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2019-0210 CVE-2018-11798 applies Apache Thrift Node.js not Java ^pkg:maven/org\.apache\.thrift/libthrift@.*$ CVE-2018-11798 CVE-2019-11939 applies to Thrift Servers in Go not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-11939 CVE-2019-3552 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3552 CVE-2019-3553 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3553 CVE-2019-3558 applies to Thrift Servers in Python not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3558 CVE-2019-3564 applies to Thrift Servers in Go not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3564 CVE-2019-3565 applies to Thrift Servers in CPP not Java ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3565 CVE-2021-24028 applies to Facebook Thrift CPP ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2021-24028 CVE-2019-11938 applies to Facebook Thrift Servers ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-11938 CVE-2019-3559 applies to Facebook Thrift Servers ^pkg:maven/org\.apache\.thrift/libfb303@.*$ CVE-2019-3559 CVE-2023-36479 was resolved in Jetty 10.0.16 ^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$ CVE-2023-36479 The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version ^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$ cpe:/a:eclipse:jetty CVE-2023-31419 applies to Elasticsearch Server not client libraries ^pkg:maven/org\.elasticsearch/elasticsearch@.*$ CVE-2023-31419 CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java ^pkg:maven/org\.apache\.avro/.*$ CVE-2023-37475 CVE-2023-45860 is resolved in Hazelcast 5.3.5 ^pkg:maven/com\.hazelcast/hazelcast@.*$ CVE-2023-45860 CVE-2023-36414 applies to Azure Identity for .NET not Java ^pkg:maven/com\.azure/azure\-identity@.*$ CVE-2023-36414 CVE-2023-36415 applies to Azure Identity for Python not Java ^pkg:maven/com\.azure/azure\-identity@.*$ CVE-2023-36415 CVE-2020-13949 applies to Thrift and not to Hive ^pkg:maven/org\.apache\.hive.*$ CVE-2020-13949 CVE-2023-44487 applies to netty-codec-http2 as a Server ^pkg:maven/io\.netty/netty.*$ CVE-2023-44487 Parquet MR vulnerabilities do not apply to other Parquet libraries ^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$ cpe:/a:apache:parquet-mr Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library ^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$ cpe:/a:apache:hadoop CVE-2017-7525 applies to Jackson 2 not Jackson 1 ^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$ CVE-2017-7525 CVE-2019-11358 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2019-11358 CVE-2020-11022 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-11022 CVE-2020-11023 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-11023 CVE-2020-23064 applies to bundled copies of jQuery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-23064 CVE-2011-4969 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2011-4969 CVE-2012-6708 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2012-6708 CVE-2015-9251 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2015-9251 CVE-2020-7656 applies to bundled copies of jQUery not used in the project ^pkg:javascript/jquery@.*$ CVE-2020-7656 jQuery vulnerability warning for historical versions ^pkg:javascript/jquery@.*$ jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates CVE-2020-28458 applies to bundled copies of jQuery datatables not used in the project ^pkg:javascript/jquery\.datatables@.*$ CVE-2020-28458 CVE-2021-23445 applies to bundled copies of jQuery datatables not used in the project ^pkg:javascript/jquery\.datatables@.*$ CVE-2021-23445 CVE-2023-44487 references gRPC for Go ^pkg:maven/io\.grpc/grpc.*$ CVE-2023-44487 Guava temporary directory file creation is not used ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2023-2976 Guava temporary directory file creation is not used ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2020-8908 CVE-2021-44521 applies to Apache Cassandra Server ^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$ CVE-2021-44521 CVE-2020-17516 applies to Apache Cassandra Server ^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$ CVE-2020-17516 CVE-2019-2684 applies to Apache Cassandra Server ^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$ CVE-2019-2684 CVE-2020-13946 applies to Apache Cassandra Server ^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$ CVE-2020-13946 Bundled versions of jQuery DataTables are not used ^pkg:javascript/jquery\.datatables@.*$ prototype pollution Bundled versions of jQuery DataTables are not used ^pkg:javascript/jquery\.datatables@.*$ possible XSS Picocli misidentified as LINE library from Android so CVE-2015-0897 does not apply ^pkg:maven/info\.picocli/picocli@.*$ CVE-2015-0897 CVE-2023-36052 applies to Azure CLI not Azure Java libraries ^pkg:maven/com\.azure/.*$ CVE-2023-36052 is newer than com.amazonaws.ion:ion-java and does not share the same vulnerabilities ^pkg:maven/software\.amazon\.ion/ion\-java@.*$ cpe:/a:amazon:ion JSON Path 2.9.0 resolves CVE-2023-51074 ^pkg:maven/com\.jayway\.jsonpath/json\-path@2.9.0$ CVE-2023-51074