Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: ctlog

Scan Information (show all):

Display: Showing Vulnerable Dependencies (click to show all)

Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence Count
guava-16.0.1.jar   0 16
protobuf-java-3.2.0.jar   0 18
json-simple-1.1.1.jar com.googlecode.json-simple:json-simple:1.1.1   0 15
commons-codec-1.8.jar commons-codec:commons-codec:1.8   0 24
commons-logging-1.1.3.jar commons-logging:commons-logging:1.1.3   0 24
httpclient-4.3.3.jar cpe:/a:apache:httpclient:4.3.3 org.apache.httpcomponents:httpclient:4.3.3 Medium 2 HIGHEST 22
httpcore-4.3.2.jar org.apache.httpcomponents:httpcore:4.3.2   0 22
bcpkix-jdk15on-1.49.jar org.bouncycastle:bcpkix-jdk15on:1.49   0 21
bcprov-jdk15on-1.49.jar cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.49
org.bouncycastle:bcprov-jdk15on:1.49 Medium 1 LOW 21
hamcrest-core-1.3.jar org.hamcrest:hamcrest-core:1.3   0 17



Description:  Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

File Path: /home/capitol/.m2/repository/com/google/guava/guava/16.0.1/guava-16.0.1.jar
MD5: a68693df58191585d9af914cfbe6067a
SHA1: 5fa98cd1a63c99a44dd8d3b77e4762b066a5d0c5
Referenced In Project/Scope: ctlog:compile



Description:  Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

File Path: /home/capitol/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar
MD5: 7e1df419eb1c8f993f221c49386c6b8b
SHA1: 62ccf171a106ff6791507f2d5364c275f9a3131d
Referenced In Project/Scope: ctlog:compile



Description: A simple Java toolkit for JSON


The Apache Software License, Version 2.0:
File Path: /home/capitol/.m2/repository/com/googlecode/json-simple/json-simple/1.1.1/json-simple-1.1.1.jar
MD5: 5cc2c478d73e8454b4c369cee66c5bc7
SHA1: c9ad4a0850ab676c5c64461a05ca524cdfff59f1
Referenced In Project/Scope: ctlog:compile



Description:  The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

File Path: /home/capitol/.m2/repository/commons-codec/commons-codec/1.8/commons-codec-1.8.jar
MD5: b87aa66fe75685c82d082e750ab51b2e
SHA1: af3be3f74d25fc5163b54f56a0d394b462dafafd
Referenced In Project/Scope: ctlog:compile



Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: /home/capitol/.m2/repository/commons-logging/commons-logging/1.1.3/commons-logging-1.1.3.jar
MD5: 92eb5aabc1b47287de53d45c086a435c
SHA1: f6f66e966c70a83ffbdb6f17a0919eaf7c8aca7f
Referenced In Project/Scope: ctlog:compile



Description:  HttpComponents Client

File Path: /home/capitol/.m2/repository/org/apache/httpcomponents/httpclient/4.3.3/httpclient-4.3.3.jar
MD5: 88cc3123fce88d61b7c2cdbfc33542c5
SHA1: 18f4247ff4572a074444572cee34647c43e7c9c7
Referenced In Project/Scope: ctlog:compile



Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/ in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Vulnerable Software & Versions:


Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo," string in the O field.

Vulnerable Software & Versions: (show all)


Description:  HttpComponents Core (blocking I/O)

File Path: /home/capitol/.m2/repository/org/apache/httpcomponents/httpcore/4.3.2/httpcore-4.3.2.jar
MD5: ee3d34dce4a30c7d3002cadf8c9172c1
SHA1: 31fbbff1ddbf98f3aa7377c94d33b0447c646b6e
Referenced In Project/Scope: ctlog:compile



Description: The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.7. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.


Bouncy Castle Licence:
File Path: /home/capitol/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.49/bcpkix-jdk15on-1.49.jar
MD5: cb025ef84fb991e14fdf62f6bef7be53
SHA1: 924cc7ad2f589630c97b918f044296ebf1bb6855
Referenced In Project/Scope: ctlog:compile



Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.


Bouncy Castle Licence:
File Path: /home/capitol/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.49/bcprov-jdk15on-1.49.jar
MD5: 20f367d41a546f2c844314da5d97ea12
SHA1: f5155f04330459104b79923274db5060c1057b99
Referenced In Project/Scope: ctlog:compile


  • cpe: cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.49   Confidence:LOW   
  • cpe: cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.49   Confidence:LOW   
  • maven: org.bouncycastle:bcprov-jdk15on:1.49   Confidence:HIGHEST


Description:  This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes the a foundation set of matcher implementations for common operations.

File Path: /home/capitol/.m2/repository/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
Referenced In Project/Scope: ctlog:compile


This report contains data retrieved from the National Vulnerability Database.