chore(findings): blackduck/blackduck/blackduck-bomengine
Summary
blackduck/blackduck/blackduck-bomengine has 222 new findings discovered during continuous monitoring.
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=blackduck/blackduck/blackduck-bomengine&tag=2025.7.0_ubi9.6&branch=master
EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.
| id | source | severity | package | epss_score | kev | impact | workaround |
|---|---|---|---|---|---|---|---|
| CVE-2024-38816 | Twistlock CVE | High | spring-webmvc-5.3.34 | 0.93813 | false | ||
| CVE-2024-38819 | Twistlock CVE | High | spring-webmvc-5.3.34 | 0.71765 | false | ||
| CVE-2016-1000027 | Twistlock CVE | Critical | spring-web-5.3.34 | 0.66439 | false | ||
| CVE-2024-38821 | Twistlock CVE | Critical | spring-security-web-5.8.5 | 0.10078 | false | ||
| CVE-2025-31650 | Twistlock CVE | High | tomcat-embed-core-9.0.100 | 0.07476 | false | ||
| CVE-2025-31650 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.07476 | false | ||
| CVE-2025-31650 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.07476 | false | ||
| CVE-2025-31650 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.07476 | false | ||
| CVE-2025-31650 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.07476 | false | ||
| CVE-2017-6519 | Twistlock CVE | Low | avahi-0.8-23.el9 | 0.01477 | false | ||
| CVE-2017-6519 | Anchore CVE | Low | avahi-libs-0.8-23.el9 | 0.01477 | false | ||
| CVE-2024-38820 | Twistlock CVE | Medium | spring-context-5.3.34 | 0.00832 | false | ||
| CVE-2024-38820 | Twistlock CVE | Medium | spring-web-5.3.34 | 0.00832 | false | ||
| CVE-2024-38820 | Twistlock CVE | Medium | spring-core-5.3.34 | 0.00832 | false | ||
| CVE-2024-38820 | Anchore CVE | Medium | spring-core-5.3.34 | 0.00832 | false | ||
| CVE-2024-38808 | Twistlock CVE | Medium | spring-expression-5.3.34 | 0.00809 | false | ||
| CVE-2024-38808 | Twistlock CVE | Low | spring-core-5.3.34 | 0.00809 | false | ||
| CVE-2024-38808 | Twistlock CVE | Low | spring-web-5.3.34 | 0.00809 | false | ||
| CVE-2024-38808 | Anchore CVE | Medium | spring-core-5.3.34 | 0.00809 | false | ||
| CVE-2023-46120 | Twistlock CVE | Medium | com.rabbitmq_amqp-client-5.14.3 | 0.00738 | false | ||
| CVE-2022-22969 | Twistlock CVE | Medium | org.springframework.security.oauth_spring-security-oauth2-2.5.0.RELEASE | 0.00665 | false | ||
| CVE-2024-26308 | Twistlock CVE | Medium | org.apache.commons_commons-compress-1.21 | 0.00448 | false | ||
| CVE-2024-29857 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.67.0 | 0.00337 | false | ||
| CVE-2024-38828 | Twistlock CVE | Medium | spring-webmvc-5.3.34 | 0.00329 | false | ||
| CVE-2023-33201 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.67.0 | 0.00318 | false | ||
| CVE-2025-50151 | Anchore CVE | High | jena-base-5.2.0 | 0.00284 | false | ||
| CVE-2025-50151 | Anchore CVE | High | jena-core-5.2.0 | 0.00284 | false | ||
| CVE-2025-50151 | Anchore CVE | High | jena-iri-5.2.0 | 0.00284 | false | ||
| CVE-2025-50151 | Anchore CVE | High | jena-arq-5.2.0 | 0.00284 | false | ||
| CVE-2024-22257 | Twistlock CVE | High | spring-security-core-5.8.5 | 0.00264 | false | ||
| CVE-2025-48989 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00196 | false | ||
| CVE-2025-48989 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00196 | false | ||
| CVE-2025-48989 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00196 | false | ||
| CVE-2025-48989 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00196 | false | ||
| CVE-2025-48989 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00196 | false | ||
| CVE-2025-46392 | Twistlock CVE | Low | commons-configuration_commons-configuration-1.8 | 0.00181 | false | ||
| CVE-2024-47554 | Twistlock CVE | Low | commons-io_commons-io-2.8.0 | 0.00173 | false | ||
| CVE-2025-55752 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00171 | false | ||
| CVE-2025-55752 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00171 | false | ||
| CVE-2025-55752 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00171 | false | ||
| CVE-2025-55752 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00171 | false | ||
| CVE-2025-55752 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00171 | false | ||
| CVE-2025-61795 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00169 | false | ||
| CVE-2025-61795 | Anchore CVE | Medium | tomcat-embed-websocket-9.0.100 | 0.00169 | false | ||
| CVE-2025-61795 | Anchore CVE | Medium | tomcat-embed-el-9.0.100 | 0.00169 | false | ||
| CVE-2025-61795 | Anchore CVE | Medium | tomcat-juli-9.0.100 | 0.00169 | false | ||
| CVE-2025-61795 | Anchore CVE | Medium | tomcat-jdbc-9.0.100 | 0.00169 | false | ||
| CVE-2025-49656 | Anchore CVE | High | jena-iri-5.2.0 | 0.00169 | false | ||
| CVE-2025-49656 | Anchore CVE | High | jena-arq-5.2.0 | 0.00169 | false | ||
| CVE-2025-49656 | Anchore CVE | High | jena-core-5.2.0 | 0.00169 | false | ||
| CVE-2025-49656 | Anchore CVE | High | jena-base-5.2.0 | 0.00169 | false | ||
| CVE-2023-44483 | Twistlock CVE | Medium | org.apache.santuario_xmlsec-2.2.3 | 0.00169 | false | ||
| CVE-2025-48976 | Twistlock CVE | Low | commons-fileupload_commons-fileupload-1.5 | 0.00168 | false | ||
| CVE-2023-33202 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.67.0 | 0.00159 | false | ||
| CVE-2025-53506 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00144 | false | ||
| CVE-2025-53506 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00144 | false | ||
| CVE-2025-53506 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00144 | false | ||
| CVE-2025-53506 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00144 | false | ||
| CVE-2025-53506 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00144 | false | ||
| CVE-2025-53506 | Anchore CVE | High | tomcat-embed-core-9.0.100 | 0.00144 | false | ||
| CVE-2025-52434 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00141 | false | ||
| CVE-2025-52434 | Anchore CVE | High | tomcat-embed-core-9.0.100 | 0.00141 | false | ||
| CVE-2025-52434 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00141 | false | ||
| CVE-2025-52434 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00141 | false | ||
| CVE-2025-52434 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00141 | false | ||
| CVE-2025-52434 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00141 | false | ||
| CVE-2024-38827 | Twistlock CVE | Medium | spring-security-core-5.8.5 | 0.00141 | false | ||
| CVE-2025-48988 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00124 | false | ||
| CVE-2025-48988 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00124 | false | ||
| CVE-2025-48988 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00124 | false | ||
| CVE-2025-48988 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00124 | false | ||
| CVE-2025-48988 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00124 | false | ||
| CVE-2024-38829 | Twistlock CVE | Medium | spring-ldap-core-2.4.1 | 0.00117 | false | ||
| CVE-2025-52520 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00107 | false | ||
| CVE-2025-52520 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00107 | false | ||
| CVE-2025-52520 | Anchore CVE | High | tomcat-embed-core-9.0.100 | 0.00107 | false | ||
| CVE-2025-52520 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00107 | false | ||
| CVE-2025-52520 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00107 | false | ||
| CVE-2025-52520 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00107 | false | ||
| CVE-2024-38809 | Twistlock CVE | Medium | spring-web-5.3.34 | 0.00107 | false | ||
| CVE-2024-30171 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.67.0 | 0.00100 | false | ||
| CVE-2025-30698 | Anchore CVE | Medium | java-11-openjdk-headless-1:11.0.25.0.9-7.el9 | 0.00092 | false | ||
| CVE-2025-30698 | Twistlock CVE | Medium | java-11-openjdk-1:11.0.25.0.9-7.el9 | 0.00092 | false | ||
| CVE-2025-49125 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00091 | false | ||
| CVE-2025-49125 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00091 | false | ||
| CVE-2025-49125 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00091 | false | ||
| CVE-2025-49125 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00091 | false | ||
| CVE-2025-49125 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00091 | false | ||
| CVE-2025-22228 | Twistlock CVE | High | spring-security-crypto-5.8.5 | 0.00091 | false | ||
| CVE-2025-8916 | Twistlock CVE | Medium | org.bouncycastle_bcpkix-jdk15on-1.67.00.0 | 0.00087 | false | ||
| CVE-2025-22235 | Twistlock CVE | High | spring-boot-2.7.18 | 0.00087 | false | ||
| CVE-2025-21502 | Anchore CVE | Medium | java-11-openjdk-headless-1:11.0.25.0.9-7.el9 | 0.00083 | false | ||
| CVE-2025-21502 | Twistlock CVE | Medium | java-11-openjdk-1:11.0.25.0.9-7.el9 | 0.00083 | false | ||
| CVE-2025-41249 | Twistlock CVE | High | spring-core-5.3.34 | 0.00080 | false | ||
| CVE-2025-21587 | Anchore CVE | Medium | java-11-openjdk-headless-1:11.0.25.0.9-7.el9 | 0.00079 | false | ||
| CVE-2025-21587 | Twistlock CVE | Medium | java-11-openjdk-1:11.0.25.0.9-7.el9 | 0.00079 | false | ||
| CVE-2025-55754 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00076 | false | ||
| CVE-2021-25317 | Twistlock CVE | Low | cups-1:2.3.3op2-34.el9_7 | 0.00076 | false | ||
| CVE-2021-25317 | Anchore CVE | Low | cups-libs-1:2.3.3op2-34.el9_7 | 0.00076 | false | ||
| CVE-2025-30204 | Twistlock CVE | High | github.com/golang-jwt/jwt/v5-v5.2.1 | 0.00072 | false | ||
| CVE-2025-64518 | Twistlock CVE | High | org.cyclonedx_cyclonedx-core-java-9.0.4 | 0.00069 | false | ||
| CVE-2025-66516 | Twistlock CVE | Critical | org.apache.tika_tika-core-1.28.4 | 0.00063 | false | ||
| CVE-2025-41242 | Twistlock CVE | Medium | spring-webmvc-5.3.34 | 0.00058 | false | ||
| CVE-2025-31651 | Twistlock CVE | Critical | tomcat-embed-core-9.0.100 | 0.00058 | false | ||
| CVE-2025-31651 | Anchore CVE | Critical | tomcat-jdbc-9.0.100 | 0.00058 | false | ||
| CVE-2025-31651 | Anchore CVE | Critical | tomcat-embed-el-9.0.100 | 0.00058 | false | ||
| CVE-2025-31651 | Anchore CVE | Critical | tomcat-juli-9.0.100 | 0.00058 | false | ||
| CVE-2025-31651 | Anchore CVE | Critical | tomcat-embed-websocket-9.0.100 | 0.00058 | false | ||
| CVE-2025-10543 | Twistlock CVE | Medium | github.com/eclipse/paho.mqtt.golang-v1.3.5 | 0.00055 | false | ||
| CVE-2025-30691 | Anchore CVE | Medium | java-11-openjdk-headless-1:11.0.25.0.9-7.el9 | 0.00047 | false | ||
| CVE-2025-30691 | Twistlock CVE | Medium | java-11-openjdk-1:11.0.25.0.9-7.el9 | 0.00047 | false | ||
| CVE-2023-34042 | Twistlock CVE | Medium | spring-security-core-5.8.5 | 0.00045 | false | ||
| CVE-2023-34042 | Anchore CVE | Medium | spring-security-core-5.8.5 | 0.00045 | false | ||
| CVE-2023-4504 | Twistlock CVE | Medium | cups-1:2.3.3op2-34.el9_7 | 0.00038 | false | ||
| CVE-2023-4504 | Anchore CVE | Medium | cups-libs-1:2.3.3op2-34.el9_7 | 0.00038 | false | ||
| CVE-2025-58185 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00033 | false | ||
| CVE-2025-9403 | Twistlock CVE | Low | jq-1.6-19.el9 | 0.00031 | false | ||
| CVE-2025-9403 | Anchore CVE | Low | jq-1.6-19.el9 | 0.00031 | false | ||
| CVE-2025-58186 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00029 | false | ||
| CVE-2024-51744 | Twistlock CVE | Low | github.com/golang-jwt/jwt/v4-v4.5.0 | 0.00027 | false | ||
| CVE-2025-61725 | Anchore CVE | High | stdlib-go1.23.8 | 0.00026 | false | ||
| CVE-2025-61723 | Anchore CVE | High | stdlib-go1.23.8 | 0.00026 | false | ||
| CVE-2025-61724 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00025 | false | ||
| CVE-2025-49124 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00025 | false | ||
| CVE-2025-49124 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00025 | false | ||
| CVE-2025-49124 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00025 | false | ||
| CVE-2025-49124 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00025 | false | ||
| CVE-2025-49124 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00025 | false | ||
| CVE-2025-47912 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00025 | false | ||
| CVE-2025-54988 | Twistlock CVE | Low | org.apache.tika_tika-core-1.28.4 | 0.00024 | false | ||
| CVE-2025-54988 | Anchore CVE | Critical | tika-core-1.28.4 | 0.00024 | false | ||
| CVE-2025-47907 | Anchore CVE | High | stdlib-go1.23.8 | 0.00024 | false | ||
| CVE-2025-46701 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00024 | false | ||
| CVE-2025-46701 | Anchore CVE | High | tomcat-juli-9.0.100 | 0.00024 | false | ||
| CVE-2025-46701 | Anchore CVE | High | tomcat-embed-websocket-9.0.100 | 0.00024 | false | ||
| CVE-2025-46701 | Anchore CVE | High | tomcat-jdbc-9.0.100 | 0.00024 | false | ||
| CVE-2025-46701 | Anchore CVE | High | tomcat-embed-el-9.0.100 | 0.00024 | false | ||
| CVE-2025-61727 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00021 | false | ||
| CVE-2025-22233 | Twistlock CVE | Low | spring-context-5.3.34 | 0.00021 | false | ||
| CVE-2025-47906 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00020 | false | ||
| CVE-2025-58189 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00019 | false | ||
| CVE-2024-25710 | Twistlock CVE | Medium | org.apache.commons_commons-compress-1.21 | 0.00018 | false | ||
| CVE-2025-61915 | Twistlock CVE | Medium | cups-1:2.3.3op2-34.el9_7 | 0.00017 | false | ||
| CVE-2025-61915 | Anchore CVE | Medium | cups-libs-1:2.3.3op2-34.el9_7 | 0.00017 | false | ||
| CVE-2025-61729 | Anchore CVE | High | stdlib-go1.23.8 | 0.00016 | false | ||
| CVE-2025-49112 | Anchore CVE | Low | bucket4j-redis-8.6.0 | 0.00016 | false | ||
| CVE-2025-58187 | Anchore CVE | High | stdlib-go1.23.8 | 0.00015 | false | ||
| CVE-2025-55668 | Twistlock CVE | Low | tomcat-embed-core-9.0.100 | 0.00015 | false | ||
| CVE-2025-55668 | Anchore CVE | Medium | tomcat-jdbc-9.0.100 | 0.00015 | false | ||
| CVE-2025-55668 | Anchore CVE | Medium | tomcat-embed-core-9.0.100 | 0.00015 | false | ||
| CVE-2025-55668 | Anchore CVE | Medium | tomcat-embed-el-9.0.100 | 0.00015 | false | ||
| CVE-2025-55668 | Anchore CVE | Medium | tomcat-embed-websocket-9.0.100 | 0.00015 | false | ||
| CVE-2025-55668 | Anchore CVE | Medium | tomcat-juli-9.0.100 | 0.00015 | false | ||
| CVE-2025-58188 | Anchore CVE | High | stdlib-go1.23.8 | 0.00014 | false | ||
| CVE-2025-58183 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00014 | false | ||
| CVE-2025-48924 | Twistlock CVE | Medium | commons-lang_commons-lang-2.6 | 0.00014 | false | ||
| CVE-2025-48924 | Twistlock CVE | Medium | org.apache.commons_commons-lang3-3.17.0 | 0.00014 | false | ||
| CVE-2025-58436 | Twistlock CVE | Medium | cups-1:2.3.3op2-34.el9_7 | 0.00012 | false | ||
| CVE-2025-58436 | Anchore CVE | Medium | cups-libs-1:2.3.3op2-34.el9_7 | 0.00012 | false | ||
| CVE-2025-4673 | Anchore CVE | Medium | stdlib-go1.23.8 | 0.00010 | false | ||
| CVE-2025-54410 | Twistlock CVE | Low | github.com/docker/docker-v27.3.1 | 0.00007 | false | ||
| CVE-2025-4674 | Anchore CVE | High | stdlib-go1.23.8 | 0.00005 | false | ||
| CVE-2023-2004 | Anchore CVE | Low | java-11-openjdk-headless-1:11.0.25.0.9-7.el9 | N/A | false | ||
| CVE-2022-3857 | Anchore CVE | Low | java-11-openjdk-headless-1:11.0.25.0.9-7.el9 | N/A | false | ||
| PRISMA-2021-0055 | Twistlock CVE | Low | commons-codec_commons-codec-1.11 | N/A | N/A | ||
| GO-2025-3900 | Twistlock CVE | Medium | github.com/go-viper/mapstructure/v2-v2.2.1 | N/A | N/A | ||
| GO-2025-3787 | Twistlock CVE | Medium | github.com/go-viper/mapstructure/v2-v2.2.1 | N/A | N/A | ||
| GHSA-xfrj-6vvc-3xm2 | Anchore CVE | Medium | xmlsec-2.2.3 | N/A | N/A | ||
| GHSA-wmwf-9ccg-fff5 | Anchore CVE | High | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-wjxj-5m7g-mg7q | Anchore CVE | Medium | bcprov-jdk15on-1.67 | N/A | N/A | ||
| GHSA-wc4r-xq3c-5cf3 | Anchore CVE | Medium | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-w3c8-7r8f-9jp8 | Anchore CVE | Medium | spring-webmvc-5.3.34 | N/A | N/A | ||
| GHSA-vv7r-c36w-3prj | Anchore CVE | High | commons-fileupload-1.5 | N/A | N/A | ||
| GHSA-vfww-5hm6-hx2j | Anchore CVE | Low | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-v435-xc8x-wvr9 | Anchore CVE | Medium | bcprov-jdk15on-1.67 | N/A | N/A | ||
| GHSA-rc42-6c7j-7h5r | Anchore CVE | High | spring-boot-2.7.18 | N/A | N/A | ||
| GHSA-r936-gwx5-v52f | Anchore CVE | Medium | spring-webmvc-5.3.34 | N/A | N/A | ||
| GHSA-q3v6-hm2v-pw99 | Anchore CVE | Medium | spring-security-core-5.8.5 | N/A | N/A | ||
| GHSA-pvp8-3xj6-8c6x | Anchore CVE | Low | commons-configuration-1.8 | N/A | N/A | ||
| GHSA-mm8h-8587-p46h | Anchore CVE | Medium | amqp-client-5.14.3 | N/A | N/A | ||
| GHSA-mh63-6h87-95cp | Anchore CVE | High | github.com/golang-jwt/jwt/v5-v5.2.1 | N/A | N/A | ||
| GHSA-mh63-6h87-95cp | Anchore CVE | High | github.com/golang-jwt/jwt/v4-v4.5.0 | N/A | N/A | ||
| GHSA-mg83-c7gq-rv5c | Anchore CVE | High | spring-security-crypto-5.8.5 | N/A | N/A | ||
| GHSA-jmp9-x22r-554x | Anchore CVE | High | spring-core-5.3.34 | N/A | N/A | ||
| GHSA-j5w8-q4qc-rx2x | Anchore CVE | Medium | golang.org/x/crypto-v0.36.0 | N/A | N/A | ||
| GHSA-j288-q9x7-2f5v | Anchore CVE | Medium | commons-lang-2.6 | N/A | N/A | ||
| GHSA-j288-q9x7-2f5v | Anchore CVE | Medium | commons-lang3-3.17.0 | N/A | N/A | ||
| GHSA-hr8g-6v94-x4m9 | Anchore CVE | Medium | bcprov-jdk15on-1.67 | N/A | N/A | ||
| GHSA-hgrr-935x-pq79 | Anchore CVE | Low | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-h3gc-qfqq-6h8f | Anchore CVE | High | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-h2fw-rfh5-95r3 | Anchore CVE | Low | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-gqp3-2cvr-x8m3 | Anchore CVE | High | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-g5vr-rgqm-vf78 | Anchore CVE | High | spring-webmvc-5.3.34 | N/A | N/A | ||
| GHSA-fv92-fjc5-jj9h | Anchore CVE | Medium | github.com/go-viper/mapstructure/v2-v2.2.1 | N/A | N/A | ||
| GHSA-ff77-26x5-69cr | Anchore CVE | Low | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-f6x5-jh6r-wrfv | Anchore CVE | Medium | golang.org/x/crypto-v0.36.0 | N/A | N/A | ||
| GHSA-f58c-gq56-vjjf | Anchore CVE | Critical | tika-core-1.28.4 | N/A | N/A | ||
| GHSA-f3jh-qvm4-mg39 | Anchore CVE | High | spring-security-core-5.8.5 | N/A | N/A | ||
| GHSA-cx7f-g6mp-7hqm | Anchore CVE | High | spring-webmvc-5.3.34 | N/A | N/A | ||
| GHSA-c4q5-6c82-3qpw | Anchore CVE | Critical | spring-security-web-5.8.5 | N/A | N/A | ||
| GHSA-c2cp-3xj9-97w9 | Anchore CVE | Medium | spring-security-oauth2-2.5.0.RELEASE | N/A | N/A | ||
| GHSA-9cmq-m9j5-mvww | Anchore CVE | Medium | spring-expression-5.3.34 | N/A | N/A | ||
| GHSA-8xfc-gm6g-vgpv | Anchore CVE | Medium | bcprov-jdk15on-1.67 | N/A | N/A | ||
| GHSA-78wr-2p64-hpwj | Anchore CVE | High | commons-io-2.8.0 | N/A | N/A | ||
| GHSA-6v2p-p543-phr9 | Anchore CVE | High | golang.org/x/oauth2-v0.24.0 | N/A | N/A | ||
| GHSA-6fhj-vr9j-g45r | Anchore CVE | High | cyclonedx-core-java-9.0.4 | N/A | N/A | ||
| GHSA-4wp7-92pw-q264 | Anchore CVE | Low | spring-context-5.3.34 | N/A | N/A | ||
| GHSA-4vq8-7jfc-9cvp | Anchore CVE | Low | github.com/docker/docker-v27.3.1+incompatible | N/A | N/A | ||
| GHSA-4gc7-5j7h-4qph | Anchore CVE | Medium | spring-web-5.3.34 | N/A | N/A | ||
| GHSA-4gc7-5j7h-4qph | Anchore CVE | Medium | spring-context-5.3.34 | N/A | N/A | ||
| GHSA-4g9r-vxhx-9pgx | Anchore CVE | Medium | commons-compress-1.21 | N/A | N/A | ||
| GHSA-4cx2-fc23-5wg6 | Anchore CVE | Medium | bcpkix-jdk15on-1.67 | N/A | N/A | ||
| GHSA-42wg-hm62-jcwg | Anchore CVE | Medium | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-4265-ccf5-phj5 | Anchore CVE | Medium | commons-compress-1.21 | N/A | N/A | ||
| GHSA-3p2h-wqq4-wf4h | Anchore CVE | Medium | tomcat-embed-core-9.0.100 | N/A | N/A | ||
| GHSA-32fw-gq77-f2f2 | Anchore CVE | Medium | github.com/eclipse/paho.mqtt.golang-v1.3.5 | N/A | N/A | ||
| GHSA-3295-h9qx-r82x | Anchore CVE | Medium | acegi-security-1.0.7 | N/A | N/A | ||
| GHSA-2rmj-mq67-h97g | Anchore CVE | Medium | spring-web-5.3.34 | N/A | N/A | ||
| GHSA-29wx-vh33-7x7r | Anchore CVE | Low | github.com/golang-jwt/jwt/v4-v4.5.0 | N/A | N/A | ||
| GHSA-2464-8j7c-4cjm | Anchore CVE | Medium | github.com/go-viper/mapstructure/v2-v2.2.1 | N/A | N/A | ||
| CCE-83911-8 | OSCAP Compliance | Medium | | N/A | N/A | | |
| CCE-83623-9 | OSCAP Compliance | Medium | | N/A | N/A | | |
Tasks
Contributor:
- Apply the StatusReview label to this issue for a merge request review and wait for feedback
OR
- Provide justifications for findings in the VAT (docs)
- Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.