This is a pretty-printed snippet of the JSON report, showing the problematic section. The problem is at line 346, where a trailing comma is written after the last property, but instead of another property the closing brace of the object follows:
{
"isVirtual": false,
"fileName": "vertx-core-4.3.8.jar",
"filePath": "\/home\/foo\/.m2\/repository\/io\/vertx\/vertx-core\/4.3.8\/vertx-core-4.3.8.jar",
"md5": "974f379634453e426fc7de0277ec8eb4",
"sha1": "95b0dff1fe86ef87a91a163e9fdda3c3709275ff",
"sha256": "9f62024fde0c306082733b550b173fce7408b6bd33512c1d70ca11000c59b00c",
"license": "The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt\nEclipse Public License - v 2.0: http:\/\/www.eclipse.org\/legal\/epl-v20.html",
"projectReferences": [
"project:compile",
"project:compile",
"project:compile",
"project:compile"
],
"includedBy": [
{
"reference": "pkg:maven\/project\/[email protected]"
},
{
"reference": "pkg:maven\/project\/[email protected]"
},
{
"reference": "pkg:maven\/project\/[email protected]"
},
{
"reference": "pkg:maven\/project\/[email protected]"
}
],
"evidenceCollected": {
"vendorEvidence": [
{
"type": "vendor",
"confidence": "HIGH",
"source": "file",
"name": "name",
"value": "vertx-core"
},
{
"type": "vendor",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "core"
},
{
"type": "vendor",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "io"
},
{
"type": "vendor",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "vertx"
},
{
"type": "vendor",
"confidence": "MEDIUM",
"source": "Manifest",
"name": "automatic-module-name",
"value": "io.vertx.core"
},
{
"type": "vendor",
"confidence": "LOW",
"source": "Manifest",
"name": "implementation-url",
"value": "http:\/\/nexus.sonatype.org\/oss-repository-hosting.html\/vertx-parent\/vertx-core"
},
{
"type": "vendor",
"confidence": "HIGH",
"source": "Manifest",
"name": "Implementation-Vendor",
"value": "Eclipse"
},
{
"type": "vendor",
"confidence": "MEDIUM",
"source": "Manifest",
"name": "Implementation-Vendor-Id",
"value": "io.vertx"
},
{
"type": "vendor",
"confidence": "LOW",
"source": "Manifest",
"name": "maven-artifact-id",
"value": "vertx-core"
},
{
"type": "vendor",
"confidence": "LOW",
"source": "Manifest",
"name": "multi-release",
"value": "true"
},
{
"type": "vendor",
"confidence": "LOW",
"source": "Manifest",
"name": "specification-vendor",
"value": "Eclipse"
},
{
"type": "vendor",
"confidence": "HIGHEST",
"source": "pom",
"name": "artifactid",
"value": "vertx-core"
},
{
"type": "vendor",
"confidence": "LOW",
"source": "pom",
"name": "artifactid",
"value": "vertx-core"
},
{
"type": "vendor",
"confidence": "HIGHEST",
"source": "pom",
"name": "groupid",
"value": "io.vertx"
},
{
"type": "vendor",
"confidence": "HIGH",
"source": "pom",
"name": "name",
"value": "Vert.x Core"
},
{
"type": "vendor",
"confidence": "LOW",
"source": "pom",
"name": "parent-artifactid",
"value": "vertx-parent"
}
],
"productEvidence": [
{
"type": "product",
"confidence": "HIGH",
"source": "file",
"name": "name",
"value": "vertx-core"
},
{
"type": "product",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "core"
},
{
"type": "product",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "http"
},
{
"type": "product",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "io"
},
{
"type": "product",
"confidence": "HIGHEST",
"source": "jar",
"name": "package name",
"value": "vertx"
},
{
"type": "product",
"confidence": "MEDIUM",
"source": "Manifest",
"name": "automatic-module-name",
"value": "io.vertx.core"
},
{
"type": "product",
"confidence": "HIGH",
"source": "Manifest",
"name": "Implementation-Title",
"value": "Vert.x Core"
},
{
"type": "product",
"confidence": "LOW",
"source": "Manifest",
"name": "implementation-url",
"value": "http:\/\/nexus.sonatype.org\/oss-repository-hosting.html\/vertx-parent\/vertx-core"
},
{
"type": "product",
"confidence": "LOW",
"source": "Manifest",
"name": "maven-artifact-id",
"value": "vertx-core"
},
{
"type": "product",
"confidence": "LOW",
"source": "Manifest",
"name": "multi-release",
"value": "true"
},
{
"type": "product",
"confidence": "MEDIUM",
"source": "Manifest",
"name": "specification-title",
"value": "Vert.x Core"
},
{
"type": "product",
"confidence": "HIGHEST",
"source": "pom",
"name": "artifactid",
"value": "vertx-core"
},
{
"type": "product",
"confidence": "HIGHEST",
"source": "pom",
"name": "groupid",
"value": "io.vertx"
},
{
"type": "product",
"confidence": "HIGH",
"source": "pom",
"name": "name",
"value": "Vert.x Core"
},
{
"type": "product",
"confidence": "MEDIUM",
"source": "pom",
"name": "parent-artifactid",
"value": "vertx-parent"
}
],
"versionEvidence": [
{
"type": "version",
"confidence": "HIGH",
"source": "file",
"name": "version",
"value": "4.3.8"
},
{
"type": "version",
"confidence": "HIGH",
"source": "Manifest",
"name": "Implementation-Version",
"value": "4.3.8"
},
{
"type": "version",
"confidence": "MEDIUM",
"source": "Manifest",
"name": "maven-version",
"value": "4.3.8"
},
{
"type": "version",
"confidence": "LOW",
"source": "pom",
"name": "parent-version",
"value": "4.3.8"
},
{
"type": "version",
"confidence": "HIGHEST",
"source": "pom",
"name": "version",
"value": "4.3.8"
}
]
},
"packages": [
{
"id": "pkg:maven\/io.vertx\/[email protected]",
"confidence": "HIGH",
"url": "https:\/\/ossindex.sonatype.org\/component\/pkg:maven\/io.vertx\/[email protected]?utm_source=dependency-check&utm_medium=integration&utm_content=12.0.0"
}
],
"vulnerabilityIds": [
{
"id": "cpe:2.3:a:eclipse:vert.x:4.3.8:*:*:*:*:*:*:*",
"confidence": "HIGH",
"url": "https:\/\/nvd.nist.gov\/vuln\/search\/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aeclipse&cpe_product=cpe%3A%2F%3Aeclipse%3Avert.x&cpe_version=cpe%3A%2F%3Aeclipse%3Avert.x%3A4.3.8"
}
],
"vulnerabilities": [
{
"source": "NVD",
"name": "CVE-2024-8391",
"severity": "MEDIUM",
"cvssv3": {
"baseScore": 7.5,
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseSeverity": "HIGH",
"exploitabilityScore": "3.9",
"impactScore": "3.6",
"version": "3.1"
},
"cvssv4": {
"source": "[email protected]",
"type": "Secondary",
"version": "4.0",
"vectorString": "CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/VI:N\/VA:L\/SC:N\/SI:N\/SA:N\/E:X\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:N\/V:X\/RE:X\/U:X",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"exploitMaturity": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"safety": "NOT_DEFINED",
"automatable": "NOT_DEFINED",
"recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
},
"cwes": [
"CWE-770"
],
"description": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00A0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00A0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)",
"notes": "",
"references": [
{
"source": "[email protected]",
"url": "https:\/\/gitlab.eclipse.org\/security\/cve-assignement\/-\/issues\/31",
"name": "ISSUE_TRACKING,VENDOR_ADVISORY"
},
{
"source": "[email protected]",
"url": "https:\/\/github.com\/eclipse-vertx\/vertx-grpc\/issues\/113",
"name": "ISSUE_TRACKING"
}
],
"vulnerableSoftware": [
{
"software": {
"id": "cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*",
"vulnerabilityIdMatched": "true",
"versionStartIncluding": "4.3.0",
"versionEndExcluding": "4.5.10"
}
}
]
},
{
"source": "OSSINDEX",
"name": "CVE-2024-1300",
"severity": "MEDIUM",
"cvssv3": {
"baseScore": 5.300000190734863,
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"baseSeverity": "MEDIUM",
"version": "3.1"
},
"cwes": [
"CWE-401"
],
"description": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2024-1300 for details",
"notes": "",
"references": [
{
"source": "OSSINDEX",
"url": "https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2024-1300?component-type=maven&component-name=io.vertx%2Fvertx-core&utm_source=dependency-check&utm_medium=integration&utm_content=12.0.0",
"name": "[CVE-2024-1300] CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')"
},
{
"source": "OSSIndex",
"url": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2024-1300",
"name": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2024-1300"
},
{
"source": "OSSIndex",
"url": "https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2263139",
"name": "https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2263139"
}
],
"vulnerableSoftware": [
{
"software": {
"id": "cpe:2.3:a:io.vertx:vertx-core:4.3.8:*:*:*:*:*:*:*",
"vulnerabilityIdMatched": "true"
}
}
]
}
]
}
14:52:40 [INFO] --- dependency-check:12.0.1:aggregate (default-cli) @ project ---
14:52:47 [INFO] Found snapshot reactor project in aggregate for project:prs-api:3.1.1-SNAPSHOT - creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.
14:52:47 [INFO] Found snapshot reactor project in aggregate for project:prs-wsdl:3.1.1-SNAPSHOT - creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.
14:52:47 [INFO] Found snapshot reactor project in aggregate for project:prs-api:3.1.1-SNAPSHOT - creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.
14:52:47 [INFO] Found snapshot reactor project in aggregate for project:prs-wsdl:3.1.1-SNAPSHOT - creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.
14:52:47 [INFO]
14:52:47
14:52:47 Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
14:52:47
14:52:47
14:52:47 About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
14:52:47 False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html
14:52:47
14:52:47 💖 Sponsor: https://github.com/sponsors/jeremylong
14:52:47
14:52:47
14:52:47 [INFO] Analysis Started
14:52:48 [INFO] Finished Archive Analyzer (1 seconds)
14:52:48 [INFO] Finished File Name Analyzer (0 seconds)
14:52:49 [INFO] Finished Jar Analyzer (1 seconds)
14:52:49 [ERROR] ----------------------------------------------------
14:52:49 [ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
14:52:49 [ERROR] The dotnet 8.0 core runtime or SDK is required to analyze assemblies
14:52:49 [ERROR] ----------------------------------------------------
14:52:49 [INFO] Finished Dependency Merging Analyzer (0 seconds)
14:52:49 [INFO] Finished Hint Analyzer (0 seconds)
14:52:49 [INFO] Finished Version Filter Analyzer (0 seconds)
14:52:51 [INFO] Created CPE Index (1 seconds)
14:52:51 [WARNING] Hosted Suppressions file is empty or missing - attempting to force the update
14:52:51 [WARNING] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file
14:52:54 [INFO] Finished CPE Analyzer (4 seconds)
14:52:54 [INFO] Finished False Positive Analyzer (0 seconds)
14:52:54 [INFO] Finished NVD CVE Analyzer (0 seconds)
14:52:56 [INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
14:52:56 [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
14:52:56 [INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
14:52:56 [INFO] Finished Dependency Bundling Analyzer (0 seconds)
14:52:56 [INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
14:52:56 [INFO] Analysis Complete (9 seconds)
14:52:56 [INFO] Writing XML report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-report.xml
14:52:56 [INFO] Writing HTML report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-report.html
14:52:57 [INFO] Writing JSON report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-report.json
14:52:57 [INFO] Writing CSV report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-report.csv
14:52:57 [INFO] Writing SARIF report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-report.sarif
14:52:57 [INFO] Writing JENKINS report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-jenkins.html
14:52:57 [INFO] Writing JUNIT report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-junit.xml
14:52:57 [INFO] Writing GITLAB report to: /home/jenkins/agent/workspace/project_default/target/dependency-check-gitlab.json
14:52:57 [WARNING]
14:52:57
14:52:57 One or more dependencies were identified with known vulnerabilities in project:
14:52:57
14:52:57 bcprov-jdk18on-1.77.jar (pkg:maven/org.bouncycastle/[email protected], cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.77:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.77:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.77:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.77:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.77:*:*:*:*:*:*:*) : CVE-2024-34447, CVE-2024-29857, CVE-2024-30171, CVE-2024-30172
14:52:57 bootstrap-5.3.3.jar (pkg:maven/org.webjars/[email protected]) : CVE-2024-6484
14:52:57 commons-io-2.11.0.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.11.0:*:*:*:*:*:*:*) : CVE-2024-47554
14:52:57 cxf-core-4.0.4.jar (pkg:maven/org.apache.cxf/[email protected], cpe:2.3:a:apache:cxf:4.0.4:*:*:*:*:*:*:*) : CVE-2024-29736, CVE-2025-23184, CVE-2024-32007, CVE-2024-41172
14:52:57 cxf-rt-wsdl-4.0.4.jar (pkg:maven/org.apache.cxf/[email protected], cpe:2.3:a:apache:cxf:4.0.4:*:*:*:*:*:*:*) : CVE-2024-29736, CVE-2024-32007, CVE-2024-41172
14:52:57 jackson-databind-2.15.4.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.15.4:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.4:*:*:*:*:*:*:*) : CVE-2023-35116
14:52:57 javax.json-1.1.4.jar (pkg:maven/org.glassfish/[email protected]) : CVE-2023-7272
14:52:57 opensaml-governikus-extension-1.1.0.jar (pkg:maven/de.governikus.opensaml.extension/[email protected], cpe:2.3:a:shibboleth:opensaml:1.1.0:*:*:*:*:*:*:*) : CVE-2017-16853, CVE-2013-6440
14:52:57 spring-core-6.0.18.jar (pkg:maven/org.springframework/[email protected], cpe:2.3:a:pivotal_software:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:6.0.18:*:*:*:*:*:*:*) : CVE-2024-38820
14:52:57 spring-security-web-6.1.8.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:6.1.8:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_security:6.1.8:*:*:*:*:*:*:*, cpe:2.3:a:web_project:web:6.1.8:*:*:*:*:*:*:*) : CVE-2024-38821
14:52:57 spring-web-6.0.18.jar (pkg:maven/org.springframework/[email protected], cpe:2.3:a:pivotal_software:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:web_project:web:6.0.18:*:*:*:*:*:*:*) : CVE-2024-38809, CVE-2024-22262, CVE-2024-38820
14:52:57 spring-webmvc-6.0.18.jar (pkg:maven/org.springframework/[email protected], cpe:2.3:a:pivotal_software:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:6.0.18:*:*:*:*:*:*:*, cpe:2.3:a:web_project:web:6.0.18:*:*:*:*:*:*:*) : CVE-2024-38816, CVE-2024-38820
14:52:57 thymeleaf-expression-processor-3.1.1.jar (pkg:maven/nz.net.ultraq.thymeleaf/[email protected], cpe:2.3:a:thymeleaf:thymeleaf:3.1.1:*:*:*:*:*:*:*) : CVE-2023-38286
14:52:57 velocity-engine-core-2.3.jar/META-INF/maven/commons-io/commons-io/pom.xml (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.8.0:*:*:*:*:*:*:*) : CVE-2024-47554
14:52:57 vertx-core-4.3.8.jar (pkg:maven/io.vertx/[email protected], cpe:2.3:a:eclipse:vert.x:4.3.8:*:*:*:*:*:*:*) : CVE-2024-8391, CVE-2024-1300
14:52:57
14:52:57
14:52:57 See the dependency-check report for more details.
Describe the bug
The JSON report contains invalid JSON data.
This is a pretty-printed snippet of the JSON report, showing the problematic section. The problem is at line 346, where a trailing comma is written after the last property, but instead of another property the closing brace of the object follows:
Version of dependency-check used
12.0.0 and 12.0.1 with the maven plugin
Log file
To Reproduce
I am not yet sure how to reproduce this; I will investigate further if necessary.
Expected behavior
The JSON report should contain valid JSON; a report that does not parse cannot be consumed by any downstream tooling that reads it.
Additional context
The problematic section is in the cvssv4 element, and the complete JSON report contains only one cvssv4 section. The trailing comma after the last emitted property ("baseSeverity") looks like a separator written for a value that was then omitted, so I suspect there is a bug in the cvssv4 generation.