From 2699668c07d0b02fe877c4668893772b31459030 Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Mon, 27 Feb 2023 15:09:47 +0530
Subject: [PATCH 01/10] Fix. Veracode reader condition check

---
 .../score/parsers/VeracodeReader.java         |    3 +-
 .../score/parsers/VeracodeReaderTest.java     |   23 +
 .../testfiles/Benchmark_Veracode.xml          | 1366 +++++++++++++++++
 3 files changed, 1391 insertions(+), 1 deletion(-)
 create mode 100644 plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java
 create mode 100644 plugin/src/test/resources/testfiles/Benchmark_Veracode.xml

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
index c052ccc7..5b58f4d7 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
@@ -40,7 +40,8 @@ public class VeracodeReader extends Reader {
     @Override
     public boolean canRead(ResultFile resultFile) {
         return resultFile.filename().endsWith(".xml")
-                && resultFile.line(1).startsWith("<detailedreport");
+                && (resultFile.line(1).startsWith("<detailedreport")
+                        || resultFile.line(2).startsWith("<detailedreport"));
     }
 
     @Override
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java
new file mode 100644
index 00000000..f869d0d7
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java
@@ -0,0 +1,23 @@
+package org.owasp.benchmarkutils.score.parsers;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestHelper;
+
+class VeracodeReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Veracode.xml");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    void onlyVeracodeReportCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, VeracodeReader.class);
+    }
+}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml b/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml
new file mode 100644
index 00000000..c0e0f513
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml
@@ -0,0 +1,1366 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<detailedreport xmlns:xsi="http&#x3a;&#x2f;&#x2f;www.w3.org&#x2f;2001&#x2f;XMLSchema-instance" xmlns="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0" xsi:schemaLocation="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0 https&#x3a;&#x2f;&#x2f;analysiscenter.veracode.com&#x2f;resource&#x2f;detailedreport.xsd">
+    <severity level="5">
+        <category categoryid="18" categoryname="Command or Argument Injection" pcirelated="true">
+            <desc>
+                <para text="Command or argument injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct and execute a command.  In the case of OS command injection, an attacker may be able to either alter the command executed by the application or append additional commands.  In the case of argument injection, the attacker may influence the behavior of the program in other ways, for example, changing the destination of an outbound network request or injecting additional commands into an argument or parameter. The command is typically executed with the privileges of the executing process and gives an attacker a privilege or capability that he would not otherwise have." />
+            </desc>
+            <recommendations>
+                <para text="Careful handling of all untrusted data is critical in preventing injection attacks.   Using one or more of the following techniques provides defense-in-depth and minimizes the likelihood of an vulnerability.">
+                    <bulletitem text="If possible, use library calls rather than external processes to recreate the desired functionality." />
+                    <bulletitem text="Validate user-supplied input using positive filters &#x28;white lists&#x29; to ensure that it conforms to the expected format, using centralized data validation routines when possible. " />
+                    <bulletitem text="Select safe API routines.  Some APIs that execute system commands take an array of strings as input rather than a single string, which protects against some forms of command injection by ensuring that a user-supplied argument cannot be interpreted as part of the command." />
+                </para>
+            </recommendations>
+            <cwe cweid="78" cwename="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" pcirelated="true" owasp="1347" sans="864" certc="1165" certcpp="875" certjava="1134">
+                <description>
+                    <text text="This call contains a command injection flaw.  The argument to the function is constructed using untrusted input.  If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process.  The level of exposure depends on the effectiveness of input validation routines, if any." />
+                </description>
+                <staticflaws>
+                    <flaw severity="5" categoryname="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" count="1" issueid="213" module="benchmark.war" type="java.lang.ProcessBuilder.start"
+                        description="This call to java.lang.ProcessBuilder.start&#x28;&#x29; contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. start&#x28;&#x29; was called on the pb object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a &#x22;safe&#x22; version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;78.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;Command_Injection&#x29;&#xd;&#xa;&#xd;&#xa;"
+                        note="" cweid="78" remediationeffort="3" exploitLevel="2" categoryid="18" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ccp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00006.java" line="69" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00006" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="83">
+                        <exploitability_adjustments>
+                            <exploitability_adjustment score_adjustment="1">
+                                <note>This source of the tainted data is an external web request.</note>
+                            </exploitability_adjustment>
+                        </exploitability_adjustments>
+                    </flaw>
+                    <flaw severity="5" categoryname="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" count="1" issueid="212" module="benchmark.war" type="java.lang.Runtime.exec"
+                        description="This call to java.lang.Runtime.exec&#x28;&#x29; contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec&#x28;&#x29; contains tainted data from the variable args. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a &#x22;safe&#x22; version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;78.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;Command_Injection&#x29;&#xd;&#xa;&#xd;&#xa;"
+                        note="" cweid="78" remediationeffort="3" exploitLevel="2" categoryid="18" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ccp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00007.java" line="61" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00007" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="65">
+                        <exploitability_adjustments>
+                            <exploitability_adjustment score_adjustment="1">
+                                <note>This source of the tainted data is an external web request.</note>
+                            </exploitability_adjustment>
+                        </exploitability_adjustments>
+                    </flaw>
+                </staticflaws>
+            </cwe>
+        </category>
+    </severity>
+    <severity level="4">
+        <category categoryid="19" categoryname="SQL Injection" pcirelated="true">
+            <desc>
+                <para text="SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct a SQL query.  This allows an attacker to manipulate database queries in order to access, modify, or delete arbitrary data.  Depending on the platform, database type, and configuration, it may also be possible to execute administrative operations on the database, access the filesystem, or execute arbitrary system commands.  SQL injection attacks can also be used to subvert authentication and authorization schemes, which would enable an attacker to gain privileged access to restricted portions of the application." />
+            </desc>
+            <recommendations>
+                <para text="Several techniques can be used to prevent SQL injection attacks. These techniques complement each other and address security at different points in the application. Using multiple techniques provides defense-in-depth and minimizes the likelihood of a SQL injection vulnerability.">
+                    <bulletitem text="Use parameterized prepared statements rather than dynamically constructing SQL queries.  This will prevent the database from interpreting the contents of bind variables as part of the query and is the most effective defense against SQL injection." />
+                    <bulletitem text="Validate user-supplied input using positive filters &#x28;white lists&#x29; to ensure that it conforms to the expected format, using centralized data validation routines when possible. " />
+                    <bulletitem text="Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. This means that all URL-encoded &#x28;&#x25;xx&#x29;, HTML-encoded &#x28;&#x26;&#x23;xx&#x3b;&#x29;, or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters." />
+                    <bulletitem text="When using database abstraction libraries such as Hibernate, do not assume that all methods exposed by the API will automatically prevent SQL injection attacks.  Most libraries contain methods that pass arbitrary queries to the database in an unsafe manner." />
+                </para>
+            </recommendations>
+            <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command &#x28;&#x27;SQL Injection&#x27;&#x29;" pcirelated="true" owasp="1347" sans="864">
+                <description>
+                    <text text="This database query contains a SQL injection flaw.  The function call constructs a dynamic SQL query using a variable derived from untrusted input.  An attacker could exploit this flaw to execute arbitrary SQL queries against the database." />
+                </description>
+                <staticflaws>
+                    <flaw severity="4" categoryname="Improper Neutralization of Special Elements used in an SQL Command &#x28;&#x27;SQL Injection&#x27;&#x29;" count="1" issueid="642" module="benchmark.war" type="java.sql.PreparedStatement.executeQuery"
+                        description="This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery&#x28;&#x29; constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery&#x28;&#x29; was called on the statement object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;89.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;SQL_Injection&#x29;&#xd;&#xa;&#xd;&#xa;"
+                        note="" cweid="89" remediationeffort="3" exploitLevel="2" categoryid="19" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ppp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00008.java" line="58" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00008" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="76">
+                        <exploitability_adjustments>
+                            <exploitability_adjustment score_adjustment="1">
+                                <note>This source of the tainted data is an external web request.</note>
+                            </exploitability_adjustment>
+                        </exploitability_adjustments>
+                    </flaw>
+                </staticflaws>
+            </cwe>
+        </category>
+    </severity>
+    <severity level="3" />
+    <severity level="2" />
+    <severity level="1" />
+    <severity level="0" />
+    <flaw-status new="4" reopen="0" open="0" fixed="0" total="4" not_mitigated="4" sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="2" sev-5-change="2" />
+    <customfields>
+        <customfield name="Custom 1" value="" />
+        <customfield name="Custom 2" value="" />
+        <customfield name="Custom 3" value="" />
+        <customfield name="Custom 4" value="" />
+        <customfield name="Custom 5" value="" />
+        <customfield name="Custom 6" value="" />
+        <customfield name="Custom 7" value="" />
+        <customfield name="Custom 8" value="" />
+        <customfield name="Custom 9" value="" />
+        <customfield name="Custom 10" value="" />
+    </customfields>
+    <software_composition_analysis third_party_components="97" violate_policy="false" components_violated_policy="0">
+        <vulnerable_components>
+            <component component_id="0215b350-9987-4844-a39d-5ac23cdf25bc" file_name="batik-constants-1.14.jar" sha1="371acf696982f1c8e2689f5899b4e8453ccd74ff" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-constants" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-constants&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-constants-1.14.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="03e20677-040d-4661-8a23-67fb40fcd836" file_name="neko-htmlunit-2.24.jar" sha1="db21c784490b068c91eded812a68c199362872e9" vulnerabilities="1" max_cvss_score="5.0" version="2.24" library="HtmlUnit NekoHtml" library_id="maven&#x3a;net.sourceforge.htmlunit&#x3a;neko-htmlunit&#x3a;2.24&#x3a;" vendor="net.sourceforge.htmlunit" description="HtmlUnit adaptation of NekoHtml.&#xa;        It has the same functionality but exposing HTMLElements to be overridden." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;neko-htmlunit-2.24.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2022-29546" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="neko-htmlunit is vulnerable to denial of service. An attacker can crash the application through the out of memory exception in the &#x60;scanPI&#x60; function of &#x60;HTMLScanner.java&#x60; by providing a specifically crafted processing instruction." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="0a0c75bd-9fe0-4c13-a2a7-429f284cad67" file_name="shared-ldap-0.9.19.jar" sha1="6f97c0fb69d79d0a52246987163d9b7d0ec02423" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDAP packages used by clients and servers." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="0b2a75d4-9901-41c2-92b8-3aeb652d004d" file_name="commons-collections-3.2.2.jar" sha1="8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5" vulnerabilities="0" max_cvss_score="" version="3.2.2" library="Apache Commons Collections" library_id="maven&#x3a;commons-collections&#x3a;commons-collections&#x3a;3.2.2&#x3a;" vendor="commons-collections" description="Types that extend and augment the Java Collections Framework." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-collections-3.2.2.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="0b844337-0619-4c97-9d8c-05211344c808" file_name="commons-lang-2.6.jar" sha1="0ce1edb914c94ebc388f086c6827e8bdeec71ac2" vulnerabilities="0" max_cvss_score="" version="2.6" library="Commons Lang" library_id="maven&#x3a;commons-lang&#x3a;commons-lang&#x3a;2.6&#x3a;" vendor="commons-lang" description="Commons Lang, a package of Java utility classes for the&#xa;        classes that are in java.lang&#x27;s hierarchy, or are considered to be so&#xa;        standard as to justify existence in java.lang." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-lang-2.6.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="0c55a308-9a12-4955-9b77-0c559560bf79" file_name="shared-asn1-codec-0.9.19.jar" sha1="e2db04aa62b7a963f2ccdcfd4f53fc4461bc3481" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared ASN.1 Codec" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-asn1-codec&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-asn1-codec-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="0ebf669d-3c5b-4031-8488-8c1519f2ceb8" file_name="commons-logging-1.2.jar" sha1="4bfc12adfe4842bf07b657f0369c4cb522955686" vulnerabilities="0" max_cvss_score="" version="1.2" library="Apache Commons Logging" library_id="maven&#x3a;commons-logging&#x3a;commons-logging&#x3a;1.2&#x3a;" vendor="commons-logging" description="Apache Commons Logging is a thin adapter allowing configurable bridging to other,&#xa;    well known logging systems." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-logging-1.2.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="0ec94587-a6bf-46f3-8038-fb15b9eb27c1" file_name="apacheds-jdbm-1.5.7.jar" sha1="0d3bc445bfceba7daa51bd193185375341f56cb3" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS JDBM implementation" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-jdbm&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="specific JDBM Implementation" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-jdbm-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="0ed4bbff-1bd6-47b8-be32-129fd1b9b4fb" file_name="dom4j-1.6.1.jar" sha1="5d3ccc056b6f056dbf0dddfdf43894b9065a8f94" vulnerabilities="3" max_cvss_score="7.5" version="1.6.1" library="dom4j" library_id="maven&#x3a;dom4j&#x3a;dom4j&#x3a;1.6.1&#x3a;" vendor="dom4j" description="dom4j&#x3a; the flexible XML framework for Java" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;dom4j-1.6.1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="BSD 2-Clause &#x22;Simplified&#x22; License" spdx_id="BSD-2-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-2-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2018-1000632" cvss_score="5.0" severity="3" cwe_id="CWE-91" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="dom4j is vulnerable to XML External Entity &#x28;XXE&#x29; attacks. The library does not properly validate the attributes that can be inserted by the user, allowing a malicious user to conduct an XXE attack." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2020-10683" cvss_score="7.5" severity="4" cwe_id="CWE-611" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="dom4j is vulnerable to XML external entity attacks. The default &#x60;SaxReader&#x28;&#x29;&#x60; does not disable external DTDs and External Entities by default, allowing an attacker to access local or internal network resources, or perform requests on behalf of the server." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="SRCCLR-SID-4943" cvss_score="6.8" severity="4" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="dom4j is vulnerable to XML External Entity Injection. The library by default uses the &#x60;SAXReader&#x60; to parse documents without using the &#x60;setFeature&#x60; function in it to disable doctype and entities, allowing a malicious user to pass a document to execute an XML Injection attack." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="12e41b23-a654-4e42-b84d-c76027780d55" file_name="javassist-3.12.0.GA.jar" sha1="88b21d1ef06323beff58664cffa62848c033ecd2" vulnerabilities="0" max_cvss_score="" version="3.12.0.GA" library="Javassist" library_id="maven&#x3a;javassist&#x3a;javassist&#x3a;3.12.0.GA&#x3a;" vendor="javassist" description="Javassist &#x28;JAVA programming ASSISTant&#x29; makes Java bytecode manipulation&#xa;     simple.  It is a class library for editing bytecodes in Java." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;javassist-3.12.0.GA.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="GNU Lesser General Public License v2.1 only" spdx_id="LGPL-2.1-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="154b4a55-fb02-491d-9a82-e4a08ae9175b" file_name="xmlpull-xpp3-3.0.0.20130526.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="3.0.0.20130526" library="xmlpull-xpp3" library_id="maven&#x3a;net.sf.sociaal&#x3a;xmlpull-xpp3&#x3a;3.0.0.20130526&#x3a;" vendor="net.sf.sociaal" description="jME3 Vector Math" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xpp3-1.1.4c.jar&#x3a;xmlpull-xpp3-3.0.0.20130526.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="1617cbc7-c61a-4b5a-ab08-dde6e603951d" file_name="commons-io-2.6.jar" sha1="815893df5f31da2ece4040fe0a12fd44b577afaf" vulnerabilities="1" max_cvss_score="5.8" version="2.6" library="Apache Commons IO" library_id="maven&#x3a;commons-io&#x3a;commons-io&#x3a;2.6&#x3a;" vendor="commons-io" description="The Apache Commons IO library contains utility classes, stream implementations, file filters,&#xa;file comparators, endian transformation classes, and much more." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-io-2.6.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2021-29425" cvss_score="5.8" severity="3" cwe_id="CWE-22" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="commons-io is vulnerable to directory traversal. Invoking the method &#x60;FileNameUtils.normalize&#x60; with a malicious input string would potentially allow access to files within the parent directory." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="176c342e-02c3-4ad4-a883-3c4d9ccb24ee" file_name="shared-ldap-schema-0.9.19.jar" sha1="ad9e6c541dbbc259263ef8c6f81b68cce88b816e" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Jar bundled LDIF files containing schema data using the Apache Directory&#xa;    specific meta schema for describing schema information using LDAP.  This&#xa;    jar can be used by clients as well as by ApacheDS&#x27; schema partition." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="1b9e7711-aae5-4a86-8e09-b11ee11d7b16" file_name="xpp3-1.1.4c.jar" sha1="9b988ea84b9e4e9f1874e390ce099b8ac12cfff5" vulnerabilities="0" max_cvss_score="" version="1.1.4c" library="MXP1&#x3a; Xml Pull Parser 3rd Edition &#x28;XPP3&#x29;" library_id="maven&#x3a;xpp3&#x3a;xpp3&#x3a;1.1.4c&#x3a;" vendor="xpp3" description="MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4&#x2b;." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xpp3-1.1.4c.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 1.1" spdx_id="Apache-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-1.1.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="Public Domain Per Creative Commons" spdx_id="CC-PDDC" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CC-PDDC.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="Indiana University Extreme&#x21; Lab Software License" spdx_id="IUEL" license_url="https&#x3a;&#x2f;&#x2f;raw.githubusercontent.com&#x2f;x-stream&#x2f;mxparser&#x2f;master&#x2f;LICENSE.txt" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="1d0e47b6-1c0a-4b68-829f-fc95f1c3d782" file_name="shared-ldap-schema-loader-0.9.19.jar" sha1="82d8a22e58ec93fe3a582b5d573c724ebe91eac1" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema Loader" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema-loader&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Initial schema loader used during server bootstrapping and client startup&#xa;    to populate hence why it&#x27;s located in shared." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-loader-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="1db13660-bc19-4cb9-97e4-6ca97dd870e7" file_name="xmlgraphics-commons-2.6.jar" sha1="8779b8d8f426f24fdb4a512f8bc4248cb3775bd2" vulnerabilities="0" max_cvss_score="" version="2.6" library="Apache XML Graphics Commons" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;xmlgraphics-commons&#x3a;2.6&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xmlgraphics-commons-2.6.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="1e2bf166-2013-46d8-bc1e-b1c831d6bc8f" file_name="commons-pool-1.5.4.jar" sha1="75b6e20c596ed2945a259cea26d7fadd298398e6" vulnerabilities="0" max_cvss_score="" version="1.5.4" library="Commons Pool" library_id="maven&#x3a;commons-pool&#x3a;commons-pool&#x3a;1.5.4&#x3a;" vendor="commons-pool" description="Commons Object Pooling Library" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-pool-1.5.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="26477a44-7421-4b2b-a9b0-c9941b6ea1d1" file_name="spring-core-4.3.30.RELEASE.jar" sha1="b255bb7389e582d24574f75bc0c880ffb8103dfa" vulnerabilities="1" max_cvss_score="4.0" version="4.3.30.RELEASE" library="Spring Core" library_id="maven&#x3a;org.springframework&#x3a;spring-core&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-core-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2021-22096" cvss_score="4.0" severity="2" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="Spring Framework is vulnerable to privilege escalation. The vulnerability exists due to lack of secure validations of user input which allows a malicious user to inject additional log files. " severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="2b03258c-e348-4223-a122-732b88d87adb" file_name="spring-web-4.3.30.RELEASE.jar" sha1="9b7860a324f4b2f2bc31bcdd99c7ee51fe32e0c8" vulnerabilities="1" max_cvss_score="7.5" version="4.3.30.RELEASE" library="Spring Web" library_id="maven&#x3a;org.springframework&#x3a;spring-web&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-web-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2016-1000027" cvss_score="7.5" severity="4" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" cve_summary="spring-web is vulnerable to remote code execution &#x28;RCE&#x29;. When it is used with external endpoints regardless of endpoints being authenticated or not, the function &#x60;HttpInvokerServiceExporter&#x3a; readRemoteInvocation&#x60; allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended. The documentation has been enhanced to describe precautions for this vulnerability." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="2f3b0e69-d778-496c-9522-bed71375c5db" file_name="httpcore5-h2-5.1.5.jar" sha1="624660339afd5006d427457e6b10b10b32fd86f1" vulnerabilities="0" max_cvss_score="" version="5.1.5" library="Apache HttpComponents Core HTTP&#x2f;2" library_id="maven&#x3a;org.apache.httpcomponents.core5&#x3a;httpcore5-h2&#x3a;5.1.5&#x3a;" vendor="org.apache.httpcomponents.core5" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;httpcore5-h2-5.1.5.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3348ec3b-b8c1-4a03-bff3-8d2630f5d6e3" file_name="commons-fileupload-1.3.3.jar" sha1="04ff14d809195b711fd6bcc87e6777f886730ca1" vulnerabilities="0" max_cvss_score="" version="1.3.3" library="Apache Commons FileUpload" library_id="maven&#x3a;commons-fileupload&#x3a;commons-fileupload&#x3a;1.3.3&#x3a;" vendor="commons-fileupload" description="The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart&#xa;    file upload functionality to servlets and web applications." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-fileupload-1.3.3.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3878c34b-bd52-4e89-a174-3893497faf8b" file_name="batik-i18n-1.14.jar" sha1="a4e7b0cda9132904f21b25ab29a0b73e1867e7fd" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-i18n" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-i18n&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-i18n-1.14.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3adbf5c8-fae1-42fe-b1f2-72a0cffe6722" file_name="shared-ldap-constants-0.9.19.jar" sha1="a652b5344c22f7cdc77197f8254e491d8157bc30" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared Ldap Constants" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-constants&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDAP constants used by clients and servers." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-constants-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3b2463eb-bd8e-4200-8f19-d459488a6bb2" file_name="hibernate-jpa-2.0-api-1.0.1.Final.jar" sha1="3306a165afa81938fc3d8a0948e891de9f6b192b" vulnerabilities="0" max_cvss_score="" version="1.0.1.Final" library="JPA 2.0 API" library_id="maven&#x3a;org.hibernate.javax.persistence&#x3a;hibernate-jpa-2.0-api&#x3a;1.0.1.Final&#x3a;" vendor="org.hibernate.javax.persistence" description="Hibernate definition of the Java Persistence 2.0 &#x28;JSR 317&#x29; API." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-jpa-2.0-api-1.0.1.Final.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="GNU Lesser General Public License v2.1 only" spdx_id="LGPL-2.1-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3c3bf3aa-68e9-4c08-b46a-d16e64494c80" file_name="batik-shared-resources-1.14.jar" sha1="42e9d6345952575e8b2f4ee26108b2811c334305" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-shared-resources" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-shared-resources&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-shared-resources-1.14.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3cde053b-89c6-47f8-ad83-e51dd076f5b1" file_name="bcprov-jdk15to18-1.70.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="1.70" library="Bouncy Castle Provider" library_id="maven&#x3a;org.bouncycastle&#x3a;bcprov-jdk15to18&#x3a;1.70&#x3a;" vendor="org.bouncycastle" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;bcprov-jdk15on-1.70.jar&#x3a;bcprov-jdk15to18-1.70.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3d45c6e2-3766-4a88-b05c-33034152997f" file_name="apacheds-ldif-partition-1.5.7.jar" sha1="b67dd85fd9ed3c09850e6f163f6d6073409e2911" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS LDIF Partition" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-ldif-partition&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A partition that backs it&#x27;s entries and indices in AvlTrees within memory." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-ldif-partition-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="3eddf03e-a6ea-485d-babd-bb7c757486ba" file_name="commons-collections4-4.2.jar" sha1="54ebea0a5b653d3c680131e73fe807bb8f78c4ed" vulnerabilities="0" max_cvss_score="" version="4.2" library="Apache Commons Collections" library_id="maven&#x3a;org.apache.commons&#x3a;commons-collections4&#x3a;4.2&#x3a;" vendor="org.apache.commons" description="The Apache Commons Collections package contains types that extend and augment the Java Collections Framework." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-collections4-4.2.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="444d38ed-40a2-49ed-b2c0-7df7a94cfd94" file_name="apacheds-xdbm-tools-1.5.7.jar" sha1="d0be502da7eab2a37ed57674adddcd65740fcaf5" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Generalized &#x28;X&#x29; DBM Tools" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-xdbm-tools&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Several kinds of two column key&#x2f;value data structures, in memory and on  &#xa;    disk which sort keys can can be used to implement xdbm partitions.  JDBM&#xa;    is one example.  These partition use the same database structure or scheme&#xa;    for maintaining LDAP entries and facilitating search operations on them.&#xa;    This module contains common tools that could be used to manage aspects  &#xa;    common to all xdbm implementations." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-xdbm-tools-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="464ca421-9218-4035-a496-164e6fd2ecb8" file_name="xml-apis-1.4.01.jar" sha1="3789d9fada2d3d458c4ba2de349d48780f381ee3" vulnerabilities="0" max_cvss_score="" version="1.4.01" library="XML Commons External Components XML APIs" library_id="maven&#x3a;xml-apis&#x3a;xml-apis&#x3a;1.4.01&#x3a;" vendor="xml-apis" description="xml-commons provides an Apache-hosted set of DOM, SAX, and &#xa;    JAXP interfaces for use in other xml-based projects. Our hope is that we &#xa;    can standardize on both a common version and packaging scheme for these &#xa;    critical XML standards interfaces to make the lives of both our developers &#xa;    and users easier. The External Components portion of xml-commons contains &#xa;    interfaces that are defined by external standards organizations. For DOM, &#xa;    that&#x27;s the W3C&#x3b; for SAX it&#x27;s David Megginson and sax.sourceforge.net&#x3b; for &#xa;    JAXP it&#x27;s Sun."
+                added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xml-apis-1.4.01.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="The SAX License" spdx_id="sax" license_url="http&#x3a;&#x2f;&#x2f;www.saxproject.org&#x2f;copying.html" risk_rating="0" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="W3C Software Notice and License &#x28;2002-12-31&#x29;" spdx_id="W3C" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;W3C.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="48201550-6cc5-461f-827b-637b0bd3456d" file_name="httpclient5-5.1.4.jar" sha1="208f9eed6d6ab709e2ae7a75b457ef60c0baefa5" vulnerabilities="0" max_cvss_score="" version="5.1.4" library="Apache HttpClient" library_id="maven&#x3a;org.apache.httpcomponents.client5&#x3a;httpclient5&#x3a;5.1.4&#x3a;" vendor="org.apache.httpcomponents.client5" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;httpclient5-5.1.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="4a1d9c80-c444-4ca2-8b4b-28082330c673" file_name="batik-util-1.14.jar" sha1="7ca55c864e5ddd690ba07f44e3ba8e68e9048a02" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-util" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-util&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-util-1.14.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="50905064-9c91-4881-9d86-6d8b78141983" file_name="reload4j-1.2.19.jar" sha1="4eae9978468c5e885a6fb44df7e2bbc07a20e6ce" vulnerabilities="0" max_cvss_score="" version="1.2.19" library="reload4j" library_id="maven&#x3a;ch.qos.reload4j&#x3a;reload4j&#x3a;1.2.19&#x3a;" vendor="ch.qos.reload4j" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;reload4j-1.2.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="59df56ca-c68a-4631-a8ee-6b1d14a3ef72" file_name="spring-tx-4.3.30.RELEASE.jar" sha1="0d8ba2d96a3767ec1ec4ae732ab833eaf4c16f92" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring Transaction" library_id="maven&#x3a;org.springframework&#x3a;spring-tx&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-tx-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="5a304710-09eb-4365-a255-2a99c10117aa" file_name="org.apache.servicemix.bundles.spring-aop-4.3.30.RELEASE_1.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE_1" library="org.apache.servicemix.bundles.spring-aop" library_id="maven&#x3a;org.apache.servicemix.bundles&#x3a;org.apache.servicemix.bundles.spring-aop&#x3a;4.3.30.RELEASE_1&#x3a;" vendor="org.apache.servicemix.bundles" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-aop-4.3.30.RELEASE.jar&#x3a;org.apache.servicemix.bundles.spring-aop-4.3.30.RELEASE_1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="61476789-43ab-4c5e-a708-ba25acfd6524" file_name="asm-3.1.jar" sha1="c157def142714c544bdea2e6144645702adf7097" vulnerabilities="0" max_cvss_score="" version="3.1" library="ASM Core" library_id="maven&#x3a;asm&#x3a;asm&#x3a;3.1&#x3a;" vendor="asm" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;asm-3.1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="6223718d-86ce-4198-bbc2-e49138e3e4b6" file_name="apacheds-avl-partition-1.5.7.jar" sha1="c237b89e58e06f048a9bd7e30b4364e2a76b14fb" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Avl Partition" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-avl-partition&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A partition that backs it&#x27;s entries and indices in AvlTrees within memory." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-avl-partition-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="625545c7-8bc6-4279-9935-1dd9426a186b" file_name="apacheds-core-1.5.7.jar" sha1="fd6138cd10c3e3717d58bd84b841883b01486684" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Server&#x27;s core contains the JNDI provider, interceptors, schema, and&#xa;     database subsystems.  The core is the heart of the server without protocols&#xa;     enabled." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="63763b35-8114-4303-9668-9965245c7869" file_name="jersey-core-1.19.4.jar" sha1="21c5319c82ca29705715b315553a16f11b16655e" vulnerabilities="0" max_cvss_score="" version="1.19.4" library="jersey-core" library_id="maven&#x3a;com.sun.jersey&#x3a;jersey-core&#x3a;1.19.4&#x3a;" vendor="com.sun.jersey" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jersey-core-1.19.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="GNU General Public License with Classpath Exceptions version 2.0" spdx_id="GPL-2.0-with-classpath-exception" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;GPL-2.0-with-classpath-exception.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="64dbc9d1-d92d-4d6c-b66d-b461627aa3b4" file_name="xml-apis-ext-1.3.04.jar" sha1="41a8b86b358e87f3f13cf46069721719105aff66" vulnerabilities="0" max_cvss_score="" version="1.3.04" library="XML Commons External Components XML APIs Extensions" library_id="maven&#x3a;xml-apis&#x3a;xml-apis-ext&#x3a;1.3.04&#x3a;" vendor="xml-apis" description="xml-commons provides an Apache-hosted set of DOM, SAX, and &#xa;    JAXP interfaces for use in other xml-based projects. Our hope is that we &#xa;    can standardize on both a common version and packaging scheme for these &#xa;    critical XML standards interfaces to make the lives of both our developers &#xa;    and users easier. The External Components portion of xml-commons contains &#xa;    interfaces that are defined by external standards organizations. For DOM, &#xa;    that&#x27;s the W3C&#x3b; for SAX it&#x27;s David Megginson and sax.sourceforge.net&#x3b; for &#xa;    JAXP it&#x27;s Sun."
+                added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xml-apis-ext-1.3.04.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="6dd2f6e8-4176-4dc5-a9c2-c940e2b272ab" file_name="shared-ldap-schema-manager-0.9.19.jar" sha1="af9286c5793881b0952eb96937dbbc960068583c" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema Manager" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema-manager&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="SchemaManager implementation bundle." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-manager-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="6f522c81-a30a-44b4-96f0-9838c176291d" file_name="xercesImpl-2.12.2.wso2v1.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="2.12.2.wso2v1" library="WSO2 Carbon Orbit - xercesImpl Library" library_id="maven&#x3a;org.wso2.orbit.xerces&#x3a;xercesImpl&#x3a;2.12.2.wso2v1&#x3a;" vendor="org.wso2.orbit.xerces" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xercesImpl-2.12.2.jar&#x3a;xercesImpl-2.12.2.wso2v1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="73b29880-4766-4e58-9659-a666320f0406" file_name="xom-1.2.10.jar" sha1="4165e25bef19aad134f6498cc277110b9bc5e52b" vulnerabilities="0" max_cvss_score="" version="1.2.10" library="XOM" library_id="maven&#x3a;com.io7m.xom&#x3a;xom&#x3a;1.2.10&#x3a;" vendor="com.io7m.xom" description="The XOM Dual Streaming&#x2f;Tree API for Processing XML" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xom-1.2.10.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="GNU Lesser General Public License v2.1 only" spdx_id="LGPL-2.1-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="GNU Lesser General Public License v2.1 or later" spdx_id="LGPL-2.1-or-later" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-or-later.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="73f04942-ebd2-448f-bc00-3ad0e20687fc" file_name="apacheds-jdbm-partition-1.5.7.jar" sha1="cce63f267d285bc023742e808b25e4680d525dc8" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS JDBM Partition" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-jdbm-partition&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="JDBM BTree backed partition implementation." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-jdbm-partition-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="75a0548c-6c6d-4966-b589-b6681b31c2ab" file_name="apacheds-xdbm-base-1.5.7.jar" sha1="355caab0b9ab51c303aecb12dcd9b731d64aecef" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS XDBM Base" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-xdbm-base&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Base XDBM &#x28;btree based&#x29; entry store interfaces." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-xdbm-base-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="777376d9-270a-4f74-a01f-76398bbcb32c" file_name="shared-cursor-0.9.19.jar" sha1="fd9e4f305ce2b1e2336333dd89f2d938fe3b8299" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared Cursor" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-cursor&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Shared Cursor interfaces." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-cursor-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="7b39c7a3-2a65-4071-a76b-b9ebd1ef6bcf" file_name="shared-dsml-parser-0.9.19.jar" sha1="08d87c4a4d3f3781af96e56d6cb48d83ea793788" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared DSML Parser" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-dsml-parser&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-dsml-parser-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="7bd808cd-a21b-49ca-9947-d9ce25e703c0" file_name="hibernate-commons-annotations-3.2.0.Final.jar" sha1="ce990611448fc2865469e3b68d2fe76b050e3c4f" vulnerabilities="0" max_cvss_score="" version="3.2.0.Final" library="Hibernate Commons Annotations" library_id="maven&#x3a;org.hibernate&#x3a;hibernate-commons-annotations&#x3a;3.2.0.Final&#x3a;" vendor="org.hibernate" description="Common reflection code used in support of annotation processing" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-commons-annotations-3.2.0.Final.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="GNU Lesser General Public License v3.0 only" spdx_id="LGPL-3.0-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-3.0-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="7e19961d-7cb4-438f-8401-eaacb1ba4c97" file_name="apacheds-core-constants-1.5.7.jar" sha1="be79a639e71ee4e471174027b8bf3659b13000da" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core Constants" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-constants&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains classes that store interfaces with various constants in ApacheDS." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-constants-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="8002cc8a-fcfd-4909-9ef5-69a84c906da9" file_name="apacheds-jdbm-store-1.5.7.jar" sha1="c9d158fbb13ca60803b30ab5487543bb3a2b3faa" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS JDBM Store" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-jdbm-store&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A JDBM entry store which does not have any dependency on core interfaces.&#xa;    The JDBM partition will use this store and build on it to adapt this to &#xa;    server specific partition interfaces.&#xa;    Having this separate module without dependencies on core interfaces makes&#xa;    it easier to avoid cyclic dependencies between modules.  This is especially&#xa;    important for use within the bootstrap plugin which needs to build the&#xa;    schema partition used for bootstrapping the server." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC"
+                component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-jdbm-store-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="819b1e28-faec-4545-8bc1-7d2b5066ed2c" file_name="batik-css-1.14.jar" sha1="3118d46f4879ec08c6c6471c7c0825652ed659ee" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-css" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-css&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-css-1.14.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="826b2871-f15d-41df-a36d-377927a46037" file_name="esapi-2.3.0.0.jar" sha1="237683050eebe9696e1568c8e2009edc072b75f7" vulnerabilities="0" max_cvss_score="" version="2.3.0.0" library="ESAPI" library_id="maven&#x3a;org.owasp.esapi&#x3a;esapi&#x3a;2.3.0.0&#x3a;" vendor="org.owasp.esapi" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;esapi-2.3.0.0.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="Creative Commons Attribution Share-Alike 3.0 &#x28;CC-BY-SA&#x29;" spdx_id="CC-BY-SA-3.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CC-BY-SA-3.0.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="8339ff6e-bcdc-4a5b-b206-a72a4ed8a55c" file_name="commons-dbcp-1.4.jar" sha1="30be73c965cc990b153a100aaaaafcf239f82d39" vulnerabilities="0" max_cvss_score="" version="1.4" library="Commons DBCP" library_id="maven&#x3a;commons-dbcp&#x3a;commons-dbcp&#x3a;1.4&#x3a;" vendor="commons-dbcp" description="Commons Database Connection Pooling" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-dbcp-1.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="8c59a8d5-2111-45f4-8ab5-735819ae9722" file_name="shared-i18n-0.9.19.jar" sha1="f4f9013c168628c1309b61b481af2d34b8971993" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared I18n" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-i18n&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Internationalization of errors and other messages" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-i18n-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="8d3852c8-aaee-4bc0-b4f1-564b79c98fac" file_name="apacheds-utils-1.5.7.jar" sha1="7f2e8a37b5feca127b92917fa2c2e7b66af5f833" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Utils" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-utils&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains utility classes for ApacheDS." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-utils-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="8d487a80-00aa-4bfe-b0bd-e7c9156a2c8c" file_name="apacheds-core-api-1.5.7.jar" sha1="1c103b7827827935046a29dc9939f386b8c136cd" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core API" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-api&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains interfaces and helper classes that are part of the ApacheDS Core API." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-api-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="8d9a63d8-808b-4233-9e54-279d0f51826f" file_name="log4j-1.2.17.jar" sha1="5af35056b4d257e4b64b9e8069c0746e8b08629f" vulnerabilities="6" max_cvss_score="9.0" version="1.2.17" library="Apache Log4j" library_id="maven&#x3a;log4j&#x3a;log4j&#x3a;1.2.17&#x3a;" vendor="log4j" description="Apache Log4j 1.2" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;log4j-1.2.17.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2019-17571" cvss_score="7.5" severity="4" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in &#x60;TcpSocketServer&#x60; and &#x60;UdpSocketServer&#x60; when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2020-9493" cvss_score="6.8" severity="4" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability exists due to a deserialization of untrusted object vulnerability. " severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2021-4104" cvss_score="6.0" severity="3" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="JMSAppender in log4j is vulnerable to deserialization of untrusted object. When an application is configured to use JMSAppender with the setting TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example &#x22;ldap&#x3a;&#x2f;&#x2f;host&#x3a;port&#x2f;a&#x22;, an attacker is able to execute code on the server as in Log4j 2.x CVE-2021-44228. However, this vulnerability is only depending on configuration. Note&#x3a; This CVE is for Log4j 1.x and its corresponding flaw information for Log4j 2.x is in CVE-2021-44228." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2022-23302" cvss_score="6.0" severity="3" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="JMSSink in log4j is vulnerable to deserialization of untrusted object. The insecure use of JNDI in JMSSink allows an attacker to send malicious object in LDAP store if it is accessible by an attacker or is configured to use an untrusted site, leading to a remote code execution.  Note&#x3a; this vulnerability only affects the applications specifically configured to use JMSSink, which is not the default. " severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2022-23305" cvss_score="6.8" severity="4" cwe_id="CWE-89" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="JDBCAppender in Log4j is vulnerable to SQL injection attacks. An attacker is able to execute arbitrary SQL commands via entering crafted strings into input fields and headers where the values to be inserted are converters from &#x60;PatternLayout&#x60;" severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2022-23307" cvss_score="9.0" severity="5" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability exists due to a deserialization of untrusted object vulnerability allowing an attacker to execute maliciously scripted code via the system. " severity_desc="Very High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="8f196a52-7ab4-4345-9b91-469b14c5695f" file_name="spring-aop-4.3.30.RELEASE.jar" sha1="0b2a6f86ea659114df66cc5d5763667c96336efd" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring AOP" library_id="maven&#x3a;org.springframework&#x3a;spring-aop&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-aop-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="912a780c-0c8a-459b-98ea-35d5baeb8eef" file_name="slf4j-api-1.7.36.jar" sha1="6c62681a2f655b49963a5983b8b0950a6120ae14" vulnerabilities="0" max_cvss_score="" version="1.7.36" library="SLF4J API Module" library_id="maven&#x3a;org.slf4j&#x3a;slf4j-api&#x3a;1.7.36&#x3a;" vendor="org.slf4j" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;slf4j-api-1.7.36.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="939ba91a-2f38-4ff1-b91a-c10beb11b4f0" file_name="hibernate-entitymanager-3.6.10.Final.jar" sha1="c74f1e1bf4fb6b8eaa7e501e6ccba9e055e52974" vulnerabilities="0" max_cvss_score="" version="3.6.10.Final" library="Hibernate ORM - hibernate-entitymanager" library_id="maven&#x3a;org.hibernate&#x3a;hibernate-entitymanager&#x3a;3.6.10.Final&#x3a;" vendor="org.hibernate" description="Hibernate Entity Manager" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-entitymanager-3.6.10.Final.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="GNU Lesser General Public License v3.0 only" spdx_id="LGPL-3.0-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-3.0-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="945978f1-0eb1-422e-92c6-c1827cd383c1" file_name="antlr-2.7.7.jar" sha1="83cd2cd674a217ade95a4bb83a8a14f351f48bd0" vulnerabilities="0" max_cvss_score="" version="2.7.7" library="antlr" library_id="maven&#x3a;antlr&#x3a;antlr&#x3a;2.7.7&#x3a;" vendor="antlr" description="A framework for constructing recognizers, compilers,&#xa;    and translators from grammatical descriptions containing&#xa;    Java, C&#x23;, C&#x2b;&#x2b;, or Python actions." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;antlr-2.7.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="98decff6-dc4a-4483-a05d-1d5189601816" file_name="shared-ldap-schema-dao-0.9.19.jar" sha1="b0103b559d251b8c46976cf0448771e396133a32" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema DAO" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema-dao&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="File based schema data access object for managing schema data." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-dao-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="9946bb08-5abd-4142-870f-cac59abe9c52" file_name="bcprov-jdk15on-1.70.jar" sha1="4636a0d01f74acaf28082fb62b317f1080118371" vulnerabilities="0" max_cvss_score="" version="1.70" library="Bouncy Castle Provider" library_id="maven&#x3a;org.bouncycastle&#x3a;bcprov-jdk15on&#x3a;1.70&#x3a;" vendor="org.bouncycastle" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;bcprov-jdk15on-1.70.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="9e03e147-fdbe-4ea4-a093-67e71f077c23" file_name="bsh-2.0b6.jar" sha1="fb418f9b33a0b951e9a2978b4b6ee93b2707e72f" vulnerabilities="0" max_cvss_score="" version="2.0b6" library="BeanShell" library_id="maven&#x3a;org.apache-extras.beanshell&#x3a;bsh&#x3a;2.0b6&#x3a;" vendor="org.apache-extras.beanshell" description="BeanShell is a small, free, embeddable Java source interpreter&#xa;    with object scripting language features, written in Java. BeanShell&#xa;    dynamically executes standard Java syntax and extends it with common&#xa;    scripting conveniences such as loose types, commands, and method closures&#xa;    like those in Perl and JavaScript." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;bsh-2.0b6.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="a0f4f79d-c987-47a4-8b84-48770bf6a7e0" file_name="jta-1.1.jar" sha1="2ca09f0b36ca7d71b762e14ea2ff09d5eac57558" vulnerabilities="0" max_cvss_score="" version="1.1" library="Java Transaction API" library_id="maven&#x3a;javax.transaction&#x3a;jta&#x3a;1.1&#x3a;" vendor="javax.transaction" description="The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jta-1.1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="a3f25e49-47fe-4925-9907-c66b2cc563b1" file_name="apacheds-protocol-shared-1.5.7.jar" sha1="0fdcf26426d16aa46e899e5157ae357728926f00" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Protocol Shared" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-protocol-shared&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Shared library that is used by all protocol providers in ApacheDS" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-protocol-shared-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ab96e19a-3ec6-4279-a9b7-dd9ce8579df2" file_name="antisamy-1.6.7.jar" sha1="bedd31a4447b56e1527b0faf79bb6bb25b311fb8" vulnerabilities="0" max_cvss_score="" version="1.6.7" library="OWASP AntiSamy" library_id="maven&#x3a;org.owasp.antisamy&#x3a;antisamy&#x3a;1.6.7&#x3a;" vendor="org.owasp.antisamy" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;antisamy-1.6.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ac00db7a-2351-4aca-a738-45b14329ed0b" file_name="shared-asn1-0.9.19.jar" sha1="964da9c7f8d5efbd51c352f9a7db86988a4b3e05" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared ASN.1" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-asn1&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-asn1-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="acc08ba8-4a4e-4c8d-abcb-42f3d5d331ca" file_name="shared-ldap-jndi-0.9.19.jar" sha1="57c84b9a2705c7edd4416e4ef9b0c3a670fb7911" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared JNDI" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-jndi&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Shared libraries for client side JNDI handling that may be used &#xa;    both in the server and in studio." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-jndi-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="b258391f-e79c-4726-9d41-785c54164e2e" file_name="jersey-servlet-1.19.4.jar" sha1="fbdcb39db6a6976944a621fe11bf1d2ff048d7c2" vulnerabilities="0" max_cvss_score="" version="1.19.4" library="jersey-servlet" library_id="maven&#x3a;com.sun.jersey&#x3a;jersey-servlet&#x3a;1.19.4&#x3a;" vendor="com.sun.jersey" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jersey-servlet-1.19.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="GNU General Public License with Classpath Exceptions version 2.0" spdx_id="GPL-2.0-with-classpath-exception" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;GPL-2.0-with-classpath-exception.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="b33b5e73-8db2-4abf-a201-48ca4c5b792b" file_name="apacheds-i18n-1.5.7.jar" sha1="69f6788a1b011cfff5039cd96ff447a89cdb4921" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS I18n" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-i18n&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Internationalization of errors and other messages" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-i18n-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="bbd977ba-9228-42c2-98a1-70df5e2a5b8e" file_name="apacheds-protocol-ldap-1.5.7.jar" sha1="f5e28caca2a05a18cd2ea8aa219d913295615208" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Protocol Ldap" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-protocol-ldap&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="The LDAPv3 protocol provider for ApacheDS" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-protocol-ldap-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="c094f7d8-e24d-4582-bd46-c0164fa6ac7b" file_name="spring-webmvc-4.3.30.RELEASE.jar" sha1="6bbc129acbda0a7e511438899adfe8544598a6bb" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring Web MVC" library_id="maven&#x3a;org.springframework&#x3a;spring-webmvc&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-webmvc-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="c2a521b2-7fb8-441b-8d64-c3fb407a2d76" file_name="cglib-2.2.jar" sha1="97d03461dc1c04ffc636dcb2579aae7724a78ef2" vulnerabilities="0" max_cvss_score="" version="2.2" library="cglib" library_id="maven&#x3a;cglib&#x3a;cglib&#x3a;2.2&#x3a;" vendor="cglib" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;cglib-2.2.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="c3de8821-d704-4389-8979-0a0a659f1600" file_name="apacheds-kerberos-shared-1.5.7.jar" sha1="fb1418a011ab6583b3f35259666825586f47a616" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Protocol Kerberos Shared" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-kerberos-shared&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="The Kerberos protocol provider for ApacheDS" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-kerberos-shared-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="c442c0df-b399-4bb5-885b-77fc88d2e01b" file_name="spring-context-4.3.30.RELEASE.jar" sha1="6a66a573322d555fb97ce44419f032d266f94cc4" vulnerabilities="1" max_cvss_score="5.0" version="4.3.30.RELEASE" library="Spring Context" library_id="maven&#x3a;org.springframework&#x3a;spring-context&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-context-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2022-22968" cvss_score="5.0" severity="3" cwe_id="CWE-178" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="spring-context is vulnerable to binding rules bypass. The vulnerability exists due to a lack of sanitization of HTTP request parameters allowing an attacker to bypass the &#x60;disallowedFields&#x60; and bind maliciously crafted HTTP request parameters. &#xa;" severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="c9f52235-a8a3-4c92-b75e-0522005cf1fd" file_name="shared-ldap-converter-0.9.19.jar" sha1="e792c73263fcc6280731941a2c4b0c1d0b562671" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared Ldap Converters" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-converter&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDAP converters &#x3a; LDIF, DSML, CSV, etc" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-converter-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ca67467b-9379-4173-af76-e08aba6c906b" file_name="jersey-server-1.19.4.jar" sha1="44df9a1310c1278b62658509aca3ca53978e8822" vulnerabilities="0" max_cvss_score="" version="1.19.4" library="jersey-server" library_id="maven&#x3a;com.sun.jersey&#x3a;jersey-server&#x3a;1.19.4&#x3a;" vendor="com.sun.jersey" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jersey-server-1.19.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="GNU General Public License with Classpath Exceptions version 2.0" spdx_id="GPL-2.0-with-classpath-exception" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;GPL-2.0-with-classpath-exception.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ccda7650-d805-48b5-9e62-31071b76d4e5" file_name="httpcore5-5.1.5.jar" sha1="df9da3a1fa2351c4790245400ed28d78a8ddd3fc" vulnerabilities="0" max_cvss_score="" version="5.1.5" library="Apache HttpComponents Core HTTP&#x2f;1.1" library_id="maven&#x3a;org.apache.httpcomponents.core5&#x3a;httpcore5&#x3a;5.1.5&#x3a;" vendor="org.apache.httpcomponents.core5" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;httpcore5-5.1.5.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ce62e6c0-b44e-48eb-bc0c-badc4164f346" file_name="commons-configuration-1.10.jar" sha1="2b36e4adfb66d966c5aef2d73deb6be716389dc9" vulnerabilities="0" max_cvss_score="" version="1.10" library="Apache Commons Configuration" library_id="maven&#x3a;commons-configuration&#x3a;commons-configuration&#x3a;1.10&#x3a;" vendor="commons-configuration" description="Tools to assist in the reading of configuration&#x2f;preferences files in various formats." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-configuration-1.10.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="cff049d1-6b71-4c9e-a9a7-40ecf9387118" file_name="apacheds-core-entry-1.5.7.jar" sha1="2cbfadb432776e8e6c203685f0693dc54828be33" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core Entry" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-entry&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Server side LDAP entry classes." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-entry-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="d2f901e9-b6cc-4fb2-b51e-43c1f00d2f91" file_name="spring-expression-4.3.30.RELEASE.jar" sha1="6ce0709c6899dde41a7213ccccfe2535e34c80fe" vulnerabilities="1" max_cvss_score="4.0" version="4.3.30.RELEASE" library="Spring Expression Language &#x28;SpEL&#x29;" library_id="maven&#x3a;org.springframework&#x3a;spring-expression&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-expression-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2022-22950" cvss_score="4.0" severity="2" cwe_id="CWE-770" first_found_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" cve_summary="Spring Expression is vulnerable to denial of service. The vulnerability exists due to the creation of large array in a SpEL and sending meaningless error messages to the user which allows an attacker to send crafted SpEL expressions that leads to an out ouf bound error causing an application crash. " severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="d5302b9e-8ffe-4dc8-90be-754e012a4553" file_name="commons-codec-1.15.jar" sha1="49d94806b6e3dc933dacbd8acb0fdbab8ebd1e5d" vulnerabilities="0" max_cvss_score="" version="1.15" library="Apache Commons Codec" library_id="maven&#x3a;commons-codec&#x3a;commons-codec&#x3a;1.15&#x3a;" vendor="commons-codec" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-codec-1.15.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="d9b02ab5-6bf5-4420-87e4-f8303961dedd" file_name="hibernate-core-3.6.10.Final.jar" sha1="6b36a1eef76cbccc2757f22a795b5e12ab56b3d5" vulnerabilities="2" max_cvss_score="5.8" version="3.6.10.Final" library="hibernate-core - relocation" library_id="maven&#x3a;org.hibernate&#x3a;hibernate-core&#x3a;3.6.10.Final&#x3a;" vendor="org.hibernate" description="The core functionality of Hibernate" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-core-3.6.10.Final.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="GNU Lesser General Public License v3.0 only" spdx_id="LGPL-3.0-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-3.0-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2019-14900" cvss_score="4.0" severity="2" cwe_id="CWE-89" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="hibernate-core is vulnerable to SQL injection. The vulnerability exists in Hibernate ORM." severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2020-25638" cvss_score="5.8" severity="3" cwe_id="CWE-89" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="hibernate-core is vulnerable to SQL injection. The vulnerability exists when both hibernate.use_sql_comments and JPQL String literals are used." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="da326e99-f038-409b-adce-d0558fa2c3ce" file_name="hsqldb-2.3.6.jar" sha1="d4adfef3f017dd71fe789067cc6b7c39f31f2a3a" vulnerabilities="1" max_cvss_score="7.5" version="2.3.6" library="HyperSQL Database" library_id="maven&#x3a;org.hsqldb&#x3a;hsqldb&#x3a;2.3.6&#x3a;" vendor="org.hsqldb" description="HSQLDB - Lightweight 100&#x25; Java SQL Database Engine" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hsqldb-2.3.6.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="HSQLDB - COPYRIGHTS AND LICENSES &#x28;based on BSD License&#x29;&#x28;HSQLDB&#x29;" spdx_id="HSQLDB" license_url="http&#x3a;&#x2f;&#x2f;hsqldb.org&#x2f;web&#x2f;hsqlLicense.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2022-41853" cvss_score="7.5" severity="4" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="duplicate of https&#x3a;&#x2f;&#x2f;research.prod.srcclr.io&#x2f;artifacts&#x2f;37492&#xa;&#xa;HyperSQL Database is vulnerable to remote code execution. The vulnerability exists in the &#x60;supportsJavaMethod&#x60; function of &#x60;HsqlDatabaseProperties.java&#x60; due to the untrusted input process allowing an attacker to execute remote codes in the system." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="dc3163d5-1961-4c9a-a505-7746eacbda58" file_name="apacheds-core-avl-1.5.7.jar" sha1="5ce1450389a7837c82b5b6f7402259643205a1ff" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core AVL" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-avl&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A linked in memory AVL tree implementation with Cursor." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-avl-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="deb18769-a6b0-41c0-ba95-834a855bc932" file_name="commons-beanutils-1.9.4.jar" sha1="d52b9abcd97f38c81342bb7e7ae1eee9b73cba51" vulnerabilities="0" max_cvss_score="" version="1.9.4" library="Apache Commons BeanUtils" library_id="maven&#x3a;commons-beanutils&#x3a;commons-beanutils&#x3a;1.9.4&#x3a;" vendor="commons-beanutils" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-beanutils-1.9.4.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="e2becfec-20eb-4b61-ae97-c581c9e643f0" file_name="apacheds-core-jndi-1.5.7.jar" sha1="ff9a051d9a4bf99ff66fd3cb7a8251b6e2b1db74" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core JNDI" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-jndi&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains a JNDI provider implementation which wraps the core so existing &#xa;     applications based on JNDI can use the server embedded transparently. &#xa;     Remote and local runtime operations will appear and feel exactly the same&#xa;     with a performance boost when local.  All operations via this JNDI provider&#xa;     bypass the LDAP stack to perform ooerations directly on the ApacheDS core." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-jndi-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="e35db03b-cfd8-4608-9359-114bd62f49be" file_name="spring-beans-4.3.30.RELEASE.jar" sha1="fd6d361c817081ef9d2101e912b2cd9825c9f02a" vulnerabilities="2" max_cvss_score="7.5" version="4.3.30.RELEASE" library="Spring Beans" library_id="maven&#x3a;org.springframework&#x3a;spring-beans&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-beans-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities>
+                    <vulnerability cve_id="CVE-2022-22965" cvss_score="7.5" severity="4" cwe_id="CWE-94" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="spring-beans is vulnerable to remote code execution. Using Spring Parameter Binding with non-basic parameter types, such as POJOs, allows an unauthenticated attacker to execute arbitrary code on the target system by writing or uploading arbitrary files &#x28;e.g .jsp files&#x29; to a location that can be loaded by the application server. &#xa;&#xa;Initial analysis at time of writing shows that exploitation of the vulnerability is only possible with JRE 9 and above, and Apache Tomcat 9 and above, and that the vulnerability requires the usage of Spring parameter binding with non-basic parameter types such as POJOs." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                    <vulnerability cve_id="CVE-2022-22970" cvss_score="3.5" severity="2" cwe_id="CWE-770" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="spring-beans is vulnerable to denial of service. An attacker can crash the application through a model object when it sets a multipart file or javax.servlet.Part of a field" severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
+                        <mitigations />
+                    </vulnerability>
+                </vulnerabilities>
+                <violated_policy_rules />
+            </component>
+            <component component_id="e65cab18-d336-4914-b6e8-ed27fa1ff4b0" file_name="apacheds-xdbm-search-1.5.7.jar" sha1="db55aa2b5f89732d6b54beb7d281cdd4b7fcc38e" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Generalized &#x28;X&#x29; DBM Search Engine" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-xdbm-search&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Search engine implementation generalized for XDBM entry store scheme." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-xdbm-search-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="e8960e5c-e197-409e-82c4-983f2e37f584" file_name="mina-core-2.0.0-RC1.jar" sha1="909120cba20f2965f036e9ca8a9ace5d222c6f6a" vulnerabilities="0" max_cvss_score="" version="2.0.0-RC1" library="Apache MINA Core" library_id="maven&#x3a;org.apache.mina&#x3a;mina-core&#x3a;2.0.0-RC1&#x3a;" vendor="org.apache.mina" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;mina-core-2.0.0-RC1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="eb401f05-9552-4b26-b3d6-184e326230d3" file_name="xercesImpl-2.12.2.jar" sha1="f051f988aa2c9b4d25d05f95742ab0cc3ed789e2" vulnerabilities="0" max_cvss_score="" version="2.12.2" library="Xerces2-j" library_id="maven&#x3a;xerces&#x3a;xercesImpl&#x3a;2.12.2&#x3a;" vendor="xerces" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xercesImpl-2.12.2.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ec37de29-eaaa-4ad8-bfb3-521e9f16d20f" file_name="slf4j-reload4j-1.7.36.jar" sha1="db708f7d959dee1857ac524636e85ecf2e1781c1" vulnerabilities="0" max_cvss_score="" version="1.7.36" library="SLF4J Reload4j Binding" library_id="maven&#x3a;org.slf4j&#x3a;slf4j-reload4j&#x3a;1.7.36&#x3a;" vendor="org.slf4j" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;slf4j-reload4j-1.7.36.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="ec4c0d0e-9172-40f3-8660-c2f5e54bb5c2" file_name="spring-jdbc-4.3.30.RELEASE.jar" sha1="0e64cae71ea1e368bb6713fb89e96d0c38705c47" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring JDBC" library_id="maven&#x3a;org.springframework&#x3a;spring-jdbc&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-jdbc-4.3.30.RELEASE.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="f00631e8-97c7-4af6-89d4-42f4a1e70a8b" file_name="apacheds-core-mock-1.5.7.jar" sha1="25bdadcc53553dbf6366cc67c143320960982956" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core Mock" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-mock&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Some commonly used mock objects that have more than bare minimum of functionality." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-mock-1.5.7.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="f83a2005-aad9-4a04-bd1d-615f0a6a7cbb" file_name="shared-ldif-0.9.19.jar" sha1="6f1b77705294a502d771c7d98d57460dcba8e420" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDIF" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldif&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDIF packages used by clients and servers." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldif-0.9.19.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+            <component component_id="feda6e6b-ae6e-44ff-80ee-f1f5ce7ceb5f" file_name="jsr311-api-1.1.1.jar" sha1="59033da2a1afd56af1ac576750a8d0b1830d59e6" vulnerabilities="0" max_cvss_score="" version="1.1.1" library="jsr311-api" library_id="maven&#x3a;javax.ws.rs&#x3a;jsr311-api&#x3a;1.1.1&#x3a;" vendor="javax.ws.rs" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
+                <file_paths>
+                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jsr311-api-1.1.1.jar" />
+                </file_paths>
+                <licenses>
+                    <license name="Common Development and Distribution License 1.0" spdx_id="CDDL-1.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.0.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                    <license name="CeCILL Free Software License Agreement v1.0" spdx_id="CECILL-1.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CECILL-1.0.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
+                        <mitigations />
+                    </license>
+                </licenses>
+                <vulnerabilities />
+                <violated_policy_rules />
+            </component>
+        </vulnerable_components>
+    </software_composition_analysis>
+</detailedreport>

From 8e5395d7ac5e36a0615790e2a4740ed312d03d3a Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Mon, 27 Feb 2023 17:26:59 +0530
Subject: [PATCH 02/10] Fix. Reduce Veracode test file

---
 .../testfiles/Benchmark_Veracode.xml          | 1431 +----------------
 1 file changed, 69 insertions(+), 1362 deletions(-)

diff --git a/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml b/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml
index c0e0f513..983987f4 100644
--- a/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml
+++ b/plugin/src/test/resources/testfiles/Benchmark_Veracode.xml
@@ -1,1366 +1,73 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <detailedreport xmlns:xsi="http&#x3a;&#x2f;&#x2f;www.w3.org&#x2f;2001&#x2f;XMLSchema-instance" xmlns="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0" xsi:schemaLocation="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0 https&#x3a;&#x2f;&#x2f;analysiscenter.veracode.com&#x2f;resource&#x2f;detailedreport.xsd">
-    <severity level="5">
-        <category categoryid="18" categoryname="Command or Argument Injection" pcirelated="true">
-            <desc>
-                <para text="Command or argument injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct and execute a command.  In the case of OS command injection, an attacker may be able to either alter the command executed by the application or append additional commands.  In the case of argument injection, the attacker may influence the behavior of the program in other ways, for example, changing the destination of an outbound network request or injecting additional commands into an argument or parameter. The command is typically executed with the privileges of the executing process and gives an attacker a privilege or capability that he would not otherwise have." />
-            </desc>
-            <recommendations>
-                <para text="Careful handling of all untrusted data is critical in preventing injection attacks.   Using one or more of the following techniques provides defense-in-depth and minimizes the likelihood of an vulnerability.">
-                    <bulletitem text="If possible, use library calls rather than external processes to recreate the desired functionality." />
-                    <bulletitem text="Validate user-supplied input using positive filters &#x28;white lists&#x29; to ensure that it conforms to the expected format, using centralized data validation routines when possible. " />
-                    <bulletitem text="Select safe API routines.  Some APIs that execute system commands take an array of strings as input rather than a single string, which protects against some forms of command injection by ensuring that a user-supplied argument cannot be interpreted as part of the command." />
-                </para>
-            </recommendations>
-            <cwe cweid="78" cwename="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" pcirelated="true" owasp="1347" sans="864" certc="1165" certcpp="875" certjava="1134">
-                <description>
-                    <text text="This call contains a command injection flaw.  The argument to the function is constructed using untrusted input.  If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process.  The level of exposure depends on the effectiveness of input validation routines, if any." />
-                </description>
-                <staticflaws>
-                    <flaw severity="5" categoryname="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" count="1" issueid="213" module="benchmark.war" type="java.lang.ProcessBuilder.start"
-                        description="This call to java.lang.ProcessBuilder.start&#x28;&#x29; contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. start&#x28;&#x29; was called on the pb object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a &#x22;safe&#x22; version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;78.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;Command_Injection&#x29;&#xd;&#xa;&#xd;&#xa;"
-                        note="" cweid="78" remediationeffort="3" exploitLevel="2" categoryid="18" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ccp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00006.java" line="69" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00006" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="83">
-                        <exploitability_adjustments>
-                            <exploitability_adjustment score_adjustment="1">
-                                <note>This source of the tainted data is an external web request.</note>
-                            </exploitability_adjustment>
-                        </exploitability_adjustments>
-                    </flaw>
-                    <flaw severity="5" categoryname="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" count="1" issueid="212" module="benchmark.war" type="java.lang.Runtime.exec"
-                        description="This call to java.lang.Runtime.exec&#x28;&#x29; contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec&#x28;&#x29; contains tainted data from the variable args. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a &#x22;safe&#x22; version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;78.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;Command_Injection&#x29;&#xd;&#xa;&#xd;&#xa;"
-                        note="" cweid="78" remediationeffort="3" exploitLevel="2" categoryid="18" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ccp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00007.java" line="61" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00007" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="65">
-                        <exploitability_adjustments>
-                            <exploitability_adjustment score_adjustment="1">
-                                <note>This source of the tainted data is an external web request.</note>
-                            </exploitability_adjustment>
-                        </exploitability_adjustments>
-                    </flaw>
-                </staticflaws>
-            </cwe>
-        </category>
-    </severity>
-    <severity level="4">
-        <category categoryid="19" categoryname="SQL Injection" pcirelated="true">
-            <desc>
-                <para text="SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct a SQL query.  This allows an attacker to manipulate database queries in order to access, modify, or delete arbitrary data.  Depending on the platform, database type, and configuration, it may also be possible to execute administrative operations on the database, access the filesystem, or execute arbitrary system commands.  SQL injection attacks can also be used to subvert authentication and authorization schemes, which would enable an attacker to gain privileged access to restricted portions of the application." />
-            </desc>
-            <recommendations>
-                <para text="Several techniques can be used to prevent SQL injection attacks. These techniques complement each other and address security at different points in the application. Using multiple techniques provides defense-in-depth and minimizes the likelihood of a SQL injection vulnerability.">
-                    <bulletitem text="Use parameterized prepared statements rather than dynamically constructing SQL queries.  This will prevent the database from interpreting the contents of bind variables as part of the query and is the most effective defense against SQL injection." />
-                    <bulletitem text="Validate user-supplied input using positive filters &#x28;white lists&#x29; to ensure that it conforms to the expected format, using centralized data validation routines when possible. " />
-                    <bulletitem text="Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. This means that all URL-encoded &#x28;&#x25;xx&#x29;, HTML-encoded &#x28;&#x26;&#x23;xx&#x3b;&#x29;, or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters." />
-                    <bulletitem text="When using database abstraction libraries such as Hibernate, do not assume that all methods exposed by the API will automatically prevent SQL injection attacks.  Most libraries contain methods that pass arbitrary queries to the database in an unsafe manner." />
-                </para>
-            </recommendations>
-            <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command &#x28;&#x27;SQL Injection&#x27;&#x29;" pcirelated="true" owasp="1347" sans="864">
-                <description>
-                    <text text="This database query contains a SQL injection flaw.  The function call constructs a dynamic SQL query using a variable derived from untrusted input.  An attacker could exploit this flaw to execute arbitrary SQL queries against the database." />
-                </description>
-                <staticflaws>
-                    <flaw severity="4" categoryname="Improper Neutralization of Special Elements used in an SQL Command &#x28;&#x27;SQL Injection&#x27;&#x29;" count="1" issueid="642" module="benchmark.war" type="java.sql.PreparedStatement.executeQuery"
-                        description="This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery&#x28;&#x29; constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery&#x28;&#x29; was called on the statement object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;89.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;SQL_Injection&#x29;&#xd;&#xa;&#xd;&#xa;"
-                        note="" cweid="89" remediationeffort="3" exploitLevel="2" categoryid="19" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ppp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00008.java" line="58" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00008" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="76">
-                        <exploitability_adjustments>
-                            <exploitability_adjustment score_adjustment="1">
-                                <note>This source of the tainted data is an external web request.</note>
-                            </exploitability_adjustment>
-                        </exploitability_adjustments>
-                    </flaw>
-                </staticflaws>
-            </cwe>
-        </category>
-    </severity>
-    <severity level="3" />
-    <severity level="2" />
-    <severity level="1" />
-    <severity level="0" />
-    <flaw-status new="4" reopen="0" open="0" fixed="0" total="4" not_mitigated="4" sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="2" sev-5-change="2" />
-    <customfields>
-        <customfield name="Custom 1" value="" />
-        <customfield name="Custom 2" value="" />
-        <customfield name="Custom 3" value="" />
-        <customfield name="Custom 4" value="" />
-        <customfield name="Custom 5" value="" />
-        <customfield name="Custom 6" value="" />
-        <customfield name="Custom 7" value="" />
-        <customfield name="Custom 8" value="" />
-        <customfield name="Custom 9" value="" />
-        <customfield name="Custom 10" value="" />
-    </customfields>
-    <software_composition_analysis third_party_components="97" violate_policy="false" components_violated_policy="0">
-        <vulnerable_components>
-            <component component_id="0215b350-9987-4844-a39d-5ac23cdf25bc" file_name="batik-constants-1.14.jar" sha1="371acf696982f1c8e2689f5899b4e8453ccd74ff" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-constants" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-constants&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-constants-1.14.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="03e20677-040d-4661-8a23-67fb40fcd836" file_name="neko-htmlunit-2.24.jar" sha1="db21c784490b068c91eded812a68c199362872e9" vulnerabilities="1" max_cvss_score="5.0" version="2.24" library="HtmlUnit NekoHtml" library_id="maven&#x3a;net.sourceforge.htmlunit&#x3a;neko-htmlunit&#x3a;2.24&#x3a;" vendor="net.sourceforge.htmlunit" description="HtmlUnit adaptation of NekoHtml.&#xa;        It has the same functionality but exposing HTMLElements to be overridden." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;neko-htmlunit-2.24.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2022-29546" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="neko-htmlunit is vulnerable to denial of service. An attacker can crash the application through the out of memory exception in the &#x60;scanPI&#x60; function of &#x60;HTMLScanner.java&#x60; by providing a specifically crafted processing instruction." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="0a0c75bd-9fe0-4c13-a2a7-429f284cad67" file_name="shared-ldap-0.9.19.jar" sha1="6f97c0fb69d79d0a52246987163d9b7d0ec02423" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDAP packages used by clients and servers." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="0b2a75d4-9901-41c2-92b8-3aeb652d004d" file_name="commons-collections-3.2.2.jar" sha1="8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5" vulnerabilities="0" max_cvss_score="" version="3.2.2" library="Apache Commons Collections" library_id="maven&#x3a;commons-collections&#x3a;commons-collections&#x3a;3.2.2&#x3a;" vendor="commons-collections" description="Types that extend and augment the Java Collections Framework." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-collections-3.2.2.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="0b844337-0619-4c97-9d8c-05211344c808" file_name="commons-lang-2.6.jar" sha1="0ce1edb914c94ebc388f086c6827e8bdeec71ac2" vulnerabilities="0" max_cvss_score="" version="2.6" library="Commons Lang" library_id="maven&#x3a;commons-lang&#x3a;commons-lang&#x3a;2.6&#x3a;" vendor="commons-lang" description="Commons Lang, a package of Java utility classes for the&#xa;        classes that are in java.lang&#x27;s hierarchy, or are considered to be so&#xa;        standard as to justify existence in java.lang." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-lang-2.6.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="0c55a308-9a12-4955-9b77-0c559560bf79" file_name="shared-asn1-codec-0.9.19.jar" sha1="e2db04aa62b7a963f2ccdcfd4f53fc4461bc3481" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared ASN.1 Codec" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-asn1-codec&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-asn1-codec-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="0ebf669d-3c5b-4031-8488-8c1519f2ceb8" file_name="commons-logging-1.2.jar" sha1="4bfc12adfe4842bf07b657f0369c4cb522955686" vulnerabilities="0" max_cvss_score="" version="1.2" library="Apache Commons Logging" library_id="maven&#x3a;commons-logging&#x3a;commons-logging&#x3a;1.2&#x3a;" vendor="commons-logging" description="Apache Commons Logging is a thin adapter allowing configurable bridging to other,&#xa;    well known logging systems." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-logging-1.2.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="0ec94587-a6bf-46f3-8038-fb15b9eb27c1" file_name="apacheds-jdbm-1.5.7.jar" sha1="0d3bc445bfceba7daa51bd193185375341f56cb3" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS JDBM implementation" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-jdbm&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="specific JDBM Implementation" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-jdbm-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="0ed4bbff-1bd6-47b8-be32-129fd1b9b4fb" file_name="dom4j-1.6.1.jar" sha1="5d3ccc056b6f056dbf0dddfdf43894b9065a8f94" vulnerabilities="3" max_cvss_score="7.5" version="1.6.1" library="dom4j" library_id="maven&#x3a;dom4j&#x3a;dom4j&#x3a;1.6.1&#x3a;" vendor="dom4j" description="dom4j&#x3a; the flexible XML framework for Java" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;dom4j-1.6.1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="BSD 2-Clause &#x22;Simplified&#x22; License" spdx_id="BSD-2-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-2-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2018-1000632" cvss_score="5.0" severity="3" cwe_id="CWE-91" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="dom4j is vulnerable to XML External Entity &#x28;XXE&#x29; attacks. The library does not properly validate the attributes that can be inserted by the user, allowing a malicious user to conduct an XXE attack." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2020-10683" cvss_score="7.5" severity="4" cwe_id="CWE-611" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="dom4j is vulnerable to XML external entity attacks. The default &#x60;SaxReader&#x28;&#x29;&#x60; does not disable external DTDs and External Entities by default, allowing an attacker to access local or internal network resources, or perform requests on behalf of the server." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="SRCCLR-SID-4943" cvss_score="6.8" severity="4" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="dom4j is vulnerable to XML External Entity Injection. The library by default uses the &#x60;SAXReader&#x60; to parse documents without using the &#x60;setFeature&#x60; function in it to disable doctype and entities, allowing a malicious user to pass a document to execute an XML Injection attack." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="12e41b23-a654-4e42-b84d-c76027780d55" file_name="javassist-3.12.0.GA.jar" sha1="88b21d1ef06323beff58664cffa62848c033ecd2" vulnerabilities="0" max_cvss_score="" version="3.12.0.GA" library="Javassist" library_id="maven&#x3a;javassist&#x3a;javassist&#x3a;3.12.0.GA&#x3a;" vendor="javassist" description="Javassist &#x28;JAVA programming ASSISTant&#x29; makes Java bytecode manipulation&#xa;     simple.  It is a class library for editing bytecodes in Java." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;javassist-3.12.0.GA.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="GNU Lesser General Public License v2.1 only" spdx_id="LGPL-2.1-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="154b4a55-fb02-491d-9a82-e4a08ae9175b" file_name="xmlpull-xpp3-3.0.0.20130526.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="3.0.0.20130526" library="xmlpull-xpp3" library_id="maven&#x3a;net.sf.sociaal&#x3a;xmlpull-xpp3&#x3a;3.0.0.20130526&#x3a;" vendor="net.sf.sociaal" description="jME3 Vector Math" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xpp3-1.1.4c.jar&#x3a;xmlpull-xpp3-3.0.0.20130526.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="1617cbc7-c61a-4b5a-ab08-dde6e603951d" file_name="commons-io-2.6.jar" sha1="815893df5f31da2ece4040fe0a12fd44b577afaf" vulnerabilities="1" max_cvss_score="5.8" version="2.6" library="Apache Commons IO" library_id="maven&#x3a;commons-io&#x3a;commons-io&#x3a;2.6&#x3a;" vendor="commons-io" description="The Apache Commons IO library contains utility classes, stream implementations, file filters,&#xa;file comparators, endian transformation classes, and much more." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-io-2.6.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2021-29425" cvss_score="5.8" severity="3" cwe_id="CWE-22" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="commons-io is vulnerable to directory traversal. Invoking the method &#x60;FileNameUtils.normalize&#x60; with a malicious input string would potentially allow access to files within the parent directory." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="176c342e-02c3-4ad4-a883-3c4d9ccb24ee" file_name="shared-ldap-schema-0.9.19.jar" sha1="ad9e6c541dbbc259263ef8c6f81b68cce88b816e" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Jar bundled LDIF files containing schema data using the Apache Directory&#xa;    specific meta schema for describing schema information using LDAP.  This&#xa;    jar can be used by clients as well as by ApacheDS&#x27; schema partition." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="1b9e7711-aae5-4a86-8e09-b11ee11d7b16" file_name="xpp3-1.1.4c.jar" sha1="9b988ea84b9e4e9f1874e390ce099b8ac12cfff5" vulnerabilities="0" max_cvss_score="" version="1.1.4c" library="MXP1&#x3a; Xml Pull Parser 3rd Edition &#x28;XPP3&#x29;" library_id="maven&#x3a;xpp3&#x3a;xpp3&#x3a;1.1.4c&#x3a;" vendor="xpp3" description="MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4&#x2b;." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xpp3-1.1.4c.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 1.1" spdx_id="Apache-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-1.1.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="Public Domain Per Creative Commons" spdx_id="CC-PDDC" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CC-PDDC.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="Indiana University Extreme&#x21; Lab Software License" spdx_id="IUEL" license_url="https&#x3a;&#x2f;&#x2f;raw.githubusercontent.com&#x2f;x-stream&#x2f;mxparser&#x2f;master&#x2f;LICENSE.txt" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="1d0e47b6-1c0a-4b68-829f-fc95f1c3d782" file_name="shared-ldap-schema-loader-0.9.19.jar" sha1="82d8a22e58ec93fe3a582b5d573c724ebe91eac1" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema Loader" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema-loader&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Initial schema loader used during server bootstrapping and client startup&#xa;    to populate hence why it&#x27;s located in shared." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-loader-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="1db13660-bc19-4cb9-97e4-6ca97dd870e7" file_name="xmlgraphics-commons-2.6.jar" sha1="8779b8d8f426f24fdb4a512f8bc4248cb3775bd2" vulnerabilities="0" max_cvss_score="" version="2.6" library="Apache XML Graphics Commons" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;xmlgraphics-commons&#x3a;2.6&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xmlgraphics-commons-2.6.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="1e2bf166-2013-46d8-bc1e-b1c831d6bc8f" file_name="commons-pool-1.5.4.jar" sha1="75b6e20c596ed2945a259cea26d7fadd298398e6" vulnerabilities="0" max_cvss_score="" version="1.5.4" library="Commons Pool" library_id="maven&#x3a;commons-pool&#x3a;commons-pool&#x3a;1.5.4&#x3a;" vendor="commons-pool" description="Commons Object Pooling Library" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-pool-1.5.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="26477a44-7421-4b2b-a9b0-c9941b6ea1d1" file_name="spring-core-4.3.30.RELEASE.jar" sha1="b255bb7389e582d24574f75bc0c880ffb8103dfa" vulnerabilities="1" max_cvss_score="4.0" version="4.3.30.RELEASE" library="Spring Core" library_id="maven&#x3a;org.springframework&#x3a;spring-core&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-core-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2021-22096" cvss_score="4.0" severity="2" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="Spring Framework is vulnerable to privilege escalation. The vulnerability exists due to lack of secure validations of user input which allows a malicious user to inject additional log files. " severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="2b03258c-e348-4223-a122-732b88d87adb" file_name="spring-web-4.3.30.RELEASE.jar" sha1="9b7860a324f4b2f2bc31bcdd99c7ee51fe32e0c8" vulnerabilities="1" max_cvss_score="7.5" version="4.3.30.RELEASE" library="Spring Web" library_id="maven&#x3a;org.springframework&#x3a;spring-web&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-web-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2016-1000027" cvss_score="7.5" severity="4" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" cve_summary="spring-web is vulnerable to remote code execution &#x28;RCE&#x29;. When it is used with external endpoints regardless of endpoints being authenticated or not, the function &#x60;HttpInvokerServiceExporter&#x3a; readRemoteInvocation&#x60; allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended. The documentation has been enhanced to describe precautions for this vulnerability." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="2f3b0e69-d778-496c-9522-bed71375c5db" file_name="httpcore5-h2-5.1.5.jar" sha1="624660339afd5006d427457e6b10b10b32fd86f1" vulnerabilities="0" max_cvss_score="" version="5.1.5" library="Apache HttpComponents Core HTTP&#x2f;2" library_id="maven&#x3a;org.apache.httpcomponents.core5&#x3a;httpcore5-h2&#x3a;5.1.5&#x3a;" vendor="org.apache.httpcomponents.core5" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;httpcore5-h2-5.1.5.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3348ec3b-b8c1-4a03-bff3-8d2630f5d6e3" file_name="commons-fileupload-1.3.3.jar" sha1="04ff14d809195b711fd6bcc87e6777f886730ca1" vulnerabilities="0" max_cvss_score="" version="1.3.3" library="Apache Commons FileUpload" library_id="maven&#x3a;commons-fileupload&#x3a;commons-fileupload&#x3a;1.3.3&#x3a;" vendor="commons-fileupload" description="The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart&#xa;    file upload functionality to servlets and web applications." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-fileupload-1.3.3.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3878c34b-bd52-4e89-a174-3893497faf8b" file_name="batik-i18n-1.14.jar" sha1="a4e7b0cda9132904f21b25ab29a0b73e1867e7fd" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-i18n" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-i18n&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-i18n-1.14.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3adbf5c8-fae1-42fe-b1f2-72a0cffe6722" file_name="shared-ldap-constants-0.9.19.jar" sha1="a652b5344c22f7cdc77197f8254e491d8157bc30" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared Ldap Constants" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-constants&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDAP constants used by clients and servers." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-constants-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3b2463eb-bd8e-4200-8f19-d459488a6bb2" file_name="hibernate-jpa-2.0-api-1.0.1.Final.jar" sha1="3306a165afa81938fc3d8a0948e891de9f6b192b" vulnerabilities="0" max_cvss_score="" version="1.0.1.Final" library="JPA 2.0 API" library_id="maven&#x3a;org.hibernate.javax.persistence&#x3a;hibernate-jpa-2.0-api&#x3a;1.0.1.Final&#x3a;" vendor="org.hibernate.javax.persistence" description="Hibernate definition of the Java Persistence 2.0 &#x28;JSR 317&#x29; API." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-jpa-2.0-api-1.0.1.Final.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="GNU Lesser General Public License v2.1 only" spdx_id="LGPL-2.1-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3c3bf3aa-68e9-4c08-b46a-d16e64494c80" file_name="batik-shared-resources-1.14.jar" sha1="42e9d6345952575e8b2f4ee26108b2811c334305" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-shared-resources" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-shared-resources&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-shared-resources-1.14.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3cde053b-89c6-47f8-ad83-e51dd076f5b1" file_name="bcprov-jdk15to18-1.70.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="1.70" library="Bouncy Castle Provider" library_id="maven&#x3a;org.bouncycastle&#x3a;bcprov-jdk15to18&#x3a;1.70&#x3a;" vendor="org.bouncycastle" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;bcprov-jdk15on-1.70.jar&#x3a;bcprov-jdk15to18-1.70.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3d45c6e2-3766-4a88-b05c-33034152997f" file_name="apacheds-ldif-partition-1.5.7.jar" sha1="b67dd85fd9ed3c09850e6f163f6d6073409e2911" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS LDIF Partition" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-ldif-partition&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A partition that backs it&#x27;s entries and indices in AvlTrees within memory." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-ldif-partition-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="3eddf03e-a6ea-485d-babd-bb7c757486ba" file_name="commons-collections4-4.2.jar" sha1="54ebea0a5b653d3c680131e73fe807bb8f78c4ed" vulnerabilities="0" max_cvss_score="" version="4.2" library="Apache Commons Collections" library_id="maven&#x3a;org.apache.commons&#x3a;commons-collections4&#x3a;4.2&#x3a;" vendor="org.apache.commons" description="The Apache Commons Collections package contains types that extend and augment the Java Collections Framework." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-collections4-4.2.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="444d38ed-40a2-49ed-b2c0-7df7a94cfd94" file_name="apacheds-xdbm-tools-1.5.7.jar" sha1="d0be502da7eab2a37ed57674adddcd65740fcaf5" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Generalized &#x28;X&#x29; DBM Tools" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-xdbm-tools&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Several kinds of two column key&#x2f;value data structures, in memory and on  &#xa;    disk which sort keys can can be used to implement xdbm partitions.  JDBM&#xa;    is one example.  These partition use the same database structure or scheme&#xa;    for maintaining LDAP entries and facilitating search operations on them.&#xa;    This module contains common tools that could be used to manage aspects  &#xa;    common to all xdbm implementations." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-xdbm-tools-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="464ca421-9218-4035-a496-164e6fd2ecb8" file_name="xml-apis-1.4.01.jar" sha1="3789d9fada2d3d458c4ba2de349d48780f381ee3" vulnerabilities="0" max_cvss_score="" version="1.4.01" library="XML Commons External Components XML APIs" library_id="maven&#x3a;xml-apis&#x3a;xml-apis&#x3a;1.4.01&#x3a;" vendor="xml-apis" description="xml-commons provides an Apache-hosted set of DOM, SAX, and &#xa;    JAXP interfaces for use in other xml-based projects. Our hope is that we &#xa;    can standardize on both a common version and packaging scheme for these &#xa;    critical XML standards interfaces to make the lives of both our developers &#xa;    and users easier. The External Components portion of xml-commons contains &#xa;    interfaces that are defined by external standards organizations. For DOM, &#xa;    that&#x27;s the W3C&#x3b; for SAX it&#x27;s David Megginson and sax.sourceforge.net&#x3b; for &#xa;    JAXP it&#x27;s Sun."
-                added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xml-apis-1.4.01.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="The SAX License" spdx_id="sax" license_url="http&#x3a;&#x2f;&#x2f;www.saxproject.org&#x2f;copying.html" risk_rating="0" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="W3C Software Notice and License &#x28;2002-12-31&#x29;" spdx_id="W3C" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;W3C.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="48201550-6cc5-461f-827b-637b0bd3456d" file_name="httpclient5-5.1.4.jar" sha1="208f9eed6d6ab709e2ae7a75b457ef60c0baefa5" vulnerabilities="0" max_cvss_score="" version="5.1.4" library="Apache HttpClient" library_id="maven&#x3a;org.apache.httpcomponents.client5&#x3a;httpclient5&#x3a;5.1.4&#x3a;" vendor="org.apache.httpcomponents.client5" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;httpclient5-5.1.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="4a1d9c80-c444-4ca2-8b4b-28082330c673" file_name="batik-util-1.14.jar" sha1="7ca55c864e5ddd690ba07f44e3ba8e68e9048a02" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-util" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-util&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-util-1.14.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="50905064-9c91-4881-9d86-6d8b78141983" file_name="reload4j-1.2.19.jar" sha1="4eae9978468c5e885a6fb44df7e2bbc07a20e6ce" vulnerabilities="0" max_cvss_score="" version="1.2.19" library="reload4j" library_id="maven&#x3a;ch.qos.reload4j&#x3a;reload4j&#x3a;1.2.19&#x3a;" vendor="ch.qos.reload4j" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;reload4j-1.2.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="59df56ca-c68a-4631-a8ee-6b1d14a3ef72" file_name="spring-tx-4.3.30.RELEASE.jar" sha1="0d8ba2d96a3767ec1ec4ae732ab833eaf4c16f92" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring Transaction" library_id="maven&#x3a;org.springframework&#x3a;spring-tx&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-tx-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="5a304710-09eb-4365-a255-2a99c10117aa" file_name="org.apache.servicemix.bundles.spring-aop-4.3.30.RELEASE_1.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE_1" library="org.apache.servicemix.bundles.spring-aop" library_id="maven&#x3a;org.apache.servicemix.bundles&#x3a;org.apache.servicemix.bundles.spring-aop&#x3a;4.3.30.RELEASE_1&#x3a;" vendor="org.apache.servicemix.bundles" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-aop-4.3.30.RELEASE.jar&#x3a;org.apache.servicemix.bundles.spring-aop-4.3.30.RELEASE_1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="61476789-43ab-4c5e-a708-ba25acfd6524" file_name="asm-3.1.jar" sha1="c157def142714c544bdea2e6144645702adf7097" vulnerabilities="0" max_cvss_score="" version="3.1" library="ASM Core" library_id="maven&#x3a;asm&#x3a;asm&#x3a;3.1&#x3a;" vendor="asm" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;asm-3.1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="6223718d-86ce-4198-bbc2-e49138e3e4b6" file_name="apacheds-avl-partition-1.5.7.jar" sha1="c237b89e58e06f048a9bd7e30b4364e2a76b14fb" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Avl Partition" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-avl-partition&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A partition that backs it&#x27;s entries and indices in AvlTrees within memory." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-avl-partition-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="625545c7-8bc6-4279-9935-1dd9426a186b" file_name="apacheds-core-1.5.7.jar" sha1="fd6138cd10c3e3717d58bd84b841883b01486684" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Server&#x27;s core contains the JNDI provider, interceptors, schema, and&#xa;     database subsystems.  The core is the heart of the server without protocols&#xa;     enabled." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="63763b35-8114-4303-9668-9965245c7869" file_name="jersey-core-1.19.4.jar" sha1="21c5319c82ca29705715b315553a16f11b16655e" vulnerabilities="0" max_cvss_score="" version="1.19.4" library="jersey-core" library_id="maven&#x3a;com.sun.jersey&#x3a;jersey-core&#x3a;1.19.4&#x3a;" vendor="com.sun.jersey" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jersey-core-1.19.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="GNU General Public License with Classpath Exceptions version 2.0" spdx_id="GPL-2.0-with-classpath-exception" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;GPL-2.0-with-classpath-exception.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="64dbc9d1-d92d-4d6c-b66d-b461627aa3b4" file_name="xml-apis-ext-1.3.04.jar" sha1="41a8b86b358e87f3f13cf46069721719105aff66" vulnerabilities="0" max_cvss_score="" version="1.3.04" library="XML Commons External Components XML APIs Extensions" library_id="maven&#x3a;xml-apis&#x3a;xml-apis-ext&#x3a;1.3.04&#x3a;" vendor="xml-apis" description="xml-commons provides an Apache-hosted set of DOM, SAX, and &#xa;    JAXP interfaces for use in other xml-based projects. Our hope is that we &#xa;    can standardize on both a common version and packaging scheme for these &#xa;    critical XML standards interfaces to make the lives of both our developers &#xa;    and users easier. The External Components portion of xml-commons contains &#xa;    interfaces that are defined by external standards organizations. For DOM, &#xa;    that&#x27;s the W3C&#x3b; for SAX it&#x27;s David Megginson and sax.sourceforge.net&#x3b; for &#xa;    JAXP it&#x27;s Sun."
-                added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xml-apis-ext-1.3.04.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="6dd2f6e8-4176-4dc5-a9c2-c940e2b272ab" file_name="shared-ldap-schema-manager-0.9.19.jar" sha1="af9286c5793881b0952eb96937dbbc960068583c" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema Manager" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema-manager&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="SchemaManager implementation bundle." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-manager-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="6f522c81-a30a-44b4-96f0-9838c176291d" file_name="xercesImpl-2.12.2.wso2v1.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="2.12.2.wso2v1" library="WSO2 Carbon Orbit - xercesImpl Library" library_id="maven&#x3a;org.wso2.orbit.xerces&#x3a;xercesImpl&#x3a;2.12.2.wso2v1&#x3a;" vendor="org.wso2.orbit.xerces" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xercesImpl-2.12.2.jar&#x3a;xercesImpl-2.12.2.wso2v1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="73b29880-4766-4e58-9659-a666320f0406" file_name="xom-1.2.10.jar" sha1="4165e25bef19aad134f6498cc277110b9bc5e52b" vulnerabilities="0" max_cvss_score="" version="1.2.10" library="XOM" library_id="maven&#x3a;com.io7m.xom&#x3a;xom&#x3a;1.2.10&#x3a;" vendor="com.io7m.xom" description="The XOM Dual Streaming&#x2f;Tree API for Processing XML" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xom-1.2.10.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="GNU Lesser General Public License v2.1 only" spdx_id="LGPL-2.1-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="GNU Lesser General Public License v2.1 or later" spdx_id="LGPL-2.1-or-later" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-2.1-or-later.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="73f04942-ebd2-448f-bc00-3ad0e20687fc" file_name="apacheds-jdbm-partition-1.5.7.jar" sha1="cce63f267d285bc023742e808b25e4680d525dc8" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS JDBM Partition" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-jdbm-partition&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="JDBM BTree backed partition implementation." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-jdbm-partition-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="75a0548c-6c6d-4966-b589-b6681b31c2ab" file_name="apacheds-xdbm-base-1.5.7.jar" sha1="355caab0b9ab51c303aecb12dcd9b731d64aecef" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS XDBM Base" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-xdbm-base&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Base XDBM &#x28;btree based&#x29; entry store interfaces." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-xdbm-base-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="777376d9-270a-4f74-a01f-76398bbcb32c" file_name="shared-cursor-0.9.19.jar" sha1="fd9e4f305ce2b1e2336333dd89f2d938fe3b8299" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared Cursor" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-cursor&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Shared Cursor interfaces." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-cursor-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="7b39c7a3-2a65-4071-a76b-b9ebd1ef6bcf" file_name="shared-dsml-parser-0.9.19.jar" sha1="08d87c4a4d3f3781af96e56d6cb48d83ea793788" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared DSML Parser" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-dsml-parser&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-dsml-parser-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="7bd808cd-a21b-49ca-9947-d9ce25e703c0" file_name="hibernate-commons-annotations-3.2.0.Final.jar" sha1="ce990611448fc2865469e3b68d2fe76b050e3c4f" vulnerabilities="0" max_cvss_score="" version="3.2.0.Final" library="Hibernate Commons Annotations" library_id="maven&#x3a;org.hibernate&#x3a;hibernate-commons-annotations&#x3a;3.2.0.Final&#x3a;" vendor="org.hibernate" description="Common reflection code used in support of annotation processing" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-commons-annotations-3.2.0.Final.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="GNU Lesser General Public License v3.0 only" spdx_id="LGPL-3.0-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-3.0-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="7e19961d-7cb4-438f-8401-eaacb1ba4c97" file_name="apacheds-core-constants-1.5.7.jar" sha1="be79a639e71ee4e471174027b8bf3659b13000da" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core Constants" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-constants&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains classes that store interfaces with various constants in ApacheDS." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-constants-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="8002cc8a-fcfd-4909-9ef5-69a84c906da9" file_name="apacheds-jdbm-store-1.5.7.jar" sha1="c9d158fbb13ca60803b30ab5487543bb3a2b3faa" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS JDBM Store" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-jdbm-store&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A JDBM entry store which does not have any dependency on core interfaces.&#xa;    The JDBM partition will use this store and build on it to adapt this to &#xa;    server specific partition interfaces.&#xa;    Having this separate module without dependencies on core interfaces makes&#xa;    it easier to avoid cyclic dependencies between modules.  This is especially&#xa;    important for use within the bootstrap plugin which needs to build the&#xa;    schema partition used for bootstrapping the server." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC"
-                component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-jdbm-store-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="819b1e28-faec-4545-8bc1-7d2b5066ed2c" file_name="batik-css-1.14.jar" sha1="3118d46f4879ec08c6c6471c7c0825652ed659ee" vulnerabilities="0" max_cvss_score="" version="1.14" library="batik-css" library_id="maven&#x3a;org.apache.xmlgraphics&#x3a;batik-css&#x3a;1.14&#x3a;" vendor="org.apache.xmlgraphics" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;batik-css-1.14.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="826b2871-f15d-41df-a36d-377927a46037" file_name="esapi-2.3.0.0.jar" sha1="237683050eebe9696e1568c8e2009edc072b75f7" vulnerabilities="0" max_cvss_score="" version="2.3.0.0" library="ESAPI" library_id="maven&#x3a;org.owasp.esapi&#x3a;esapi&#x3a;2.3.0.0&#x3a;" vendor="org.owasp.esapi" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;esapi-2.3.0.0.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="Creative Commons Attribution Share-Alike 3.0 &#x28;CC-BY-SA&#x29;" spdx_id="CC-BY-SA-3.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CC-BY-SA-3.0.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="8339ff6e-bcdc-4a5b-b206-a72a4ed8a55c" file_name="commons-dbcp-1.4.jar" sha1="30be73c965cc990b153a100aaaaafcf239f82d39" vulnerabilities="0" max_cvss_score="" version="1.4" library="Commons DBCP" library_id="maven&#x3a;commons-dbcp&#x3a;commons-dbcp&#x3a;1.4&#x3a;" vendor="commons-dbcp" description="Commons Database Connection Pooling" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-dbcp-1.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="8c59a8d5-2111-45f4-8ab5-735819ae9722" file_name="shared-i18n-0.9.19.jar" sha1="f4f9013c168628c1309b61b481af2d34b8971993" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared I18n" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-i18n&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Internationalization of errors and other messages" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-i18n-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="8d3852c8-aaee-4bc0-b4f1-564b79c98fac" file_name="apacheds-utils-1.5.7.jar" sha1="7f2e8a37b5feca127b92917fa2c2e7b66af5f833" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Utils" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-utils&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains utility classes for ApacheDS." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-utils-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="8d487a80-00aa-4bfe-b0bd-e7c9156a2c8c" file_name="apacheds-core-api-1.5.7.jar" sha1="1c103b7827827935046a29dc9939f386b8c136cd" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core API" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-api&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains interfaces and helper classes that are part of the ApacheDS Core API." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-api-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="8d9a63d8-808b-4233-9e54-279d0f51826f" file_name="log4j-1.2.17.jar" sha1="5af35056b4d257e4b64b9e8069c0746e8b08629f" vulnerabilities="6" max_cvss_score="9.0" version="1.2.17" library="Apache Log4j" library_id="maven&#x3a;log4j&#x3a;log4j&#x3a;1.2.17&#x3a;" vendor="log4j" description="Apache Log4j 1.2" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;log4j-1.2.17.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2019-17571" cvss_score="7.5" severity="4" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in &#x60;TcpSocketServer&#x60; and &#x60;UdpSocketServer&#x60; when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2020-9493" cvss_score="6.8" severity="4" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability exists due to a deserialization of untrusted object vulnerability. " severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2021-4104" cvss_score="6.0" severity="3" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="JMSAppender in log4j is vulnerable to deserialization of untrusted object. When an application is configured to use JMSAppender with the setting TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example &#x22;ldap&#x3a;&#x2f;&#x2f;host&#x3a;port&#x2f;a&#x22;, an attacker is able to execute code on the server as in Log4j 2.x CVE-2021-44228. However, this vulnerability is only depending on configuration. Note&#x3a; This CVE is for Log4j 1.x and its corresponding flaw information for Log4j 2.x is in CVE-2021-44228." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2022-23302" cvss_score="6.0" severity="3" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="JMSSink in log4j is vulnerable to deserialization of untrusted object. The insecure use of JNDI in JMSSink allows an attacker to send malicious object in LDAP store if it is accessible by an attacker or is configured to use an untrusted site, leading to a remote code execution.  Note&#x3a; this vulnerability only affects the applications specifically configured to use JMSSink, which is not the default. " severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2022-23305" cvss_score="6.8" severity="4" cwe_id="CWE-89" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="JDBCAppender in Log4j is vulnerable to SQL injection attacks. An attacker is able to execute arbitrary SQL commands via entering crafted strings into input fields and headers where the values to be inserted are converters from &#x60;PatternLayout&#x60;" severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2022-23307" cvss_score="9.0" severity="5" cwe_id="CWE-502" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability exists due to a deserialization of untrusted object vulnerability allowing an attacker to execute maliciously scripted code via the system. " severity_desc="Very High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="8f196a52-7ab4-4345-9b91-469b14c5695f" file_name="spring-aop-4.3.30.RELEASE.jar" sha1="0b2a6f86ea659114df66cc5d5763667c96336efd" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring AOP" library_id="maven&#x3a;org.springframework&#x3a;spring-aop&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-aop-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="912a780c-0c8a-459b-98ea-35d5baeb8eef" file_name="slf4j-api-1.7.36.jar" sha1="6c62681a2f655b49963a5983b8b0950a6120ae14" vulnerabilities="0" max_cvss_score="" version="1.7.36" library="SLF4J API Module" library_id="maven&#x3a;org.slf4j&#x3a;slf4j-api&#x3a;1.7.36&#x3a;" vendor="org.slf4j" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;slf4j-api-1.7.36.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="939ba91a-2f38-4ff1-b91a-c10beb11b4f0" file_name="hibernate-entitymanager-3.6.10.Final.jar" sha1="c74f1e1bf4fb6b8eaa7e501e6ccba9e055e52974" vulnerabilities="0" max_cvss_score="" version="3.6.10.Final" library="Hibernate ORM - hibernate-entitymanager" library_id="maven&#x3a;org.hibernate&#x3a;hibernate-entitymanager&#x3a;3.6.10.Final&#x3a;" vendor="org.hibernate" description="Hibernate Entity Manager" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-entitymanager-3.6.10.Final.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="GNU Lesser General Public License v3.0 only" spdx_id="LGPL-3.0-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-3.0-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="945978f1-0eb1-422e-92c6-c1827cd383c1" file_name="antlr-2.7.7.jar" sha1="83cd2cd674a217ade95a4bb83a8a14f351f48bd0" vulnerabilities="0" max_cvss_score="" version="2.7.7" library="antlr" library_id="maven&#x3a;antlr&#x3a;antlr&#x3a;2.7.7&#x3a;" vendor="antlr" description="A framework for constructing recognizers, compilers,&#xa;    and translators from grammatical descriptions containing&#xa;    Java, C&#x23;, C&#x2b;&#x2b;, or Python actions." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;antlr-2.7.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="98decff6-dc4a-4483-a05d-1d5189601816" file_name="shared-ldap-schema-dao-0.9.19.jar" sha1="b0103b559d251b8c46976cf0448771e396133a32" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDAP Schema DAO" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-schema-dao&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="File based schema data access object for managing schema data." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-schema-dao-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="9946bb08-5abd-4142-870f-cac59abe9c52" file_name="bcprov-jdk15on-1.70.jar" sha1="4636a0d01f74acaf28082fb62b317f1080118371" vulnerabilities="0" max_cvss_score="" version="1.70" library="Bouncy Castle Provider" library_id="maven&#x3a;org.bouncycastle&#x3a;bcprov-jdk15on&#x3a;1.70&#x3a;" vendor="org.bouncycastle" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;bcprov-jdk15on-1.70.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="9e03e147-fdbe-4ea4-a093-67e71f077c23" file_name="bsh-2.0b6.jar" sha1="fb418f9b33a0b951e9a2978b4b6ee93b2707e72f" vulnerabilities="0" max_cvss_score="" version="2.0b6" library="BeanShell" library_id="maven&#x3a;org.apache-extras.beanshell&#x3a;bsh&#x3a;2.0b6&#x3a;" vendor="org.apache-extras.beanshell" description="BeanShell is a small, free, embeddable Java source interpreter&#xa;    with object scripting language features, written in Java. BeanShell&#xa;    dynamically executes standard Java syntax and extends it with common&#xa;    scripting conveniences such as loose types, commands, and method closures&#xa;    like those in Perl and JavaScript." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;bsh-2.0b6.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="a0f4f79d-c987-47a4-8b84-48770bf6a7e0" file_name="jta-1.1.jar" sha1="2ca09f0b36ca7d71b762e14ea2ff09d5eac57558" vulnerabilities="0" max_cvss_score="" version="1.1" library="Java Transaction API" library_id="maven&#x3a;javax.transaction&#x3a;jta&#x3a;1.1&#x3a;" vendor="javax.transaction" description="The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jta-1.1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="a3f25e49-47fe-4925-9907-c66b2cc563b1" file_name="apacheds-protocol-shared-1.5.7.jar" sha1="0fdcf26426d16aa46e899e5157ae357728926f00" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Protocol Shared" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-protocol-shared&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Shared library that is used by all protocol providers in ApacheDS" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-protocol-shared-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ab96e19a-3ec6-4279-a9b7-dd9ce8579df2" file_name="antisamy-1.6.7.jar" sha1="bedd31a4447b56e1527b0faf79bb6bb25b311fb8" vulnerabilities="0" max_cvss_score="" version="1.6.7" library="OWASP AntiSamy" library_id="maven&#x3a;org.owasp.antisamy&#x3a;antisamy&#x3a;1.6.7&#x3a;" vendor="org.owasp.antisamy" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;antisamy-1.6.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="BSD 3-Clause &#x22;New&#x22; or &#x22;Revised&#x22; License" spdx_id="BSD-3-Clause" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;BSD-3-Clause.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ac00db7a-2351-4aca-a738-45b14329ed0b" file_name="shared-asn1-0.9.19.jar" sha1="964da9c7f8d5efbd51c352f9a7db86988a4b3e05" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared ASN.1" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-asn1&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-asn1-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="acc08ba8-4a4e-4c8d-abcb-42f3d5d331ca" file_name="shared-ldap-jndi-0.9.19.jar" sha1="57c84b9a2705c7edd4416e4ef9b0c3a670fb7911" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared JNDI" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-jndi&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Shared libraries for client side JNDI handling that may be used &#xa;    both in the server and in studio." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-jndi-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="b258391f-e79c-4726-9d41-785c54164e2e" file_name="jersey-servlet-1.19.4.jar" sha1="fbdcb39db6a6976944a621fe11bf1d2ff048d7c2" vulnerabilities="0" max_cvss_score="" version="1.19.4" library="jersey-servlet" library_id="maven&#x3a;com.sun.jersey&#x3a;jersey-servlet&#x3a;1.19.4&#x3a;" vendor="com.sun.jersey" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jersey-servlet-1.19.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="GNU General Public License with Classpath Exceptions version 2.0" spdx_id="GPL-2.0-with-classpath-exception" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;GPL-2.0-with-classpath-exception.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="b33b5e73-8db2-4abf-a201-48ca4c5b792b" file_name="apacheds-i18n-1.5.7.jar" sha1="69f6788a1b011cfff5039cd96ff447a89cdb4921" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS I18n" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-i18n&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Internationalization of errors and other messages" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-i18n-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="bbd977ba-9228-42c2-98a1-70df5e2a5b8e" file_name="apacheds-protocol-ldap-1.5.7.jar" sha1="f5e28caca2a05a18cd2ea8aa219d913295615208" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Protocol Ldap" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-protocol-ldap&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="The LDAPv3 protocol provider for ApacheDS" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-protocol-ldap-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="c094f7d8-e24d-4582-bd46-c0164fa6ac7b" file_name="spring-webmvc-4.3.30.RELEASE.jar" sha1="6bbc129acbda0a7e511438899adfe8544598a6bb" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring Web MVC" library_id="maven&#x3a;org.springframework&#x3a;spring-webmvc&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-webmvc-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="c2a521b2-7fb8-441b-8d64-c3fb407a2d76" file_name="cglib-2.2.jar" sha1="97d03461dc1c04ffc636dcb2579aae7724a78ef2" vulnerabilities="0" max_cvss_score="" version="2.2" library="cglib" library_id="maven&#x3a;cglib&#x3a;cglib&#x3a;2.2&#x3a;" vendor="cglib" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;cglib-2.2.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="c3de8821-d704-4389-8979-0a0a659f1600" file_name="apacheds-kerberos-shared-1.5.7.jar" sha1="fb1418a011ab6583b3f35259666825586f47a616" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Protocol Kerberos Shared" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-kerberos-shared&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="The Kerberos protocol provider for ApacheDS" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-kerberos-shared-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="c442c0df-b399-4bb5-885b-77fc88d2e01b" file_name="spring-context-4.3.30.RELEASE.jar" sha1="6a66a573322d555fb97ce44419f032d266f94cc4" vulnerabilities="1" max_cvss_score="5.0" version="4.3.30.RELEASE" library="Spring Context" library_id="maven&#x3a;org.springframework&#x3a;spring-context&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-context-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2022-22968" cvss_score="5.0" severity="3" cwe_id="CWE-178" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="spring-context is vulnerable to binding rules bypass. The vulnerability exists due to a lack of sanitization of HTTP request parameters allowing an attacker to bypass the &#x60;disallowedFields&#x60; and bind maliciously crafted HTTP request parameters. &#xa;" severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="c9f52235-a8a3-4c92-b75e-0522005cf1fd" file_name="shared-ldap-converter-0.9.19.jar" sha1="e792c73263fcc6280731941a2c4b0c1d0b562671" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared Ldap Converters" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldap-converter&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDAP converters &#x3a; LDIF, DSML, CSV, etc" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldap-converter-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ca67467b-9379-4173-af76-e08aba6c906b" file_name="jersey-server-1.19.4.jar" sha1="44df9a1310c1278b62658509aca3ca53978e8822" vulnerabilities="0" max_cvss_score="" version="1.19.4" library="jersey-server" library_id="maven&#x3a;com.sun.jersey&#x3a;jersey-server&#x3a;1.19.4&#x3a;" vendor="com.sun.jersey" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jersey-server-1.19.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Common Development and Distribution License 1.1&#x28;CDDL-1.1&#x29;" spdx_id="CDDL-1.1" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.1.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="GNU General Public License with Classpath Exceptions version 2.0" spdx_id="GPL-2.0-with-classpath-exception" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;GPL-2.0-with-classpath-exception.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ccda7650-d805-48b5-9e62-31071b76d4e5" file_name="httpcore5-5.1.5.jar" sha1="df9da3a1fa2351c4790245400ed28d78a8ddd3fc" vulnerabilities="0" max_cvss_score="" version="5.1.5" library="Apache HttpComponents Core HTTP&#x2f;1.1" library_id="maven&#x3a;org.apache.httpcomponents.core5&#x3a;httpcore5&#x3a;5.1.5&#x3a;" vendor="org.apache.httpcomponents.core5" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;httpcore5-5.1.5.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ce62e6c0-b44e-48eb-bc0c-badc4164f346" file_name="commons-configuration-1.10.jar" sha1="2b36e4adfb66d966c5aef2d73deb6be716389dc9" vulnerabilities="0" max_cvss_score="" version="1.10" library="Apache Commons Configuration" library_id="maven&#x3a;commons-configuration&#x3a;commons-configuration&#x3a;1.10&#x3a;" vendor="commons-configuration" description="Tools to assist in the reading of configuration&#x2f;preferences files in various formats." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-configuration-1.10.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="cff049d1-6b71-4c9e-a9a7-40ecf9387118" file_name="apacheds-core-entry-1.5.7.jar" sha1="2cbfadb432776e8e6c203685f0693dc54828be33" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core Entry" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-entry&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Server side LDAP entry classes." added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-entry-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="d2f901e9-b6cc-4fb2-b51e-43c1f00d2f91" file_name="spring-expression-4.3.30.RELEASE.jar" sha1="6ce0709c6899dde41a7213ccccfe2535e34c80fe" vulnerabilities="1" max_cvss_score="4.0" version="4.3.30.RELEASE" library="Spring Expression Language &#x28;SpEL&#x29;" library_id="maven&#x3a;org.springframework&#x3a;spring-expression&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-expression-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2022-22950" cvss_score="4.0" severity="2" cwe_id="CWE-770" first_found_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" cve_summary="Spring Expression is vulnerable to denial of service. The vulnerability exists due to the creation of large array in a SpEL and sending meaningless error messages to the user which allows an attacker to send crafted SpEL expressions that leads to an out ouf bound error causing an application crash. " severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="d5302b9e-8ffe-4dc8-90be-754e012a4553" file_name="commons-codec-1.15.jar" sha1="49d94806b6e3dc933dacbd8acb0fdbab8ebd1e5d" vulnerabilities="0" max_cvss_score="" version="1.15" library="Apache Commons Codec" library_id="maven&#x3a;commons-codec&#x3a;commons-codec&#x3a;1.15&#x3a;" vendor="commons-codec" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-codec-1.15.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="d9b02ab5-6bf5-4420-87e4-f8303961dedd" file_name="hibernate-core-3.6.10.Final.jar" sha1="6b36a1eef76cbccc2757f22a795b5e12ab56b3d5" vulnerabilities="2" max_cvss_score="5.8" version="3.6.10.Final" library="hibernate-core - relocation" library_id="maven&#x3a;org.hibernate&#x3a;hibernate-core&#x3a;3.6.10.Final&#x3a;" vendor="org.hibernate" description="The core functionality of Hibernate" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hibernate-core-3.6.10.Final.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="GNU Lesser General Public License v3.0 only" spdx_id="LGPL-3.0-only" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;LGPL-3.0-only.html" risk_rating="4" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2019-14900" cvss_score="4.0" severity="2" cwe_id="CWE-89" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="hibernate-core is vulnerable to SQL injection. The vulnerability exists in Hibernate ORM." severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2020-25638" cvss_score="5.8" severity="3" cwe_id="CWE-89" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="hibernate-core is vulnerable to SQL injection. The vulnerability exists when both hibernate.use_sql_comments and JPQL String literals are used." severity_desc="Medium" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="da326e99-f038-409b-adce-d0558fa2c3ce" file_name="hsqldb-2.3.6.jar" sha1="d4adfef3f017dd71fe789067cc6b7c39f31f2a3a" vulnerabilities="1" max_cvss_score="7.5" version="2.3.6" library="HyperSQL Database" library_id="maven&#x3a;org.hsqldb&#x3a;hsqldb&#x3a;2.3.6&#x3a;" vendor="org.hsqldb" description="HSQLDB - Lightweight 100&#x25; Java SQL Database Engine" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;hsqldb-2.3.6.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="HSQLDB - COPYRIGHTS AND LICENSES &#x28;based on BSD License&#x29;&#x28;HSQLDB&#x29;" spdx_id="HSQLDB" license_url="http&#x3a;&#x2f;&#x2f;hsqldb.org&#x2f;web&#x2f;hsqlLicense.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2022-41853" cvss_score="7.5" severity="4" cwe_id="" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="duplicate of https&#x3a;&#x2f;&#x2f;research.prod.srcclr.io&#x2f;artifacts&#x2f;37492&#xa;&#xa;HyperSQL Database is vulnerable to remote code execution. The vulnerability exists in the &#x60;supportsJavaMethod&#x60; function of &#x60;HsqlDatabaseProperties.java&#x60; due to the untrusted input process allowing an attacker to execute remote codes in the system." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="dc3163d5-1961-4c9a-a505-7746eacbda58" file_name="apacheds-core-avl-1.5.7.jar" sha1="5ce1450389a7837c82b5b6f7402259643205a1ff" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core AVL" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-avl&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="A linked in memory AVL tree implementation with Cursor." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-avl-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="deb18769-a6b0-41c0-ba95-834a855bc932" file_name="commons-beanutils-1.9.4.jar" sha1="d52b9abcd97f38c81342bb7e7ae1eee9b73cba51" vulnerabilities="0" max_cvss_score="" version="1.9.4" library="Apache Commons BeanUtils" library_id="maven&#x3a;commons-beanutils&#x3a;commons-beanutils&#x3a;1.9.4&#x3a;" vendor="commons-beanutils" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;commons-beanutils-1.9.4.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="e2becfec-20eb-4b61-ae97-c581c9e643f0" file_name="apacheds-core-jndi-1.5.7.jar" sha1="ff9a051d9a4bf99ff66fd3cb7a8251b6e2b1db74" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core JNDI" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-jndi&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Contains a JNDI provider implementation which wraps the core so existing &#xa;     applications based on JNDI can use the server embedded transparently. &#xa;     Remote and local runtime operations will appear and feel exactly the same&#xa;     with a performance boost when local.  All operations via this JNDI provider&#xa;     bypass the LDAP stack to perform ooerations directly on the ApacheDS core." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-jndi-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="e35db03b-cfd8-4608-9359-114bd62f49be" file_name="spring-beans-4.3.30.RELEASE.jar" sha1="fd6d361c817081ef9d2101e912b2cd9825c9f02a" vulnerabilities="2" max_cvss_score="7.5" version="4.3.30.RELEASE" library="Spring Beans" library_id="maven&#x3a;org.springframework&#x3a;spring-beans&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-beans-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities>
-                    <vulnerability cve_id="CVE-2022-22965" cvss_score="7.5" severity="4" cwe_id="CWE-94" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="spring-beans is vulnerable to remote code execution. Using Spring Parameter Binding with non-basic parameter types, such as POJOs, allows an unauthenticated attacker to execute arbitrary code on the target system by writing or uploading arbitrary files &#x28;e.g .jsp files&#x29; to a location that can be loaded by the application server. &#xa;&#xa;Initial analysis at time of writing shows that exploitation of the vulnerability is only possible with JRE 9 and above, and Apache Tomcat 9 and above, and that the vulnerability requires the usage of Spring parameter binding with non-basic parameter types such as POJOs." severity_desc="High" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                    <vulnerability cve_id="CVE-2022-22970" cvss_score="3.5" severity="2" cwe_id="CWE-770" first_found_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" cve_summary="spring-beans is vulnerable to denial of service. An attacker can crash the application through a model object when it sets a multipart file or javax.servlet.Part of a field" severity_desc="Low" mitigation="false" vulnerability_affects_policy_compliance="false">
-                        <mitigations />
-                    </vulnerability>
-                </vulnerabilities>
-                <violated_policy_rules />
-            </component>
-            <component component_id="e65cab18-d336-4914-b6e8-ed27fa1ff4b0" file_name="apacheds-xdbm-search-1.5.7.jar" sha1="db55aa2b5f89732d6b54beb7d281cdd4b7fcc38e" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Generalized &#x28;X&#x29; DBM Search Engine" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-xdbm-search&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Search engine implementation generalized for XDBM entry store scheme." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-xdbm-search-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="e8960e5c-e197-409e-82c4-983f2e37f584" file_name="mina-core-2.0.0-RC1.jar" sha1="909120cba20f2965f036e9ca8a9ace5d222c6f6a" vulnerabilities="0" max_cvss_score="" version="2.0.0-RC1" library="Apache MINA Core" library_id="maven&#x3a;org.apache.mina&#x3a;mina-core&#x3a;2.0.0-RC1&#x3a;" vendor="org.apache.mina" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;mina-core-2.0.0-RC1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="eb401f05-9552-4b26-b3d6-184e326230d3" file_name="xercesImpl-2.12.2.jar" sha1="f051f988aa2c9b4d25d05f95742ab0cc3ed789e2" vulnerabilities="0" max_cvss_score="" version="2.12.2" library="Xerces2-j" library_id="maven&#x3a;xerces&#x3a;xercesImpl&#x3a;2.12.2&#x3a;" vendor="xerces" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;xercesImpl-2.12.2.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ec37de29-eaaa-4ad8-bfb3-521e9f16d20f" file_name="slf4j-reload4j-1.7.36.jar" sha1="db708f7d959dee1857ac524636e85ecf2e1781c1" vulnerabilities="0" max_cvss_score="" version="1.7.36" library="SLF4J Reload4j Binding" library_id="maven&#x3a;org.slf4j&#x3a;slf4j-reload4j&#x3a;1.7.36&#x3a;" vendor="org.slf4j" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;slf4j-reload4j-1.7.36.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="MIT License" spdx_id="MIT" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="ec4c0d0e-9172-40f3-8660-c2f5e54bb5c2" file_name="spring-jdbc-4.3.30.RELEASE.jar" sha1="0e64cae71ea1e368bb6713fb89e96d0c38705c47" vulnerabilities="0" max_cvss_score="" version="4.3.30.RELEASE" library="Spring JDBC" library_id="maven&#x3a;org.springframework&#x3a;spring-jdbc&#x3a;4.3.30.RELEASE&#x3a;" vendor="org.springframework" description="" added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;spring-jdbc-4.3.30.RELEASE.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="f00631e8-97c7-4af6-89d4-42f4a1e70a8b" file_name="apacheds-core-mock-1.5.7.jar" sha1="25bdadcc53553dbf6366cc67c143320960982956" vulnerabilities="0" max_cvss_score="" version="1.5.7" library="ApacheDS Core Mock" library_id="maven&#x3a;org.apache.directory.server&#x3a;apacheds-core-mock&#x3a;1.5.7&#x3a;" vendor="org.apache.directory.server" description="Some commonly used mock objects that have more than bare minimum of functionality." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;apacheds-core-mock-1.5.7.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="f83a2005-aad9-4a04-bd1d-615f0a6a7cbb" file_name="shared-ldif-0.9.19.jar" sha1="6f1b77705294a502d771c7d98d57460dcba8e420" vulnerabilities="0" max_cvss_score="" version="0.9.19" library="Apache Directory Shared LDIF" library_id="maven&#x3a;org.apache.directory.shared&#x3a;shared-ldif&#x3a;0.9.19&#x3a;" vendor="org.apache.directory.shared" description="Common LDIF packages used by clients and servers." added_date="2023-02-13 14&#x3a;01&#x3a;22 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;shared-ldif-0.9.19.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-            <component component_id="feda6e6b-ae6e-44ff-80ee-f1f5ce7ceb5f" file_name="jsr311-api-1.1.1.jar" sha1="59033da2a1afd56af1ac576750a8d0b1830d59e6" vulnerabilities="0" max_cvss_score="" version="1.1.1" library="jsr311-api" library_id="maven&#x3a;javax.ws.rs&#x3a;jsr311-api&#x3a;1.1.1&#x3a;" vendor="javax.ws.rs" description="" added_date="2023-02-13 14&#x3a;01&#x3a;23 UTC" component_affects_policy_compliance="false">
-                <file_paths>
-                    <file_path value="benchmark.war&#x23;zip&#x3a;WEB-INF&#x2f;lib&#x2f;jsr311-api-1.1.1.jar" />
-                </file_paths>
-                <licenses>
-                    <license name="Common Development and Distribution License 1.0" spdx_id="CDDL-1.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CDDL-1.0.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                    <license name="CeCILL Free Software License Agreement v1.0" spdx_id="CECILL-1.0" license_url="https&#x3a;&#x2f;&#x2f;spdx.org&#x2f;licenses&#x2f;CECILL-1.0.html" risk_rating="3" mitigation="false" license_affects_policy_compliance="false">
-                        <mitigations />
-                    </license>
-                </licenses>
-                <vulnerabilities />
-                <violated_policy_rules />
-            </component>
-        </vulnerable_components>
-    </software_composition_analysis>
+   <severity level="5">
+      <category categoryid="18" categoryname="Command or Argument Injection" pcirelated="true">
+         <desc>
+            <para text="Command or argument injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct and execute a command.  In the case of OS command injection, an attacker may be able to either alter the command executed by the application or append additional commands.  In the case of argument injection, the attacker may influence the behavior of the program in other ways, for example, changing the destination of an outbound network request or injecting additional commands into an argument or parameter. The command is typically executed with the privileges of the executing process and gives an attacker a privilege or capability that he would not otherwise have."/>
+         </desc>
+         <recommendations>
+            <para text="Careful handling of all untrusted data is critical in preventing injection attacks.   Using one or more of the following techniques provides defense-in-depth and minimizes the likelihood of an vulnerability.">
+               <bulletitem text="If possible, use library calls rather than external processes to recreate the desired functionality."/>
+               <bulletitem text="Validate user-supplied input using positive filters &#x28;white lists&#x29; to ensure that it conforms to the expected format, using centralized data validation routines when possible. "/>
+               <bulletitem text="Select safe API routines.  Some APIs that execute system commands take an array of strings as input rather than a single string, which protects against some forms of command injection by ensuring that a user-supplied argument cannot be interpreted as part of the command."/>
+            </para>
+         </recommendations>
+         <cwe cweid="78" cwename="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" pcirelated="true" owasp="1347" sans="864" certc="1165" certcpp="875" certjava="1134">
+            <description>
+               <text text="This call contains a command injection flaw.  The argument to the function is constructed using untrusted input.  If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process.  The level of exposure depends on the effectiveness of input validation routines, if any."/>
+            </description>
+            <staticflaws>
+               <flaw severity="5" categoryname="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" count="1" issueid="213" module="benchmark.war" type="java.lang.ProcessBuilder.start" description="This call to java.lang.ProcessBuilder.start&#x28;&#x29; contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. start&#x28;&#x29; was called on the pb object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a &#x22;safe&#x22; version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;78.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;Command_Injection&#x29;&#xd;&#xa;&#xd;&#xa;" note="" cweid="78" remediationeffort="3" exploitLevel="2" categoryid="18" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ccp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00006.java" line="69" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00006" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="83">
+                  <exploitability_adjustments>
+                     <exploitability_adjustment score_adjustment="1">
+                        <note>This source of the tainted data is an external web request.</note>
+                     </exploitability_adjustment>
+                  </exploitability_adjustments>
+               </flaw>
+               <flaw severity="5" categoryname="Improper Neutralization of Special Elements used in an OS Command &#x28;&#x27;OS Command Injection&#x27;&#x29;" count="1" issueid="212" module="benchmark.war" type="java.lang.Runtime.exec" description="This call to java.lang.Runtime.exec&#x28;&#x29; contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec&#x28;&#x29; contains tainted data from the variable args. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a &#x22;safe&#x22; version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;78.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;Command_Injection&#x29;&#xd;&#xa;&#xd;&#xa;" note="" cweid="78" remediationeffort="3" exploitLevel="2" categoryid="18" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ccp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00007.java" line="61" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00007" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="65">
+                  <exploitability_adjustments>
+                     <exploitability_adjustment score_adjustment="1">
+                        <note>This source of the tainted data is an external web request.</note>
+                     </exploitability_adjustment>
+                  </exploitability_adjustments>
+               </flaw>
+            </staticflaws>
+         </cwe>
+      </category>
+   </severity>
+   <severity level="4">
+      <category categoryid="19" categoryname="SQL Injection" pcirelated="true">
+         <desc>
+            <para text="SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct a SQL query.  This allows an attacker to manipulate database queries in order to access, modify, or delete arbitrary data.  Depending on the platform, database type, and configuration, it may also be possible to execute administrative operations on the database, access the filesystem, or execute arbitrary system commands.  SQL injection attacks can also be used to subvert authentication and authorization schemes, which would enable an attacker to gain privileged access to restricted portions of the application."/>
+         </desc>
+         <recommendations>
+            <para text="Several techniques can be used to prevent SQL injection attacks. These techniques complement each other and address security at different points in the application. Using multiple techniques provides defense-in-depth and minimizes the likelihood of a SQL injection vulnerability.">
+               <bulletitem text="Use parameterized prepared statements rather than dynamically constructing SQL queries.  This will prevent the database from interpreting the contents of bind variables as part of the query and is the most effective defense against SQL injection."/>
+               <bulletitem text="Validate user-supplied input using positive filters &#x28;white lists&#x29; to ensure that it conforms to the expected format, using centralized data validation routines when possible. "/>
+               <bulletitem text="Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. This means that all URL-encoded &#x28;&#x25;xx&#x29;, HTML-encoded &#x28;&#x26;&#x23;xx&#x3b;&#x29;, or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters."/>
+               <bulletitem text="When using database abstraction libraries such as Hibernate, do not assume that all methods exposed by the API will automatically prevent SQL injection attacks.  Most libraries contain methods that pass arbitrary queries to the database in an unsafe manner."/>
+            </para>
+         </recommendations>
+         <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command &#x28;&#x27;SQL Injection&#x27;&#x29;" pcirelated="true" owasp="1347" sans="864">
+            <description>
+               <text text="This database query contains a SQL injection flaw.  The function call constructs a dynamic SQL query using a variable derived from untrusted input.  An attacker could exploit this flaw to execute arbitrary SQL queries against the database."/>
+            </description>
+            <staticflaws>
+               <flaw severity="4" categoryname="Improper Neutralization of Special Elements used in an SQL Command &#x28;&#x27;SQL Injection&#x27;&#x29;" count="1" issueid="642" module="benchmark.war" type="java.sql.PreparedStatement.executeQuery" description="This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery&#x28;&#x29; constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery&#x28;&#x29; was called on the statement object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getHeader.&#xd;&#xa;&#xd;&#xa;Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.&#xd;&#xa;&#xd;&#xa;References&#x3a; &#xd;&#xa;CWE &#x28;https&#x3a;&#x2f;&#x2f;cwe.mitre.org&#x2f;data&#x2f;definitions&#x2f;89.html&#x29; &#xd;&#xa;OWASP &#x28;https&#x3a;&#x2f;&#x2f;owasp.org&#x2f;www-community&#x2f;attacks&#x2f;SQL_Injection&#x29;&#xd;&#xa;&#xd;&#xa;" note="" cweid="89" remediationeffort="3" exploitLevel="2" categoryid="19" pcirelated="true" date_first_occurrence="2023-02-13 13&#x3a;42&#x3a;32 UTC" remediation_status="New" cia_impact="ppp" grace_period_expires="2023-02-13 15&#x3a;19&#x3a;13 UTC" affects_policy_compliance="true" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="BenchmarkTest00008.java" line="58" sourcefilepath="org&#x2f;owasp&#x2f;benchmark&#x2f;testcode&#x2f;" scope="org.owasp.benchmark.testcode.BenchmarkTest00008" functionprototype="void doPost&#x28;javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse&#x29;" functionrelativelocation="76">
+                  <exploitability_adjustments>
+                     <exploitability_adjustment score_adjustment="1">
+                        <note>This source of the tainted data is an external web request.</note>
+                     </exploitability_adjustment>
+                  </exploitability_adjustments>
+               </flaw>
+            </staticflaws>
+         </cwe>
+      </category>
+   </severity>
+   <severity level="3"/>
+   <severity level="2"/>
+   <severity level="1"/>
+   <severity level="0"/>
+   <flaw-status new="4" reopen="0" open="0" fixed="0" total="4" not_mitigated="4" sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="2" sev-5-change="2"/>
 </detailedreport>

From 663d0e145501d368bc33f20fa589d4279fa7e6dc Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Fri, 3 Mar 2023 16:23:02 +0530
Subject: [PATCH 03/10] Fix. condition to check root node name

---
 .../score/parsers/VeracodeReader.java         | 12 +++-------
 .../score/parsers/VeracodeReaderTest.java     | 22 ++++++++++++++++---
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
index 5b58f4d7..e39093ec 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
@@ -40,18 +40,12 @@ public class VeracodeReader extends Reader {
     @Override
     public boolean canRead(ResultFile resultFile) {
         return resultFile.filename().endsWith(".xml")
-                && (resultFile.line(1).startsWith("<detailedreport")
-                        || resultFile.line(2).startsWith("<detailedreport"));
+                && (resultFile.xmlRootNodeName().equalsIgnoreCase("detailedreport"));
     }
 
     @Override
     public TestSuiteResults parse(ResultFile resultFile) throws Exception {
-        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
-        // Prevent XXE
-        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-        DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
-        InputSource is = new InputSource(new FileInputStream(resultFile.file()));
-        Document doc = docBuilder.parse(is);
+
 
         TestSuiteResults tr =
                 new TestSuiteResults("Veracode SAST", true, TestSuiteResults.ToolType.SAST);
@@ -59,7 +53,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         // <static-analysis rating="F" score="24" submitted_date="2015-05-23 00:04:57 UTC"
         // published_date="2015-05-28 15:28:35 UTC" next_scan_due="2015-08-28 15:28:35 UTC"
         // analysis_size_bytes="70797465" engine_version="82491">
-        Node root = doc.getDocumentElement();
+        Node root = resultFile.xmlRootNode();
         NodeList rootList = root.getChildNodes();
         Node sa = getNamedNode("static-analysis", rootList);
         String version = getAttributeValue("engine_version", sa);
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java
index f869d0d7..618fbbaf 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java
@@ -2,9 +2,10 @@
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.owasp.benchmarkutils.score.BenchmarkScore;
-import org.owasp.benchmarkutils.score.ResultFile;
-import org.owasp.benchmarkutils.score.TestHelper;
+import org.owasp.benchmarkutils.score.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 class VeracodeReaderTest extends ReaderTestBase {
 
@@ -20,4 +21,19 @@ void setUp() {
     void onlyVeracodeReportCanReadAsTrue() {
         assertOnlyMatcherClassIs(this.resultFile, VeracodeReader.class);
     }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        VeracodeReader reader = new VeracodeReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+        assertTrue(result.isCommercial());
+        assertEquals("Veracode SAST", result.getToolName());
+
+        assertEquals(3, result.getTotalResults());
+
+        assertEquals(CweNumber.COMMAND_INJECTION, result.get(7).get(0).getCWE());
+        assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE());
+    }
 }

From a3dc848af330d960daf5cfbfb33c2c9deb03cc16 Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Wed, 10 Jul 2024 16:36:53 +0530
Subject: [PATCH 04/10] Add. Gitlab SAST parser

---
 .../score/parsers/GitLabSastReader.java       | 137 +++++++
 .../benchmarkutils/score/parsers/Reader.java  |   1 +
 .../score/parsers/GitLabSastReaderTest.java   |  62 +++
 .../testfiles/Benchmark_GitLab_SAST.json      | 380 ++++++++++++++++++
 4 files changed, 580 insertions(+)
 create mode 100644 plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
 create mode 100644 plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
 create mode 100644 plugin/src/test/resources/testfiles/Benchmark_GitLab_SAST.json

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
new file mode 100644
index 00000000..c8359940
--- /dev/null
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
@@ -0,0 +1,137 @@
+package org.owasp.benchmarkutils.score.parsers;
+
+import org.json.JSONArray;
+import org.json.JSONObject;
+import org.owasp.benchmarkutils.score.*;
+
+public class GitLabSastReader extends Reader {
+    @Override
+    public boolean canRead(ResultFile resultFile) {
+        return resultFile.isJson()
+                && resultFile.json().has("scan")
+                && resultFile
+                .json()
+                .getJSONObject("scan")
+                .getJSONObject("analyzer")
+                .getJSONObject("vendor")
+                .getString("name")
+                .equalsIgnoreCase("GitLab");
+    }
+
+    @Override
+    public TestSuiteResults parse(ResultFile resultFile) throws Exception {
+        TestSuiteResults tr = new TestSuiteResults("GitLab-SAST", true, TestSuiteResults.ToolType.SAST);
+
+        JSONArray vulnerabilities = resultFile.json().getJSONArray("vulnerabilities");
+
+        for (int vulnerability = 0; vulnerability < vulnerabilities.length(); vulnerability++) {
+            TestCaseResult tcr = parseGitLabSastFindings(vulnerabilities.getJSONObject(vulnerability));
+            if (tcr != null) {
+                tr.put(tcr);
+            }
+        }
+        return tr;
+    }
+
+    private TestCaseResult parseGitLabSastFindings(JSONObject vulnerability) {
+
+        try {
+            String className = vulnerability.getJSONObject("location").getString("file");
+            className = (className.substring(className.lastIndexOf('/') + 1)).split("\\.")[0];
+
+            if (className.startsWith(BenchmarkScore.TESTCASENAME)) {
+                TestCaseResult tcr = new TestCaseResult();
+
+                JSONArray identifiers = vulnerability.getJSONArray("identifiers");
+
+                int cwe = identifiers.getJSONObject(1).getInt("value");
+                cwe = translate(cwe);
+
+                String category = identifiers.getJSONObject(2).getString("name");
+                category = category.split("-")[1].strip();
+
+                String evidence = vulnerability.getString("cve");
+
+                tcr.setCWE(cwe);
+                tcr.setCategory(category);
+                tcr.setEvidence(evidence);
+                tcr.setConfidence(0);
+                tcr.setNumber(testNumber(className));
+
+                return tcr;
+            }
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+
+        return null;
+    }
+
+    private int translate(int cwe) {
+        //in gitlab sast {
+        //  "trustbound": 306,  // Authentication Bypass Using Trust Boundaries (CWE-306)
+        //  "weakrand": 338,  // Use of Cryptographically Weak Pseudo-Random Number Generator (CWE-338)
+        //  "sqli": 89,  // SQL Injection (CWE-89)
+        //  "crypto": 327,  // Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
+        //  "cmdi": 185,  // Improper Control of Generation of Code ('Code Injection') (CWE-185)
+        //  "xss": 79,  // Cross-site Scripting (CWE-79)
+        //  "hash": 326,  // Inadequate Encryption Strength (CWE-326)
+        //  "pathtraver": 22,  // Path Traversal (CWE-22)
+        //  "securecookie": 614,  // Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
+        //  "xpathi": 643,  // XPath Injection (CWE-643)
+        //  "ldapi": 90,  // Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE-90)
+        //  "httpresponse": 113,  // Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)
+        //  "debugcode": 259,  // Use of Hard-coded Password (CWE-259)
+        //  "cryptointegration": 1004  // Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)
+        //}
+
+        //in benchmark tool {
+        //  "trustbound": 501,
+        //  "weakrand": 330,
+        //  "sqli": 89,
+        //  "crypto": 327,
+        //  "cmdi": 78,
+        //  "xss": 79,
+        //  "hash": 328,
+        //  "pathtraver": 22,
+        //  "securecookie": 614,
+        //  "xpathi": 643,
+        //  "ldapi": 90
+        //}
+        switch (cwe) {
+            case 22:
+                return CweNumber.PATH_TRAVERSAL;
+            case 79:
+                return CweNumber.XSS;
+            case 89:
+                return CweNumber.SQL_INJECTION;
+            case 90:
+                return CweNumber.LDAP_INJECTION;
+            case 113:
+                return CweNumber.HTTP_RESPONSE_SPLITTING;
+            case 185:
+                return CweNumber.COMMAND_INJECTION;
+            case 326:
+            case 327:
+            case 328:
+                return CweNumber.WEAK_CRYPTO_ALGO;
+            case 338:
+                return CweNumber.WEAK_RANDOM;
+            case 614:
+                return CweNumber.INSECURE_COOKIE;
+            case 643:
+                return CweNumber.XPATH_INJECTION;
+            case 1004:
+                return CweNumber.COOKIE_WITHOUT_HTTPONLY;
+            case 259:
+            case 306:
+                break;
+            default:
+                System.out.println(
+                        "INFO: Found following CWE in GitLab SAST results which we haven't seen before: "
+                                + cwe);
+        }
+
+        return cwe;
+    }
+}
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
index 421330b6..9d078f50 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
@@ -73,6 +73,7 @@ public static List<Reader> allReaders() {
                 new FluidAttacksReader(),
                 new FortifyReader(),
                 new FusionLiteInsightReader(),
+                new GitLabSastReader(),
                 new HCLAppScanIASTReader(),
                 new HCLAppScanSourceReader(),
                 new HCLAppScanStandardReader(),
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
new file mode 100644
index 00000000..2b86ab6b
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
@@ -0,0 +1,62 @@
+package org.owasp.benchmarkutils.score.parsers;
+
+import org.json.JSONArray;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class GitLabSastReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_GitLab_SAST.json");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    public void onlyGitLabSastReaderReportsCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, GitLabSastReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        GitLabSastReader reader = new GitLabSastReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+        assertTrue(result.isCommercial());
+        assertEquals("GitLab-SAST", result.getToolName());
+
+        assertEquals(5, result.getTotalResults());
+
+        assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.PATH_TRAVERSAL, result.get(5).get(0).getCWE());
+    }
+
+    @Test
+    void isAbleToFetchTestFileClassName() {
+        JSONArray vulnerabilities = resultFile.json().getJSONArray("vulnerabilities");
+        String path = vulnerabilities.getJSONObject(1).getJSONObject("location").getString("file");
+
+        assertEquals("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00614.java", path);
+
+        String className = (path.substring(path.lastIndexOf('/') + 1)).split("\\.")[0];
+        assertTrue(className.startsWith(BenchmarkScore.TESTCASENAME));
+
+        JSONArray identifiers = vulnerabilities.getJSONObject(1).getJSONArray("identifiers");
+        int cwe = identifiers.getJSONObject(1).getInt("value");
+        assertEquals(327, cwe);
+
+        String category = identifiers.getJSONObject(2).getString("name");
+        category = category.split("-")[1].strip();
+        assertEquals("Cryptographic Failures", category);
+
+        String evidence = vulnerabilities.getJSONObject(1).getString("cve");
+        assertEquals("semgrep_id:find_sec_bugs.CIPHER_INTEGRITY-1:71:71", evidence);
+    }
+}
\ No newline at end of file
diff --git a/plugin/src/test/resources/testfiles/Benchmark_GitLab_SAST.json b/plugin/src/test/resources/testfiles/Benchmark_GitLab_SAST.json
new file mode 100644
index 00000000..dbab65d9
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_GitLab_SAST.json
@@ -0,0 +1,380 @@
+{
+  "version": "15.1.0",
+  "vulnerabilities": [
+    {
+      "id": "55fbae4bfbd000f5b526729b5a2639465e26c95f0c8c421e81882b7587b9c4ad",
+      "category": "sast",
+      "name": "Use of cryptographically weak pseudo-random number generator (PRNG)",
+      "description": "This rule identifies use of cryptographically weak random number generators.\nUsing cryptographically weak random number generators like `crypto.pseudoRandomBytes()` \nand `Math.random()` for security-critical tasks can expose systems to significant \nvulnerabilities. Attackers might predict the generated random numbers, compromising \nthe integrity and confidentiality of cryptographic operations. This could lead to \nbreaches where sensitive data is accessed or manipulated, authentication mechanisms \nare bypassed, or secure communications are intercepted, ultimately undermining the \nsecurity of the entire system or application.\n\nMitigation strategy:\nReplace the use of these cryptographically weak random number generators with \n`crypto.randomBytes()`, a method provided by Node.js's `crypto` module that \ngenerates cryptographically secure random numbers. This method should be used \nfor all operations requiring secure randomness, such as generating keys, tokens, \nor any cryptographic material.\n\nSecure Code Example:\n```\nconst crypto = require('crypto');\nconst secureBytes = crypto.randomBytes(256);\nconsole.log(`Secure random bytes: ${secureBytes.toString('hex')}`);\n```\n",
+      "cve": "semgrep_id:nodejs_scan.javascript-crypto-rule-node_insecure_random_generator:1642:1642",
+      "severity": "Medium",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "scorecard/content/js/bootstrap.js",
+        "start_line": 1642
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "nodejs_scan.javascript-crypto-rule-node_insecure_random_generator",
+          "value": "nodejs_scan.javascript-crypto-rule-node_insecure_random_generator"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-338",
+          "value": "338",
+          "url": "https://cwe.mitre.org/data/definitions/338.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A02:2021 - Cryptographic Failures",
+          "value": "A02:2021"
+        },
+        {
+          "type": "owasp",
+          "name": "A3:2017 - Sensitive Data Exposure",
+          "value": "A3:2017"
+        },
+        {
+          "type": "njsscan_rule_type",
+          "name": "NodeJS Scan ID javascript-crypto-rule-node_insecure_random_generator",
+          "value": "crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator."
+        }
+      ]
+    },
+    {
+      "id": "f6257f2ca6c4fab2f604a4489b6e18ae19afdaa779900511b4b35597ab89ca43",
+      "category": "sast",
+      "name": "Use of a broken or risky cryptographic algorithm",
+      "description": "Cryptographic algorithms provide many different modes of operation, only some of which provide\nmessage integrity. Without message integrity it could be possible for an adversary to attempt\nto tamper with the ciphertext which could lead to compromising the encryption key. Newer\nalgorithms\napply message integrity to validate ciphertext has not been tampered with.\n\nInstead of using an algorithm that requires configuring a cipher mode, an algorithm\nthat has built-in message integrity should be used. Consider using `ChaCha20Poly1305` or\n`AES-256-GCM` instead.\n\nFor older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is\nrecommended, however it has many drawbacks:\n  - Slower than `ChaCha20Poly1305`.\n  - Catastrophic failure if nonce values are reused.\n\nExample using `ChaCha20Poly1305`:\n```\npublic encrypt() throws Exception {\n    chaChaEncryption(\"Secret text to encrypt\".getBytes(StandardCharsets.UTF_8));\n}\n\npublic SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException {\n// Use DRBG according to\nhttp://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf\n    return SecureRandom.getInstance(\"DRBG\",\n            // Security strength in bits (default is 128)\n            DrbgParameters.instantiation(256,\n                // Set prediction resistance and re-seeding\n                DrbgParameters.Capability.PR_AND_RESEED,\n                // Set the personalization string (optional, not necessary)\n                \"some_personalization_string\".getBytes()\n            )\n    );\n}\n\npublic Cipher getChaCha20Poly1305(int mode, byte[] ivKey, byte[] secretKey) throws\nNoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException,\nInvalidAlgorithmParameterException  {\n    // Get a DRBG random number generator instance\n    SecureRandom random = getSecureRandomDRBG();\n    // Create a ChaCha20-Poly1305 cipher instance\n    Cipher chaChaCipher = Cipher.getInstance(\"ChaCha20-Poly1305/None/NoPadding\");\n    // Create our parameterSpec using our ivKey\n    AlgorithmParameterSpec parameterSpec = new IvParameterSpec(ivKey);\n    // Create a SecretKeySpec using our secretKey\n    SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, \"ChaCha20\");\n    // Initialize and return the cipher for the provided mode\n    chaChaCipher.init(mode, secretKeySpec, parameterSpec, random);\n    return chaChaCipher;\n}\n\npublic void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException,\nNoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException {\n    // Get a DRBG random number generator instance\n    SecureRandom random = getSecureRandomDRBG();\n    // Create secretKey\n    byte[] secretKey = new byte[32];\n    random.nextBytes(secretKey);\n    // Create an IV Key\n    byte[] ivKey = new byte[12];\n    random.nextBytes(ivKey);\n\n    // Create a chaCha encryption cipher instance\n    Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, ivKey, secretKey);\n\n    // Encrypt the text using ChaCha20Poly1305\n    byte[] cipherText = null;\n    try {\n        cipherText = chaChaEncryptor.doFinal(plainText);\n    } catch (IllegalBlockSizeException | BadPaddingException e) {\n        System.out.println(\"failed to encrypt text\");\n        return;\n    }\n    System.out.println(\"encrypted: \" + Base64.getEncoder().encodeToString(cipherText));\n\n     // Create a chaCha decryption cipher instance\n    Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, ivKey, secretKey);\n\n    // Decrypt the text\n    byte[] decryptedText = null;\n    try {\n        decryptedText = chaChaDecryptor.doFinal(cipherText);\n    } catch (IllegalBlockSizeException | BadPaddingException e) {\n        System.out.println(\"failed to decrypt text\");\n        return;\n    }\n    System.out.println(\"decrypted: \" + new String(decryptedText, StandardCharsets.UTF_8));\n}\n```\n\nFor more information on Java Cryptography see:\nhttps://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html\n",
+      "cve": "semgrep_id:find_sec_bugs.CIPHER_INTEGRITY-1:71:71",
+      "severity": "Medium",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java",
+        "start_line": 71
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "find_sec_bugs.CIPHER_INTEGRITY-1",
+          "value": "find_sec_bugs.CIPHER_INTEGRITY-1"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-327",
+          "value": "327",
+          "url": "https://cwe.mitre.org/data/definitions/327.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A02:2021 - Cryptographic Failures",
+          "value": "A02:2021"
+        },
+        {
+          "type": "owasp",
+          "name": "A3:2017 - Sensitive Data Exposure",
+          "value": "A3:2017"
+        },
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-CIPHER_INTEGRITY",
+          "value": "CIPHER_INTEGRITY"
+        }
+      ],
+      "tracking": {
+        "type": "source",
+        "items": [
+          {
+            "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00614.java",
+            "line_start": 71,
+            "line_end": 71,
+            "signatures": [
+              {
+                "algorithm": "scope_offset_compressed",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00614.java|BenchmarkTest00614[0]|doPost[0]:18"
+              },
+              {
+                "algorithm": "scope_offset",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00614.java|BenchmarkTest00614[0]|doPost[0]:33"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "id": "495c1ce376eaa30612723cf238ab83e3324e221ad8ce47e8c6baaac813407f4c",
+      "category": "sast",
+      "name": "Sensitive cookie without 'HttpOnly' flag",
+      "description": "The `HttpOnly` attribute when set to `true` protects the cookie value from being accessed by\nclient side JavaScript such\nas reading the `document.cookie` values. By enabling this protection, a website that is\nvulnerable to\nCross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie\nvalue from JavaScript.\n\nExample of protecting a `Cookie`:\n```\n// Create an HttpOnly cookie.\nCookie someCookie = new Cookie(\"SomeCookieName\", \"SomeValue\");\n// Set HttpOnly flag to true\nsomeCookie.setHttpOnly(true);\n```\n\nFor more information see:\nhttps://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-\n\nSession cookies should be configured with the following security directives:\n\n- [HTTPOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)\n- [Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)\n- [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)\n",
+      "cve": "semgrep_id:java_cookie_rule-CookieHTTPOnly:42:42",
+      "severity": "Low",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",
+        "start_line": 42
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "java_cookie_rule-CookieHTTPOnly",
+          "value": "java_cookie_rule-CookieHTTPOnly"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-1004",
+          "value": "1004",
+          "url": "https://cwe.mitre.org/data/definitions/1004.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A05:2021 - Security Misconfiguration",
+          "value": "A05:2021"
+        },
+        {
+          "type": "owasp",
+          "name": "A6:2017 - Security Misconfiguration",
+          "value": "A6:2017"
+        }
+      ],
+      "tracking": {
+        "type": "source",
+        "items": [
+          {
+            "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00963.java",
+            "line_start": 42,
+            "line_end": 42,
+            "signatures": [
+              {
+                "algorithm": "scope_offset_compressed",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00963.java|BenchmarkTest00963[0]|doGet[0]:8"
+              },
+              {
+                "algorithm": "scope_offset",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00963.java|BenchmarkTest00963[0]|doGet[0]:10"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "id": "848bf059acdd454937903a565afc6af42eafba984cebe9850c014b393ca5f7d0",
+      "category": "sast",
+      "name": "Improper neutralization of special elements used in an LDAP query ('LDAP Injection')",
+      "description": "LDAP injection attacks exploit LDAP queries to influence how data is returned by\nthe LDAP server.\n\nLater versions of Java's `InitialDirContext.search` introduced a four argument method, one of\nwhich is the `filterArg` parameter. The `filterArg` will be automatically encoded when\nquerying\nthe LDAP server. If this method signature is not available, the application must encode the\nLDAP strings manually.\n\nMore details on the four argument `search` method can be found here:\nhttps://docs.oracle.com/en/java/javase/20/docs/api/java.naming/javax/naming/directory/InitialDirContext.html#search(javax.naming.Name,java.lang.String,java.lang.Object[],javax.naming.directory.SearchControls)\n\nTo encode the string manually, it is recommended that all input passed to LDAP querying\nsystems\nencode the following values:\n\n- Any occurrence of the null character must be escaped as \u201c\\00\u201d.\n- Any occurrence of the open parenthesis character must be escaped as \u201c\\28\u201d.\n- Any occurrence of the close parenthesis character must be escaped as \u201c\\29\u201d.\n- Any occurrence of the asterisk character must be escaped as \u201c\\2a\u201d.\n- Any occurrence of the backslash character must be escaped as \u201c\\5c\u201d.\n\nExample function that safely encodes user-supplied input to be used in an LDAP query.\n```\npublic static String encodeLDAPString(String input) {\n  // Note the \\ character is replaced first\n  CharSequence[] chars = new CharSequence[] { \"\\\\\", \"\\0\", \"(\", \")\", \"*\" };\n  CharSequence[] encoded = new CharSequence[] { \"\\\\5c\", \"\\\\00\", \"\\\\28\", \"\\\\29\", \"\\\\2a\" };\n  // Iterate over each character sequence, replacing the raw value with an encoded version of\nit\n  for (int i = 0; i < chars.length; i++)\n  {\n      // re-assign to input\n      input = input.replace(chars[i], encoded[i]);\n  }\n  // return our modified input string\n  return input;\n}\n```\n\nExample code that using the `filterArgs` parameter which automatically encodes for us:\n```\n// Create a properties to hold the ldap connection details\nProperties props = new Properties();\n// Use the com.sun.jndi.ldap.LdapCtxFactory factory provider\nprops.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\n// The LDAP server URL\nprops.put(Context.PROVIDER_URL, \"ldap://ldap.example.org:3889\");\n// User details for the connection\nprops.put(Context.SECURITY_PRINCIPAL, \"cn=admin,dc=example,dc=org\");\n// LDAP account password\nString ldapAccountPassword = getAccountPasswordFromSecureStoreOrKMS();\n// Pass in the LDAP password\nprops.put(Context.SECURITY_CREDENTIALS, ldapAccountPassword);\n\n// Create the LDAPContext\nInitialDirContext ldapContext = new InitialDirContext(props);\n// Example using SUBTREE_SCOPE SearchControls\nSearchControls searchControls = new SearchControls();\nsearchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);\n\n// Get user input for query\nString userQuery = someUserInput;\n// Use searchArguments to hold the user-supplied input\nObject[] searchArguments = new Object[]{userQuery};\n// Hardcode the BaseDN, use the {0} format specifier to use the searchArguments array value,\nand pass in the search controls.\n// searchArguments automatically encode\nNamingEnumeration answer = ldapContext.search(\"dc=example,dc=org\", \"(cn={0})\",\nsearchArguments, searchControls);\n// Process the response answer\nwhile (answer.hasMoreElements()) {\n  ...\n}\n```\n\nFor more information on LDAP Injection see OWASP:\nhttps://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html\n",
+      "cve": "semgrep_id:find_sec_bugs.LDAP_INJECTION-1:67:67",
+      "severity": "Medium",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java",
+        "start_line": 67
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "find_sec_bugs.LDAP_INJECTION-1",
+          "value": "find_sec_bugs.LDAP_INJECTION-1"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-90",
+          "value": "90",
+          "url": "https://cwe.mitre.org/data/definitions/90.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A03:2021 - Injection",
+          "value": "A03:2021"
+        },
+        {
+          "type": "owasp",
+          "name": "A1:2017 - Injection",
+          "value": "A1:2017"
+        },
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-LDAP_INJECTION",
+          "value": "LDAP_INJECTION"
+        }
+      ],
+      "tracking": {
+        "type": "source",
+        "items": [
+          {
+            "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01154.java",
+            "line_start": 67,
+            "line_end": 67,
+            "signatures": [
+              {
+                "algorithm": "scope_offset_compressed",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01154.java|BenchmarkTest01154[0]|doPost[0]:10"
+              },
+              {
+                "algorithm": "scope_offset",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01154.java|BenchmarkTest01154[0]|doPost[0]:29"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "id": "9858d7dcc18a7efd19967095e4b895507f55262747fffb28bb08a806c8b4129c",
+      "category": "sast",
+      "name": "Sensitive cookie without 'HttpOnly' flag",
+      "description": "The `HttpOnly` attribute when set to `true` protects the cookie value from being accessed by\nclient side JavaScript such\nas reading the `document.cookie` values. By enabling this protection, a website that is\nvulnerable to\nCross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie\nvalue from JavaScript.\n\nExample of protecting a `Cookie`:\n```\n// Create an HttpOnly cookie.\nCookie someCookie = new Cookie(\"SomeCookieName\", \"SomeValue\");\n// Set HttpOnly flag to true\nsomeCookie.setHttpOnly(true);\n```\n\nFor more information see:\nhttps://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean-\n\nSession cookies should be configured with the following security directives:\n\n- [HTTPOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)\n- [Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)\n- [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)\n",
+      "cve": "semgrep_id:java_cookie_rule-CookieHTTPOnly:42:42",
+      "severity": "Low",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java",
+        "start_line": 42
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "java_cookie_rule-CookieHTTPOnly",
+          "value": "java_cookie_rule-CookieHTTPOnly"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-1004",
+          "value": "1004",
+          "url": "https://cwe.mitre.org/data/definitions/1004.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A05:2021 - Security Misconfiguration",
+          "value": "A05:2021"
+        },
+        {
+          "type": "owasp",
+          "name": "A6:2017 - Security Misconfiguration",
+          "value": "A6:2017"
+        }
+      ],
+      "tracking": {
+        "type": "source",
+        "items": [
+          {
+            "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01850.java",
+            "line_start": 42,
+            "line_end": 42,
+            "signatures": [
+              {
+                "algorithm": "scope_offset_compressed",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01850.java|BenchmarkTest01850[0]|doGet[0]:8"
+              },
+              {
+                "algorithm": "scope_offset",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01850.java|BenchmarkTest01850[0]|doGet[0]:10"
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "id": "0f1c4f64bcfaff264d127e13e0f290633e366dfd91c6df487f97bd8fdc2ceb6e",
+      "category": "sast",
+      "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+      "description": "Detected a potential path traversal. A malicious actor could control\nthe location of this file, to include going backwards in the directory\nwith '../'. \n\nTo address this, ensure that user-controlled variables in file\npaths are sanitized. You may also consider using a utility method such as\norg.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file\nname from the path.\n\nExample code using FilenameUtils.getName(...)\n\n```\npublic void ok(HttpServletRequest request, HttpServletResponse response)\n        throws ServletException, IOException {\n    String image = request.getParameter(\"image\");\n    File file = new File(\"static/images/\", FilenameUtils.getName(image));\n\n    if (!file.exists()) {\n        log.info(image + \" could not be created.\");\n        response.sendError();\n    }\n\n    response.sendRedirect(\"/index.html\");\n}\n```\n",
+      "cve": "semgrep_id:java_file_rule-FilePathTraversalHttpServlet:56:56",
+      "severity": "Critical",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java",
+        "start_line": 56
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "java_file_rule-FilePathTraversalHttpServlet",
+          "value": "java_file_rule-FilePathTraversalHttpServlet"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-22",
+          "value": "22",
+          "url": "https://cwe.mitre.org/data/definitions/22.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A01:2021 - Broken Access Control",
+          "value": "A01:2021"
+        },
+        {
+          "type": "owasp",
+          "name": "A5:2017 - Broken Access Control",
+          "value": "A5:2017"
+        }
+      ],
+      "tracking": {
+        "type": "source",
+        "items": [
+          {
+            "file": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02470.java",
+            "line_start": 56,
+            "line_end": 56,
+            "signatures": [
+              {
+                "algorithm": "scope_offset_compressed",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02470.java|BenchmarkTest02470[0]|doPost[0]:9"
+              },
+              {
+                "algorithm": "scope_offset",
+                "value": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02470.java|BenchmarkTest02470[0]|doPost[0]:18"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "dependency_files": null,
+  "scan": {
+    "analyzer": {
+      "id": "semgrep",
+      "name": "Semgrep",
+      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/semgrep",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "5.3.3"
+    },
+    "scanner": {
+      "id": "semgrep",
+      "name": "Semgrep",
+      "url": "https://github.com/returntocorp/semgrep",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "1.72.0"
+    },
+    "primary_identifiers": [],
+    "type": "sast",
+    "start_time": "2024-07-03T08:44:11",
+    "end_time": "2024-07-03T08:44:45",
+    "status": "success"
+  }
+}
\ No newline at end of file

From 91f7518256db4741bcef5558c7569c067b36f452 Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Wed, 10 Jul 2024 16:54:38 +0530
Subject: [PATCH 05/10] Fix. Testfile location

---
 .../benchmarkutils/score/parsers/GitLabSastReaderTest.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
index 2b86ab6b..188fcfbb 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
@@ -43,7 +43,7 @@ void isAbleToFetchTestFileClassName() {
         JSONArray vulnerabilities = resultFile.json().getJSONArray("vulnerabilities");
         String path = vulnerabilities.getJSONObject(1).getJSONObject("location").getString("file");
 
-        assertEquals("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00614.java", path);
+        assertEquals("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java", path);
 
         String className = (path.substring(path.lastIndexOf('/') + 1)).split("\\.")[0];
         assertTrue(className.startsWith(BenchmarkScore.TESTCASENAME));

From 17466f7500d8eedc06d264474f8c8699afd3d5b7 Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Wed, 10 Jul 2024 17:03:27 +0530
Subject: [PATCH 06/10] Refactor. remove comments

---
 .../score/parsers/GitLabSastReader.java       | 31 +------------------
 1 file changed, 1 insertion(+), 30 deletions(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
index c8359940..2c9d45f3 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
@@ -68,36 +68,7 @@ private TestCaseResult parseGitLabSastFindings(JSONObject vulnerability) {
     }
 
     private int translate(int cwe) {
-        //in gitlab sast {
-        //  "trustbound": 306,  // Authentication Bypass Using Trust Boundaries (CWE-306)
-        //  "weakrand": 338,  // Use of Cryptographically Weak Pseudo-Random Number Generator (CWE-338)
-        //  "sqli": 89,  // SQL Injection (CWE-89)
-        //  "crypto": 327,  // Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
-        //  "cmdi": 185,  // Improper Control of Generation of Code ('Code Injection') (CWE-185)
-        //  "xss": 79,  // Cross-site Scripting (CWE-79)
-        //  "hash": 326,  // Inadequate Encryption Strength (CWE-326)
-        //  "pathtraver": 22,  // Path Traversal (CWE-22)
-        //  "securecookie": 614,  // Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
-        //  "xpathi": 643,  // XPath Injection (CWE-643)
-        //  "ldapi": 90,  // Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE-90)
-        //  "httpresponse": 113,  // Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)
-        //  "debugcode": 259,  // Use of Hard-coded Password (CWE-259)
-        //  "cryptointegration": 1004  // Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)
-        //}
-
-        //in benchmark tool {
-        //  "trustbound": 501,
-        //  "weakrand": 330,
-        //  "sqli": 89,
-        //  "crypto": 327,
-        //  "cmdi": 78,
-        //  "xss": 79,
-        //  "hash": 328,
-        //  "pathtraver": 22,
-        //  "securecookie": 614,
-        //  "xpathi": 643,
-        //  "ldapi": 90
-        //}
+
         switch (cwe) {
             case 22:
                 return CweNumber.PATH_TRAVERSAL;

From ab1a3b37f9f7b0312d71252d9680eed375c44bf2 Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Wed, 10 Jul 2024 22:34:04 +0530
Subject: [PATCH 07/10] Refactor. test function name

---
 .../benchmarkutils/score/parsers/GitLabSastReaderTest.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
index 188fcfbb..7af5198a 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
@@ -39,7 +39,7 @@ void readerHandlesGivenResultFile() throws Exception {
     }
 
     @Test
-    void isAbleToFetchTestFileClassName() {
+    void isAbleToExtractDataToCreateTestCaseResults() {
         JSONArray vulnerabilities = resultFile.json().getJSONArray("vulnerabilities");
         String path = vulnerabilities.getJSONObject(1).getJSONObject("location").getString("file");
 

From 33117923f13ac7a04c27497d100695ad72683e50 Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Wed, 10 Jul 2024 22:55:26 +0530
Subject: [PATCH 08/10] Add. disclaimer block

---
 .../score/parsers/GitLabSastReader.java         | 17 +++++++++++++++++
 .../score/parsers/sarif/SnykReader.java         |  2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
index 2c9d45f3..40076b89 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
@@ -1,3 +1,20 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details
+ *
+ * @author Barath Raj
+ * @created 2024
+ */
 package org.owasp.benchmarkutils.score.parsers;
 
 import org.json.JSONArray;
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java
index 5f042fc7..4d75c4cc 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java
@@ -12,7 +12,7 @@
  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
  * PURPOSE. See the GNU General Public License for more details
  *
- * @author Raj Barath
+ * @author Barath Raj
  * @created 2023
  */
 package org.owasp.benchmarkutils.score.parsers.sarif;

From 923d9c66a04895fcae713df17ccf3eeb35b85ecd Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Wed, 10 Jul 2024 22:56:26 +0530
Subject: [PATCH 09/10] Add. disclaimer block

---
 .../score/parsers/GitLabSastReaderTest.java     | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
index 7af5198a..50dcbd19 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReaderTest.java
@@ -1,3 +1,20 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details
+ *
+ * @author Barath Raj
+ * @created 2024
+ */
 package org.owasp.benchmarkutils.score.parsers;
 
 import org.json.JSONArray;

From 5986a0c5a1aad83c07050d6aeb420bb1cefba39f Mon Sep 17 00:00:00 2001
From: Barath Raj <rajbarathk@gmail.com>
Date: Thu, 11 Jul 2024 00:39:24 +0530
Subject: [PATCH 10/10] Refactor. logic for vaild test case result check

---
 .../score/parsers/GitLabSastReader.java              | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
index 40076b89..c34e08e9 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/GitLabSastReader.java
@@ -19,7 +19,10 @@
 
 import org.json.JSONArray;
 import org.json.JSONObject;
-import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestCaseResult;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
 
 public class GitLabSastReader extends Reader {
     @Override
@@ -53,10 +56,9 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
     private TestCaseResult parseGitLabSastFindings(JSONObject vulnerability) {
 
         try {
-            String className = vulnerability.getJSONObject("location").getString("file");
-            className = (className.substring(className.lastIndexOf('/') + 1)).split("\\.")[0];
+            int testNumber = testNumber(vulnerability.getJSONObject("location").getString("file"));
 
-            if (className.startsWith(BenchmarkScore.TESTCASENAME)) {
+            if (testNumber > -1) {
                 TestCaseResult tcr = new TestCaseResult();
 
                 JSONArray identifiers = vulnerability.getJSONArray("identifiers");
@@ -73,7 +75,7 @@ private TestCaseResult parseGitLabSastFindings(JSONObject vulnerability) {
                 tcr.setCategory(category);
                 tcr.setEvidence(evidence);
                 tcr.setConfidence(0);
-                tcr.setNumber(testNumber(className));
+                tcr.setNumber(testNumber);
 
                 return tcr;
             }