ESL SBOMator
Professional SBOM Analysis & Vulnerability Management
www.eswlab.com | Engineering Software Lab
ESL SBOMator
Project in Report:
WebGoat
197
Total Components
10
Vulnerable Components
109
Total CVEs
5.1%
Components with Known CVEs
0
Ransomware CVEs
Used in ransomware campaigns1
Weaponized CVEs
Actively exploited in wild108
No Known Exploitation
CVEs without active exploitation🏢 Vendor/Manufacturer Distribution
VMware
43 components
21.8%
Maven Community
28 components
14.2%
FasterXML
19 components
9.6%
Eclipse Foundation
13 components
6.6%
Apache
12 components
6.1%
Vulnerability Severity Distribution
20 Critical
64 High
22 Medium
3 Low
Click any CVE ID below to view detailed vulnerability information on the National Vulnerability Database
Component Vulnerability Analysis
Threat-Based Prioritization: Components are sorted by security threat level:
RANSOMWARE
WEAPONIZED
Standard CVEs
No CVEs
| Component | Version | Type | Vendor | License | CVEs | Score | Severity | Vulnerabilities (Click CVE IDs) |
|---|---|---|---|---|---|---|---|---|
| xstream WEAPONIZED | 1.4.5 | library | 📦 XStream Source: maven_group |
Unknown | 36 | 9.8 | Critical | CVE-2021-39144 WEAPONIZED +2 EPSS 94.3% Grype CVE-2020-26258 EPSS 93.7% Grype CVE-2020-26217 EPSS 93.0% Grype CVE-2021-21351 EPSS 91.6% Grype CVE-2021-29505 +1 EPSS 90.8% Grype CVE-2020-26259 EPSS 88.9% Grype CVE-2021-21345 +1 EPSS 87.0% Grype CVE-2021-39141 +2 EPSS 81.8% Grype CVE-2021-39152 +2 EPSS 61.8% Grype CVE-2021-39146 +2 EPSS 47.2% Grype CVE-2021-21341 +1 EPSS 27.3% Grype CVE-2021-21344 EPSS 26.3% Grype CVE-2013-7285 EPSS 14.8% Grype CVE-2021-21350 EPSS 7.1% Grype CVE-2021-21349 +1 EPSS 6.7% Grype CVE-2022-41966 +2 EPSS 3.2% Grype CVE-2021-21346 +2 EPSS 2.9% Grype CVE-2016-3674 EPSS 2.9% Grype CVE-2017-7957 EPSS 2.6% Grype CVE-2021-21347 +2 EPSS 2.6% Grype
CVE-2021-39150 +2 EPSS 2.3% Grype CVE-2021-43859 EPSS 1.9% Grype CVE-2021-21342 +1 EPSS 0.9% Grype CVE-2021-39139 +2 EPSS 0.8% Grype CVE-2021-39153 +2 EPSS 0.7% Grype CVE-2021-39149 +2 EPSS 0.7% Grype CVE-2021-39154 +2 EPSS 0.7% Grype CVE-2021-39147 +2 EPSS 0.7% Grype CVE-2021-39151 +2 EPSS 0.7% Grype CVE-2021-39148 +2 EPSS 0.7% Grype CVE-2021-21343 EPSS 0.6% Grype CVE-2021-39145 +1 EPSS 0.6% Grype CVE-2024-47072 EPSS 0.3% Grype CVE-2022-40151 EPSS 0.3% Grype CVE-2021-21348 +1 EPSS 0.3% Grype CVE-2021-39140 +2 EPSS 0.1% Grype
|
| jackson-databind | 2.9.6 | library | 🏭 FasterXML | Apache-2.0 | 60 | 10.0 | Critical | CVE-2020-11113 EPSS 60.7% Grype CVE-2020-36179 EPSS 60.3% Grype CVE-2020-9548 EPSS 57.6% Grype CVE-2019-12384 EPSS 51.7% Grype CVE-2020-10672 EPSS 40.1% Grype CVE-2020-35728 EPSS 39.7% Grype CVE-2020-9547 EPSS 38.3% Grype CVE-2020-10673 EPSS 20.5% Grype CVE-2019-12814 EPSS 18.3% Grype CVE-2019-12086 EPSS 15.5% Grype CVE-2018-14718 EPSS 14.5% Grype CVE-2019-14439 EPSS 10.3% Grype CVE-2020-10650 EPSS 9.9% Grype CVE-2020-14195 EPSS 9.5% Grype CVE-2020-36188 EPSS 9.4% Grype CVE-2018-14721 EPSS 9.4% Grype CVE-2020-14060 EPSS 8.7% Grype CVE-2020-8840 EPSS 8.2% Grype CVE-2020-14062 EPSS 7.7% Grype CVE-2019-14540 EPSS 7.1% Grype
CVE-2020-36184 EPSS 6.9% Grype CVE-2020-11112 EPSS 6.8% Grype CVE-2018-19360 EPSS 6.7% Grype CVE-2020-14061 EPSS 6.2% Grype CVE-2020-35491 EPSS 5.7% Grype CVE-2020-36181 EPSS 5.4% Grype CVE-2018-19362 EPSS 4.1% Grype CVE-2020-10968 EPSS 4.0% Grype CVE-2020-35490 EPSS 3.9% Grype CVE-2020-36189 EPSS 3.6% Grype CVE-2018-14719 EPSS 3.5% Grype CVE-2018-14720 EPSS 3.3% Grype CVE-2020-36182 EPSS 2.7% Grype CVE-2020-36180 EPSS 2.7% Grype CVE-2020-36185 EPSS 2.7% Grype CVE-2020-24616 EPSS 2.7% Grype CVE-2018-19361 EPSS 2.4% Grype CVE-2020-36186 EPSS 2.4% Grype CVE-2020-9546 EPSS 2.3% Grype CVE-2020-11111 EPSS 2.2% Grype CVE-2020-36187 EPSS 2.1% Grype CVE-2020-11620 EPSS 2.1% Grype CVE-2020-36183 EPSS 2.1% Grype CVE-2020-24750 EPSS 2.0% Grype CVE-2019-20330 EPSS 1.9% Grype CVE-2019-16943 EPSS 1.8% Grype CVE-2019-14379 EPSS 1.5% Grype CVE-2020-11619 EPSS 1.3% Grype CVE-2019-17267 EPSS 1.2% Grype CVE-2019-17531 EPSS 1.2% Grype CVE-2020-10969 EPSS 1.0% Grype CVE-2019-14893 +1 EPSS 1.0% Grype CVE-2019-14892 +1 EPSS 0.9% Grype CVE-2019-16335 EPSS 0.7% Grype CVE-2020-36518 EPSS 0.5% Grype CVE-2021-20190 EPSS 0.5% Grype CVE-2019-16942 EPSS 0.4% Grype CVE-2022-42003 EPSS 0.3% Grype CVE-2022-42004 EPSS 0.3% Grype CVE-2020-25649 EPSS 0.0% Grype
|
| tomcat-embed-core | 10.1.46 | library | 🏭 Apache | Apache-2.0 | 3 | 9.1 | Critical | CVE-2025-61795 EPSS 0.2% Grype CVE-2026-24733 EPSS 0.2% Grype CVE-2025-66614 EPSS 0.0% Grype |
| jackson-core | 2.9.6 | library | 🏭 FasterXML | Apache-2.0 | 2 | 8.7 | High | CVE-2025-52999 EPSS 0.1% Grype CVE-2025-49128 EPSS 0.0% Grype |
| jackson-core | 2.15.0 | library | 🏭 FasterXML | Apache-2.0 | 1 | 8.7 | High | ⚠️GHSA-72hv-8253-57qq Grype |
| jose4j | 0.9.3 | library | 📦 Brian Campbell Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
2 | 7.5 | High | CVE-2023-51775 EPSS 0.4% Grype CVE-2024-29371 EPSS 0.0% Grype |
| commons-lang3 | 3.14.0 | library | 🏭 Apache | Apache-2.0 | 1 | 6.5 | Medium | CVE-2025-48924 EPSS 0.0% Grype |
| logback-core | 1.5.18 | library | 🏭 QOS.ch | EPL-1.0 OR LGPL-2.1 | 2 | 5.9 | Medium | CVE-2025-11226 EPSS 0.1% Grype CVE-2026-1225 EPSS 0.0% Grype |
| nimbus-jose-jwt | 9.37.3 | library | 📦 Connect2id Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
1 | 5.8 | Medium | CVE-2025-53864 EPSS 0.1% Grype |
| jruby | 9.4.8.0 | library | 📦 JRuby Source: maven_group |
Unknown | 1 | 5.7 | Medium | CVE-2025-46551 EPSS 0.1% Grype |
| commons-exec | 1.5.0 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-validation | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-core | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-jcl | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-context | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-aop | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-beans | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-expression | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| micrometer-observation | 1.14.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| micrometer-commons | 1.14.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-autoconfigure | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-logging | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| logback-classic | 1.5.18 | library | 🏭 QOS.ch | EPL-1.0 OR LGPL-2.1 | 0 | 0.0 | No CVEs | None |
| slf4j-api | 2.0.17 | library | 🏭 QOS.ch | MIT | 0 | 0.0 | No CVEs | None |
| log4j-to-slf4j | 2.24.3 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| log4j-api | 2.24.3 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jul-to-slf4j | 2.0.17 | library | 🏭 QOS.ch | MIT | 0 | 0.0 | No CVEs | None |
| jakarta.annotation-api | 2.1.1 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| snakeyaml | 2.4 | library | 🏭 SnakeYAML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| tomcat-embed-el | 10.1.46 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| hibernate-validator | 8.0.3.Final | library | 🏭 Red Hat | LGPL-2.1 | 0 | 0.0 | No CVEs | None |
| jakarta.validation-api | 3.0.2 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jboss-logging | 3.4.3.Final | library | 🏭 Red Hat | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| classmate | 1.5.1 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| lombok | 1.18.42 | library | 📦 Project Lombok Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| jaxb-api | UNKNOWN | library | 📦 Oracle Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-web | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-json | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-web | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-databind | 2.19.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-annotations | 2.19.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-core | 2.19.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-datatype-jdk8 | 2.19.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-datatype-jsr310 | 2.19.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-module-parameter-names | 2.19.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-tomcat | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| tomcat-annotations-api | 10.1.46 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| tomcat-embed-websocket | 10.1.46 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-webmvc | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-actuator | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-actuator-autoconfigure | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-actuator | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| micrometer-observation | 1.15.4 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| micrometer-commons | 1.15.4 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| micrometer-jakarta9 | 1.15.4 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| micrometer-core | 1.15.4 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| HdrHistogram | 2.2.2 | library | 📦 HdrHistogram Source: maven_group |
Public Domain, per Creative Commons CC0 MAVEN |
0 | 0.0 | No CVEs | None |
| LatencyUtils | 2.0.3 | library | 📦 LatencyUtils Source: maven_group |
Public Domain, per Creative Commons CC0 MAVEN |
0 | 0.0 | No CVEs | None |
| HdrHistogram | 2.1.8 | library | 📦 HdrHistogram Source: maven_group |
Public Domain, per Creative Commons CC0 MAVEN |
0 | 0.0 | No CVEs | None |
| flyway-core | 11.7.2 | library | 📦 Redgate Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| jackson-dataformat-toml | 2.15.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| lombok | 1.18.32 | library | 📦 Project Lombok Source: maven_group |
The MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| jackson-datatype-jsr310 | 2.15.2 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| flyway-database-hsqldb | 11.7.2 | library | 📦 Redgate Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| asciidoctorj | 3.0.0 | library | 📦 Asciidoctor Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| asciidoctorj-api | 3.0.0 | library | 📦 Asciidoctor Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jruby-base | 9.4.8.0 | library | 📦 JRuby Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| asm | 9.2 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-commons | 9.2 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-tree | 9.2 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-analysis | 9.2 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-util | 9.2 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-netdb | 1.2.0 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-ffi | 2.2.0 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jffi | 1.3.0 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| asm | 7.1 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-commons | 7.1 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-analysis | 7.1 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-tree | 7.1 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| asm-util | 7.1 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-a64asm | 1.0.0 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-x86asm | 1.0.2 | library | 📦 Maven Community Source: ecosystem |
MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-enxio | 0.32.17 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-constants | 0.10.4 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-ffi | 2.2.16 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jffi | 1.3.13 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-unixsocket | 0.38.22 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jnr-posix | 3.1.19 | library | 📦 Python Porting Community Source: known_maintainer |
Eclipse Public License - v 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| joni | 2.2.1 | library | 📦 JRuby Source: maven_group |
MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| jcodings | 1.0.58 | library | 📦 JRuby Source: maven_group |
MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| dirgra | 0.3 | library | 📦 JRuby Source: maven_group |
EPL MAVEN |
0 | 0.0 | No CVEs | None |
| invokebinder | 1.13 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| options | 1.6 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jzlib | 1.1.5 | library | 📦 JRuby Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| joda-time | 2.12.7 | library | 📦 Maven Community Source: ecosystem |
Apache License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jitescript | 0.4.1 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| asm-all | 5.0.1 | library | 📦 OW2 Consortium Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| backport9 | 1.13 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jruby-stdlib | 9.4.8.0 | library | 📦 JRuby Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-data-jpa | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-jdbc | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| HikariCP | 6.3.3 | library | 🏭 Zaxxer | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-jdbc | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-tx | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| hibernate-core | 6.6.29.Final | library | 🏭 Red Hat | LGPL-2.1 | 0 | 0.0 | No CVEs | None |
| jakarta.persistence-api | 3.1.0 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jakarta.transaction-api | 2.0.1 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jboss-logging | 3.5.0.Final | library | 🏭 Red Hat | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| hibernate-commons-annotations | 7.0.3.Final | library | 🏭 Red Hat | LGPL-2.1 | 0 | 0.0 | No CVEs | None |
| jandex | 3.2.0 | library | 🏭 SmallRye | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| byte-buddy | 1.15.11 | library | 🏭 Byte Buddy | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jakarta.xml.bind-api | 4.0.0 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jakarta.activation-api | 2.1.0 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jaxb-runtime | 4.0.2 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jakarta.inject-api | 2.0.1 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| antlr4-runtime | 4.13.0 | library | 🏭 ANTLR | BSD-3-Clause | 0 | 0.0 | No CVEs | None |
| spring-data-jpa | 3.5.4 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-data-commons | 3.5.4 | library | 📦 Maven Community Source: ecosystem |
Unknown | 0 | 0.0 | No CVEs | None |
| jakarta.annotation-api | 2.0.0 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| spring-aspects | 6.2.11 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| aspectjweaver | 1.9.22.1 | library | 🏭 Eclipse Foundation | EPL-1.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-security | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-security-config | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-security-core | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-security-crypto | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-security-web | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-starter-thymeleaf | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| thymeleaf-spring6 | 3.1.3.RELEASE | library | 📦 Thymeleaf Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| thymeleaf | 3.1.2.RELEASE | library | 📦 Thymeleaf Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| ognl | 3.3.4 | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| javassist | 3.29.0-GA | library | 📦 Maven Community Source: ecosystem |
MPL 1.1 MAVEN |
0 | 0.0 | No CVEs | None |
| attoparser | 2.0.7.RELEASE | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| unbescape | 1.1.6.RELEASE | library | 📦 Maven Community Source: ecosystem |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| spring-boot-starter-oauth2-client | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-security-oauth2-client | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-security-oauth2-core | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| oauth2-oidc-sdk | 9.43.6 | library | 📦 Connect2id Source: maven_group |
Apache License, version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jcip-annotations | 1.0-1 | library | 📦 Maven Community Source: ecosystem |
Apache License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| content-type | 2.2 | library | 📦 Connect2id Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| json-smart | 2.5.2 | library | 📦 Uriel Chemouni Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| accessors-smart | 2.5.2 | library | 📦 Uriel Chemouni Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| asm | 9.7.1 | library | 📦 OW2 Consortium Source: maven_group |
BSD-3-Clause MAVEN |
0 | 0.0 | No CVEs | None |
| lang-tag | 1.7 | library | 📦 Connect2id Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| spring-security-oauth2-jose | 6.5.5 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| nimbus-jose-jwt | 9.37.4 | library | 📦 Connect2id Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| thymeleaf-extras-springsecurity6 | 3.1.3.RELEASE | library | 📦 Thymeleaf Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| thymeleaf-spring6 | 3.1.2.RELEASE | library | 📦 Thymeleaf Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| jakarta.servlet-api | 6.0.0 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| hsqldb | 2.7.3 | library | 📦 HSQLDB Group Source: maven_group |
HSQLDB License, a BSD open source license MAVEN |
0 | 0.0 | No CVEs | None |
| jsoup | 1.19.1 | library | 📦 jsoup Source: maven_group |
The MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| zxcvbn | 1.9.0 | library | 📦 Nulab Source: maven_group |
MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| xmlpull | 1.1.3.1 | library | 📦 Maven Community Source: ecosystem |
Public Domain MAVEN |
0 | 0.0 | No CVEs | None |
| xpp3_min | 1.1.4c | library | 📦 Maven Community Source: ecosystem |
Indiana University Extreme! Lab Software License, vesion 1.1.1 MAVEN |
0 | 0.0 | No CVEs | None |
| junit | 3.8.1 | library | 📦 Maven Community Source: ecosystem |
Common Public License Version 1.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jmock | 1.0.1 | library | 📦 Maven Community Source: ecosystem |
MIT NPM |
0 | 0.0 | No CVEs | None |
| cglib-nodep | 3.3.0 | library | 📦 CGLIB Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| xml-resolver | 1.2 | library | 📦 Apache Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| jjwt | 0.9.1 | library | 📦 JJWT Project Source: maven_group |
Apache License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jackson-annotations | 2.9.0 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jwks-rsa | 0.23.0 | library | 📦 Auth0 Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| jackson-databind | 2.15.0 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-annotations | 2.15.0 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| guava | 32.1.2-jre | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| failureaccess | 1.0.1 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| listenablefuture | 9999.0-empty-to-avoid-conflict-with-guava | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| jsr305 | 3.0.2 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| checker-qual | 3.33.0 | library | 📦 Maven Community Source: ecosystem |
The MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| error_prone_annotations | 2.18.0 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| j2objc-annotations | 2.8 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| java-jwt | 4.5.0 | library | 📦 Auth0 Source: maven_group |
The MIT License (MIT) MAVEN |
0 | 0.0 | No CVEs | None |
| jackson-core | 2.15.4 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-databind | 2.15.4 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jackson-annotations | 2.15.4 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| guava | 33.5.0-jre | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| failureaccess | 1.0.3 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| jspecify | 1.0.0 | library | 📦 Maven Community Source: ecosystem |
The Apache License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| error_prone_annotations | 2.41.0 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| j2objc-annotations | 3.1 | library | Apache-2.0 | 0 | 0.0 | No CVEs | None | |
| commons-io | 2.20.0 | library | 📦 Apache Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| commons-text | 1.14.0 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| commons-lang3 | 3.18.0 | library | 🏭 Apache | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| slf4j-api | 1.7.21 | library | 🏭 QOS.ch | MIT | 0 | 0.0 | No CVEs | None |
| bootstrap | 5.3.5 | library | 📦 WebJars Source: maven_group |
Apache License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| jquery | 3.7.1 | library | 📦 WebJars Source: maven_group |
MIT License MAVEN |
0 | 0.0 | No CVEs | None |
| webjars-locator-core | 0.59 | library | 📦 WebJars Source: maven_group |
MIT MAVEN |
0 | 0.0 | No CVEs | None |
| slf4j-api | 2.0.13 | library | 🏭 QOS.ch | MIT | 0 | 0.0 | No CVEs | None |
| classgraph | 4.8.173 | library | 📦 ClassGraph Source: maven_group |
The MIT License (MIT) MAVEN |
0 | 0.0 | No CVEs | None |
| jackson-core | 2.17.1 | library | 🏭 FasterXML | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| jakarta.xml.bind-api | 4.0.2 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jakarta.activation-api | 2.1.3 | library | 🏭 Eclipse Foundation | EPL-2.0 | 0 | 0.0 | No CVEs | None |
| jaxb-impl | UNKNOWN | library | 📦 Oracle Source: maven_group |
Unknown | 0 | 0.0 | No CVEs | None |
| wiremock-standalone | 3.13.1 | library | 📦 WireMock Source: maven_group |
The Apache Software License, Version 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
| spring-boot-properties-migrator | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| spring-boot-configuration-metadata | 3.5.6 | library | 🏭 VMware | Apache-2.0 | 0 | 0.0 | No CVEs | None |
| android-json | 0.0.20131108.vaadin1 | library | 📦 Maven Community Source: ecosystem |
Apache License 2.0 MAVEN |
0 | 0.0 | No CVEs | None |
Report Generation Details
Technical Details
Generated: 2026-03-18 18:13:02
Source File: 1goat.json
Enhancement: Not enhanced
Vulnerability Database
CISA KEV Integration: Active Exploitation Detection
Processing: Local Database (Fast)
Coverage: Standard
FDA/NTIA Compliance
📋 Supplier Field Coverage: 197/197 components (100.0%)
FDA requires supplier identification for medical device SBOM submissions
FDA requires supplier identification for medical device SBOM submissions
🏥 VEX - Vulnerability Exploitability Assessment
FDA Compliance: Patient harm assessment and mitigation timelines documented per FDA Section 524B(b)(1)
109
Total Vulnerabilities Assessed
84
Affected (Require Action)
25
Not Affected (Risk Accepted)
Sample VEX Assessments (First 10):
CVE-2021-39144 ⚠️ AFFECTED
HIGH PRIORITY: xstream is actively exploited in the wild (CISA KEV). Severity: HIGH (CVSS 8.5). Update recommended within 48 hours.
Patient Harm: High
Mitigation Target: 2026-04-17
CVE-2020-26217 ⚠️ AFFECTED
Runtime component xstream has HIGH vulnerability (CVSS 8). Schedule update in next maintenance cycle.
Patient Harm: Medium
Mitigation Target: 2026-06-16
CVE-2021-29505 ⚠️ AFFECTED
Runtime component xstream has HIGH vulnerability (CVSS 7.5). Schedule update in next maintenance cycle.
Patient Harm: Medium
Mitigation Target: 2026-06-16
CVE-2021-39141 ⚠️ AFFECTED
Runtime component xstream has HIGH vulnerability (CVSS 8.5). Schedule update in next maintenance cycle.
Patient Harm: Medium
Mitigation Target: 2026-06-16
CVE-2020-9548 ⚠️ AFFECTED
Runtime component jackson-databind has CRITICAL vulnerability (CVSS 9.8). Requires security review and update planning.
Patient Harm: High
Mitigation Target: 2026-04-17
CVE-2020-26258 ✅ NOT AFFECTED
MEDIUM severity vulnerability in xstream (CVSS 6.3). Risk accepted for current use case. Monitor for updates.
Patient Harm: Low
Controls:
• Attack Surface Reduction: Network isolation and access controls limit exposure
• Runtime Monitoring: Continuous monitoring for anomalous behavior
CVE-2020-26259 ✅ NOT AFFECTED
MEDIUM severity vulnerability in xstream (CVSS 6.8). Risk accepted for current use case. Monitor for updates.
Patient Harm: Low
Controls:
• Attack Surface Reduction: Network isolation and access controls limit exposure
• Runtime Monitoring: Continuous monitoring for anomalous behavior
CVE-2020-11113 ⚠️ AFFECTED
Runtime component jackson-databind has HIGH vulnerability (CVSS 8.8). Schedule update in next maintenance cycle.
Patient Harm: Medium
Mitigation Target: 2026-06-16
CVE-2021-39152 ⚠️ AFFECTED
Runtime component xstream has HIGH vulnerability (CVSS 8.5). Schedule update in next maintenance cycle.
Patient Harm: Medium
Mitigation Target: 2026-06-16
CVE-2021-21351 ✅ NOT AFFECTED
MEDIUM severity vulnerability in xstream (CVSS 5.4). Risk accepted for current use case. Monitor for updates.
Patient Harm: Low
Controls:
• Attack Surface Reduction: Network isolation and access controls limit exposure
• Runtime Monitoring: Continuous monitoring for anomalous behavior
Complete VEX document: 1goat_VEX.json
ESL SBOMator
Professional SBOM Solution
Engineering Software Lab
Security & Compliance Tools