^.*$ CVE-2018-1000840 ^.*$ CVE-2015-2808 ^.*$ CVE-2013-2566 ^.*$ CVE-2015-9097 ^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$ CVE-2011-5035 ^javax\.validation:validation-api:.*$ CVE-2013-4499 ^mysql:mysql-connector-java:.*$ .* Jetty is currently only used for developer experimentations ^org\.eclipse\.jetty:.*$ cpe:/a:org.eclipse.jetty: ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ CVE-2017-14867 ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ CVE-2015-7545 ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ CVE-2015-7082 ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ CVE-2010-2542 ^org\.mariadb\.jdbc:mariadb-java-client:.*$ cpe:/a:mariadb:mariadb ^org\.springframework\.ldap:spring-ldap-core:.*$ CVE-2014-6232 ^org\.apache\.tomcat:tomcat-annotations-api:.*$ CVE-2017-6056 ^org\.apache\.tomcat:tomcat-annotations-api:.*$ CVE-2016-6325 ^org\.apache\.tomcat:tomcat-annotations-api:.*$ CVE-2016-5425 ^org\.eclipse\.jetty\..*$ cpe:/a:mortbay_jetty:jetty ^org\.postgresql:postgresql:.*$ CVE-2017-8806 ^org\.postgresql:postgresql:.*$ CVE-2017-14798 Does not affect the postgres client ^org\.postgresql:postgresql:.*$ CVE-2018-1115 Does not affect the postgres client ^org\.postgresql:postgresql:.*$ CVE-2016-7048 This is for nodejs ^org\.mariadb\.jdbc:mariadb-java-client:.*$ CVE-2017-16046 ^stax.*$ CVE-2017-16224 ^javax\.xml\.stream:stax.*$ CVE-2017-16224 .*slf4j.* CVE-2018-8088 .*spring.* CVE-2018-1258 This is for an unrelated C library ^com\.sun\.xml\.bind\.external:relaxng-datatype:.* CVE-2018-18749 False positive for jflac-codec .*jflac-codec.* CVE-2018-14948 We do not enable default typing for jackson .*jackson-databind.* CVE-2019-12814 We do not use the liquibase sdk .*liquibase/sdk/.* 9.0 False positive for tomcat vuln in eclipse jetty/jasper compat lib ^org\.mortbay\.jasper:apache-jsp:.*$ CVE-2016-5425 False positive for tomcat vuln in eclipse jetty/jasper compat lib ^org\.mortbay\.jasper:apache-jsp:.*$ CVE-2017-6056 False positive for tomcat vuln in eclipse jetty/jasper compat lib ^org\.mortbay\.jasper:apache-jsp:.*$ CVE-2019-10072 This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib ^javax\.servlet:jstl:.*$ CVE-2015-0254 We do not enable default typing for jackson .*jackson-databind.* CVE-2019-14379 We do not enable default typing for jackson .*jackson-databind.* CVE-2019-14439