Score 10.0 from security scanner due to outdated jar file (Apache Struts End of Life (EOL) Detection)

Chris 4 years ago

Hi

I'm using OpenVAS for internal security scans.
I got a 10.0 score (high risk):

The "Apache Struts" version on the remote host has reached the end of life.

CPE:               cpe:/a:apache:struts:1.3.8
Installed version: 1.3.8
Location/URL:      /opt/traccar/lib/struts-core-1.3.8.jar
EOL version:       1
EOL date:          2013-04-05

Kind regards
Chris

Anton Tananaev 4 years ago

We don't use it directly, so it must be a transitive dependency. You can try to get the Gradle dependency graph and see which of our dependencies uses it.

Chris 4 years ago

OK, I'll try.
The file is inside the lib directory of the Traccar install directory.

Anton Tananaev 4 years ago

I understand that, but it doesn't mean it's a direct dependency. It is a transitive dependency, as I said.

Chris 4 years ago

To build a Gradle or Maven dependency graph I'll need the whole project...

I think it's easier if you check the dependency tree. I'm too weak in reverse engineering to get the dependencies out of your jar files.

Anton Tananaev 4 years ago

Looks like it's coming from the velocity-tools dependency.

+--- org.apache.velocity:velocity-tools:2.0
|    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    +--- commons-digester:commons-digester:1.8
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    \--- commons-logging:commons-logging:1.1 -> 1.2
|    +--- commons-chain:commons-chain:1.1
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    +--- commons-digester:commons-digester:1.6 -> 1.8 (*)
|    |    \--- commons-logging:commons-logging:1.0.3 -> 1.2
|    +--- commons-collections:commons-collections:3.2 -> 3.2.1
|    +--- commons-logging:commons-logging:1.1 -> 1.2
|    +--- commons-validator:commons-validator:1.3.1
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    +--- commons-digester:commons-digester:1.6 -> 1.8 (*)
|    |    \--- commons-logging:commons-logging:1.0.4 -> 1.2
|    +--- dom4j:dom4j:1.1
|    +--- oro:oro:2.0.8
|    +--- sslext:sslext:1.2-0
|    +--- org.apache.struts:struts-core:1.3.8
|    |    +--- antlr:antlr:2.7.2
|    |    +--- commons-beanutils:commons-beanutils:1.7.0 -> 1.9.2 (*)
|    |    +--- commons-chain:commons-chain:1.1 (*)
|    |    +--- commons-digester:commons-digester:1.8 (*)
|    |    +--- commons-logging:commons-logging:1.0.4 -> 1.2
|    |    +--- commons-validator:commons-validator:1.3.1 (*)
|    |    \--- oro:oro:2.0.8
|    +--- org.apache.struts:struts-taglib:1.3.8
|    |    \--- org.apache.struts:struts-core:1.3.8 (*)
|    +--- org.apache.struts:struts-tiles:1.3.8
|    |    \--- org.apache.struts:struts-core:1.3.8 (*)
|    \--- org.apache.velocity:velocity:1.6.2 -> 1.7 (*)
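Tracing a flagged jar back through a `gradle dependencies` tree by hand gets tedious; the following is an added example (not code from the thread or from Traccar) that parses an excerpt of the tree above and prints every chain from the root dependency down to `org.apache.struts:struts-core`, so the artifact to upgrade or exclude is explicit. The tree excerpt is trimmed to the lines relevant to struts-core; the helper names are my own.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the `gradle dependencies` tree posted above (trimmed for brevity).
GRADLE_TREE = """\
+--- org.apache.velocity:velocity-tools:2.0
|    +--- commons-validator:commons-validator:1.3.1
|    |    \\--- commons-logging:commons-logging:1.0.4 -> 1.2
|    +--- org.apache.struts:struts-core:1.3.8
|    |    +--- antlr:antlr:2.7.2
|    |    \\--- commons-validator:commons-validator:1.3.1 (*)
|    +--- org.apache.struts:struts-taglib:1.3.8
|    |    \\--- org.apache.struts:struts-core:1.3.8 (*)
|    +--- org.apache.struts:struts-tiles:1.3.8
|    |    \\--- org.apache.struts:struts-core:1.3.8 (*)
|    \\--- org.apache.velocity:velocity:1.6.2 -> 1.7 (*)
"""

# A tree line: 5-char indent cells, a connector, group:artifact:version,
# optional " -> resolved" (conflict resolution) and optional " (*)" (subtree shown earlier).
LINE_RE = re.compile(r"^((?:[| ]    )*)[+\\]--- (\S+?):(\S+?):(\S+?)(?: -> (\S+))?(?: \(\*\))?\s*$")

def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, group, artifact, resolved_version) for each dependency line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # configuration headers, blank lines, the "(*) - dependencies omitted" footer
        indent, group, artifact, declared, resolved = m.groups()
        nodes.append((len(indent) // 5, group, artifact, resolved or declared))
    return nodes

def paths_to(text: str, group: str, artifact: str) -> List[List[str]]:
    """Every root-to-node chain that ends in group:artifact (resolved versions)."""
    paths, stack = [], []
    for depth, g, a, version in parse_tree(text):
        del stack[depth:]  # moving to a shallower line drops the deeper ancestors
        stack.append(f"{g}:{a}:{version}")
        if (g, a) == (group, artifact):
            paths.append(list(stack))
    return paths

def resolved_versions(text: str) -> Dict[str, str]:
    """Final version Gradle selected for each group:artifact."""
    return {f"{g}:{a}": v for _, g, a, v in parse_tree(text)}

if __name__ == "__main__":
    for chain in paths_to(GRADLE_TREE, "org.apache.struts", "struts-core"):
        print(" -> ".join(chain))
```

Run against the full output of `gradle dependencies` the same parser also reports the post-conflict-resolution version of every artifact, which is what the scanner actually sees on disk.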