Sonar confuses javax.websocket.javax.websocket-api with

  • SonarQube Version: 7.9.1 (build 27448)
  • Error observed: Sonar reports a security vulnerability that javax.websocket.javax.websocket-api does not have. The vulnerability reported is:
Filename: javax.websocket-api-1.0.jar | Reference: CVE-2020-11050 | CVSS Score: 8.1 | Category: CWE-295 | In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0.

The vulnerability reported refers to

See maven links for both libraries:


Note that javax.websocket.javax.websocket-api latest version is 1.1 and that only has version 1.5.

This can be reproduced by using the following dependency:

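    <dependency>
      <groupId>org.eclipse.jetty.aggregate</groupId>
      <artifactId>jetty-all</artifactId>
      <version>9.4.27.v20200227</version>
      <type>pom</type>
      <scope>test</scope>
    </dependency>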

Hello Xavier,
and welcome to the SonarSource community forum!

Just to make certain, are you describing a case where SonarQube is wrongly reporting a vulnerability on a third party library on a project you scanned?

If that is the case, it is worth mentioning that SonarSource does not do any SCA (Software Composition Analysis). There are 3rd-party plugins that aggregate the results of SCA tools in SonarQube, though.
Do you have such a plugin installed with your SonarQube?
You may want to report the false positive to the editor of the SCA analyzer tool then.


1 Like

Hello Sylvain,

Yes, I am describing a case where SonarQube is wrongly reporting a vulnerability on a third party library of a project.

I’ll check the 3rd-party plugins we use with the service maintainers and let you know.


Hello Sylvain,

The 3rd party plugin we are using is dependency-check.


Hello @Xavier_Baques,

As @Sylvain_Combe stated, we are not the maintainers of dependency-check, so I’m afraid we cannot help you further.

You should report this issue directly to them.


1 Like
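
Added example, not part of the original thread and not from the dependency-check or SonarSource maintainers: while the false positive is being reported upstream, a dependency-check suppression file can silence this one CVE for this one artifact. The package URL pattern is built from the Maven coordinates quoted in the first post; the file name `dependency-check-suppressions.xml` and how it is passed to the scanner (for example via the Maven plugin's `suppressionFiles` setting) are assumptions about the local setup.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2020-11050 is described as affecting Java-WebSocket <= 1.4.1.
      javax.websocket-api is a different library that was matched to it by mistake.
      Remove this entry once the analyzer no longer reports the match.
    ]]></notes>
    <!-- Scope the suppression to the misidentified artifact only, at any version -->
    <packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket-api@.*$</packageUrl>
    <!-- Suppress only this CVE, so any other finding on the jar is still reported -->
    <cve>CVE-2020-11050</cve>
  </suppress>
</suppressions>
```

Keeping the entry limited to a single package URL and a single CVE means a real Java-WebSocket dependency pulled in elsewhere in the build would still be flagged.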
