- SonarQube Version: 7.9.1 (build 27448)
- Error observed: Sonar reports a security vulnerability that javax.websocket.javax.websocket-api does not have. The vulnerability reported is:
Filename: javax.websocket-api-1.0.jar | Reference: CVE-2020-11050 | CVSS Score: 8.1 | Category: CWE-295 | In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0.
The vulnerability reported refers to org.java-websocket.Java-WebSocket.
See maven links for both libraries:
Note that javax.websocket.javax.websocket-api latest version is 1.1 and that only org.java-websocket.Java-WebSocket has version 1.5.
This can be reproduced by using the following dependency:

```xml
<dependency>
  <groupId>org.eclipse.jetty.aggregate</groupId>
  <artifactId>jetty-all</artifactId>
  <version>9.4.27.v20200227</version>
  <type>pom</type>
  <scope>test</scope>
</dependency>
```
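The mismatch described in this report (a CVE for org.java-websocket:Java-WebSocket attached to the javax.websocket-api jar) is the kind of thing a triage script can catch before a finding is accepted or suppressed. The following Python is an added example, not code from the original post or from SonarQube: it parses a finding line in the `Filename: ... | Reference: ...` format shown above, extracts the artifact and version from the jar name, and checks them against a small constructed table of affected coordinates (here only CVE-2020-11050, with the "less than or equal to 1.4.1" range stated in the finding text). The `classify` helper, the `AFFECTED` table and the sample finding strings are all assumptions made for the example.

```python
"""Triage helper: does a dependency-scan finding's CVE actually apply to the scanned jar?"""
import re

# Constructed table (assumption for this example): CVE -> affected Maven coordinates
# and the highest affected version, taken from the wording of the finding on the page.
AFFECTED = {
    "CVE-2020-11050": {
        "group": "org.java-websocket",
        "artifact": "Java-WebSocket",
        "max_affected": "1.4.1",  # "less than or equal to 1.4.1", patched in 1.5.0
    },
}

# Finding format as emitted in the report: "Filename: <jar> | Reference: <CVE> | ..."
FINDING_RE = re.compile(r"Filename:\s*(?P<file>\S+)\s*\|\s*Reference:\s*(?P<cve>CVE-\d{4}-\d+)")
# Maven-style jar name: <artifactId>-<version>.jar (artifactId itself may contain dashes)
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_finding(line):
    """Return file, cve, artifact and version parsed from one finding line, or None."""
    m = FINDING_RE.search(line)
    if not m:
        return None
    jar = JAR_RE.match(m.group("file"))
    if not jar:
        return None
    return {
        "file": m.group("file"),
        "cve": m.group("cve"),
        "artifact": jar.group("artifact"),
        "version": jar.group("version"),
    }


def version_tuple(v):
    """Numeric dotted version -> tuple for comparison (1.4.1 < 1.5.0, 1.10 > 1.9)."""
    return tuple(int(p) for p in v.split("."))


def classify(line, group_id):
    """Classify a finding for a jar whose Maven groupId is known from the build.

    Returns one of: 'unparsed', 'unknown cve', 'false positive: artifact mismatch',
    'not affected: version above range', 'applicable'.
    """
    finding = parse_finding(line)
    if finding is None:
        return "unparsed"
    rule = AFFECTED.get(finding["cve"])
    if rule is None:
        return "unknown cve"
    same_coords = (
        group_id.lower() == rule["group"].lower()
        and finding["artifact"].lower() == rule["artifact"].lower()
    )
    if not same_coords:
        # The CVE names a different library entirely: the jar cannot carry this bug.
        return "false positive: artifact mismatch"
    if version_tuple(finding["version"]) > version_tuple(rule["max_affected"]):
        return "not affected: version above range"
    return "applicable"


# Constructed sample input, copied in shape from the finding quoted in the report.
SAMPLE_FINDING = (
    "Filename: javax.websocket-api-1.0.jar | Reference: CVE-2020-11050 | CVSS Score: 8.1 "
    "| Category: CWE-295 | In Java-WebSocket less than or equal to 1.4.1, ..."
)

if __name__ == "__main__":
    print(classify(SAMPLE_FINDING, "javax.websocket"))
```

Because the jar filename carries no groupId, the caller supplies it from the build's own resolved coordinates; matching on artifactId alone would still confuse two artifacts that happen to share a name.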