Update dependency io.buji:buji-pac4j to v9 (main) #247
Security Report
❗️Scan Incomplete: The scan completed with partial failure. The integration encountered issues with one or more projects in this repository, preventing their scan. The errors occurred in the following package managers: gradle,sbt,php. Consequently, there may be gaps in the coverage of open-source dependencies used in the repository.
Scan Details Report
gradle
/tmp/ws-scm/comms-router/test/demo-helper/play-helper/build.gradle
| Step | Level | Description | Details |
|---|---|---|---|
| Preparing the project for scan | ⚠Warn | One or more of the installations failed | failed running mend init script (mendDeps): NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED FAILURE: Build failed with an exception. * Where: Build file '/tmp/ws-scm/comms-router/test/demo-helper/play-helper/build.gradle' line: 2 * What went wrong: Plugin [id: 'play'] was not found in any o... |
https://vonagecc.jfrog.io/artifactory
| Step | Level | Description | Details |
|---|---|---|---|
| Checking registry connectivity | ⚠Warn | Problem occurred while connecting to the private registry host server, private registry returned 401 - Unauthorized | {"errors":[{"code":"UNAUTHORIZED","message":"Invalid token, parse"}]} |
https://vonagecc.jfrog.io/artifactory/maven
| Step | Level | Description | Details |
|---|---|---|---|
| Checking registry connectivity | ⚠Warn | Problem occurred while connecting to the private registry host server, private registry returned 401 - Unauthorized | {"errors":[{"code":"UNAUTHORIZED","message":"Invalid token, parse"}]} |
❌ New vulnerabilities:
| Vulnerability | Severity | Exploit Maturity | EPSS | Vulnerable Library | Direct Library | Suggested Fix | Issue | Reachability |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5598 (Path to dependency file: /web/pom.xml; Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.82/bcprov-jdk18on-1.82.jar; Dependency Hierarchy: -> buji-pac4j-9.1.1.jar (Root Library) -> shiro-web-2.1.0.jar -> shiro-core-2.1.0.jar -> shiro-crypto-hash-2.1.0.jar -> ❌ bcprov-jdk18on-1.82.jar (Vulnerable Library)) | 10.0 | Not Defined | 0.022% | Transitive bcprov-jdk18on-1.82.jar | buji-pac4j-9.1.1.jar | Transitive 1.84 | None | |
| CVE-2023-25581 (Path to dependency file: /web/pom.xml; Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.3.1/pac4j-core-2.3.1.jar; Dependency Hierarchy: -> buji-pac4j-9.1.1.jar (Root Library) -> pac4j-javaee-6.4.1.jar -> ❌ pac4j-core-2.3.1.jar (Vulnerable Library)) | 9.8 | Not Defined | 19.032% | Transitive pac4j-core-2.3.1.jar | buji-pac4j-9.1.1.jar | Transitive org.pac4j:pac4j-core:4.0.0 | None | |
| CVE-2025-14813 (Path to dependency file: /web/pom.xml; Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.82/bcprov-jdk18on-1.82.jar; Dependency Hierarchy: -> buji-pac4j-9.1.1.jar (Root Library) -> shiro-web-2.1.0.jar -> shiro-core-2.1.0.jar -> shiro-crypto-hash-2.1.0.jar -> ❌ bcprov-jdk18on-1.82.jar (Vulnerable Library)) | 9.0 | Not Defined | 0.004% | Transitive bcprov-jdk18on-1.82.jar | buji-pac4j-9.1.1.jar | Transitive 1.84 | None | |
| CVE-2026-40458 (Path to dependency file: /web/pom.xml; Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.3.1/pac4j-core-2.3.1.jar; Dependency Hierarchy: -> buji-pac4j-9.1.1.jar (Root Library) -> pac4j-javaee-6.4.1.jar -> ❌ pac4j-core-2.3.1.jar (Vulnerable Library)) | 7.1 | Not Defined | 0.006% | Transitive pac4j-core-2.3.1.jar | buji-pac4j-9.1.1.jar | Transitive https://github.com/pac4j/pac4j.git - pac4j-parent-5.7.10,https://github.com/pac4j/pac4j.git - pac4j-parent-6.4.1 | None | |
| CVE-2026-0636 (Path to dependency file: /web/pom.xml; Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.82/bcprov-jdk18on-1.82.jar; Dependency Hierarchy: -> buji-pac4j-9.1.1.jar (Root Library) -> shiro-web-2.1.0.jar -> shiro-core-2.1.0.jar -> shiro-crypto-hash-2.1.0.jar -> ❌ bcprov-jdk18on-1.82.jar (Vulnerable Library)) | 5.3 | Not Defined | 0.022% | Transitive bcprov-jdk18on-1.82.jar | buji-pac4j-9.1.1.jar | Transitive 1.84 | None | |
✔️ Remediated vulnerabilities:
| Vulnerability | Vulnerable Library |
|---|---|
| CVE-2022-40664 | shiro-core-1.4.0.jar |
| CVE-2019-10086 | commons-beanutils-1.9.3.jar |
| CVE-2023-25581 | pac4j-core-2.2.1.jar |
| CVE-2019-12422 | shiro-crypto-cipher-1.4.0.jar |
| CVE-2020-1957 | shiro-core-1.4.0.jar |
| CVE-2023-34478 | shiro-core-1.4.0.jar |
| CVE-2026-23903 | shiro-web-1.4.0.jar |
| CVE-2019-12422 | shiro-core-1.4.0.jar |
| CVE-2023-46749 | shiro-core-1.4.0.jar |
| CVE-2026-23901 | shiro-core-1.4.0.jar |
| CVE-2020-11989 | shiro-web-1.4.0.jar |
| CVE-2014-0114 | commons-beanutils-1.9.3.jar |
| CVE-2020-17523 | shiro-web-1.4.0.jar |
| CVE-2020-11989 | shiro-core-1.4.0.jar |
| CVE-2023-34478 | shiro-web-1.4.0.jar |
| CVE-2023-46749 | shiro-web-1.4.0.jar |
| CVE-2022-40664 | shiro-web-1.4.0.jar |
| CVE-2020-17510 | shiro-web-1.4.0.jar |
| CVE-2021-41303 | shiro-core-1.4.0.jar |
| CVE-2020-13933 | shiro-core-1.4.0.jar |
| CVE-2020-1957 | shiro-web-1.4.0.jar |
| CVE-2026-40458 | pac4j-core-2.2.1.jar |
| CVE-2023-46750 | shiro-web-1.4.0.jar |
| CVE-2025-48734 | commons-beanutils-1.9.3.jar |
| CVE-2022-32532 | shiro-core-1.4.0.jar |
Base branch total remaining vulnerabilities: 197
Base branch commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Total libraries scanned: 239
Scan token: 19286fee048042e08e3df555e5a78d20