Describe the bug
Xray reports 9 Undertow CVEs against our project. However, io.undertow:undertow-core is NOT present in our delivery at all. The project uses Eclipse Jetty (9.4.58) as its HTTP server via Apache Karaf's Pax Web integration. There is no Undertow dependency, no AJP listener, and no XNIO anywhere in the dependency chain.
The scanner appears to be making a broad or incorrect component association.
CVEs incorrectly reported:
To Reproduce
Xray scan a Java application that uses Eclipse Jetty (not Undertow) as its HTTP server. Scanner reports Undertow CVEs despite the artifact not containing any Undertow dependencies.
Expected behavior
These CVEs should not be reported when io.undertow:undertow-core is not present in the scanned artifact's dependency tree. The project uses a completely different HTTP server (Jetty via Pax Web).
Versions
- Package: io.undertow:undertow-core — NOT PRESENT
- HTTP server actually used: org.eclipse.jetty:jetty-server:9.4.58 (via Pax Web 8.0.35)
- Container: Apache Karaf (OSGi)
Additional context
Verified via source code search: zero references to Undertow, XNIO, or AJP listener in the entire project. The scanner may be confusing artifact metadata or making overly broad vendor-level associations.
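As an added check that is not part of this report: a small script that parses `mvn dependency:tree` output and answers the question the scanner should be asking, namely whether the flagged coordinate (or anything from its groupId) actually resolved. The sample tree is constructed to mirror the setup above; the artifact and version strings in it are illustrative, not copied from the real build.

```python
import re
from typing import Dict

# One `mvn dependency:tree` line, e.g.
#   "[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.58:compile"
# Coordinates are groupId:artifactId:packaging[:classifier]:version:scope.
_COORD = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<p>[\w.\-]+)"
    r"(?::(?P<c>[\w.\-]+))?:(?P<v>[\w.\-]+):(?P<s>[a-z]+)\s*$"
)


def parse_dependency_tree(tree_text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for every resolved dependency line."""
    deps: Dict[str, str] = {}
    for line in tree_text.splitlines():
        m = _COORD.search(line)
        if m:
            deps[f"{m['g']}:{m['a']}"] = m["v"]
    return deps


def triage_finding(tree_text: str, flagged_ga: str) -> dict:
    """Check a scanner finding against the resolved tree.

    Reports whether the exact flagged artifact resolved, its version if so,
    and any other artifacts from the same groupId (a vendor-level
    association would show up there even when the exact artifact is absent).
    """
    deps = parse_dependency_tree(tree_text)
    group = flagged_ga.split(":", 1)[0]
    siblings = sorted(ga for ga in deps if ga.startswith(group + ":") and ga != flagged_ga)
    return {
        "flagged": flagged_ga,
        "present": flagged_ga in deps,
        "version": deps.get(flagged_ga),
        "same_group": siblings,
        "verdict": "confirmed" if flagged_ga in deps else "likely false positive",
    }


# Constructed sample output mirroring the reported setup (Jetty via Pax Web, no Undertow).
SAMPLE_TREE = """\
[INFO] com.example:karaf-app:bundle:1.0.0
[INFO] \\- org.ops4j.pax.web:pax-web-jetty:jar:8.0.35:compile
[INFO]    +- org.eclipse.jetty:jetty-server:jar:9.4.58:compile
[INFO]    |  \\- org.eclipse.jetty:jetty-http:jar:9.4.58:compile
[INFO]    \\- org.eclipse.jetty:jetty-servlet:jar:9.4.58:compile
"""

if __name__ == "__main__":
    print(triage_finding(SAMPLE_TREE, "io.undertow:undertow-core"))
```

Run it against the real `mvn dependency:tree` output saved to a file; an empty `same_group` list together with `present: False` is the evidence to attach when reporting the false positive.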