org.mortbay.jasper:apache-jsp / apache-el version numbering scheme?

[guusdk]

A partial dependency tree for a project that includes Jetty 12.0.22 shows these transient dependencies:

[INFO] +- org.eclipse.jetty.ee8:jetty-ee8-apache-jsp:jar:12.0.22:compile
[INFO] |  \- org.mortbay.jasper:apache-jsp:jar:9.0.105:compile
[INFO] |     +- org.eclipse.jdt:ecj:jar:3.33.0:compile
[INFO] |     \- org.mortbay.jasper:apache-el:jar:9.0.105:compile
...
[INFO] +- org.eclipse.jetty.ee8:jetty-ee8-apache-jsp:jar:12.0.22:compile
[INFO] |  \- org.mortbay.jasper:apache-jsp:jar:9.0.105:compile
[INFO] |     +- org.eclipse.jdt:ecj:jar:3.33.0:compile
[INFO] |     \- org.mortbay.jasper:apache-el:jar:9.0.105:compile

Can you please explain if / how the version numbering of the org.mortbay.jasper:apache-el and org.mortbay.jasper:apache-jsp artifacts relate to the version numbering of Jetty itself?

Am I right to assume that there is no correlation?

The background of my question: a security scanner is generating alerts for Jetty 12.0.22, because of these two artifacts. I'm confident that these are false alerts, but I am wondering why the security scanner is raising these alerts. The only correlation that I can find is that the version numbers of those artifacts (9.0.105) correspond with versions of Jetty for which CVEs are generated. I wonder if the scanner is bluntly identifying every artifact that has jetty or mortbay anywhere in the artifactId or groupId as being the Jetty project.

The 'evidence' as presented by the vulnerability scanner.

All of the 'evidence' that's stated in the report points at CVEs that are raised against very old versions of Jetty, which all seem to be valid for Jetty 9.0.15.

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
apache-el-9.0.105.jar	cpe:2.3:a:eclipse:jetty:9.0.105:*:*:*:*:*:*:* cpe:2.3:a:jetty:jetty:9.0.105:*:*:*:*:*:*:* cpe:2.3:a:mortbay:jetty:9.0.105:*:*:*:*:*:*:* cpe:2.3:a:mortbay_jetty:jetty:9.0.105:*:*:*:*:*:*:*		CRITICAL*	17	Low	25
apache-jsp-9.0.105.jar	cpe:2.3:a:apache:tomcat:9.0.105:*:*:*:*:*:*:*	pkg:maven/org.mortbay.jasper/[email protected]	HIGH	3	Low	35

• CVE-2017-7657
• CVE-2017-7658
• CVE-2017-7656
• CVE-2017-9735
• CVE-2021-28165
• CVE-2022-2048
• CVE-2023-44487
• CVE-2020-27216
• CVE-2018-12536
• CVE-2021-28169
• CVE-2023-26048
• CVE-2023-26049
• CVE-2023-40167
• CVE-2024-6763
• CVE-2021-34428
• CVE-2023-36479
• CVE-2022-2047
• CVE-2025-49124
• CVE-2025-48988
• CVE-2025-49125

[olamy]

org.mortbay.jasper:apache-el and org.mortbay.jasper:apache-jsp are repackaging of Apache Tomcat jars.
The version is the corresponding version of the Apache Tomcat jars.
There is nothing related to Jetty version itself, it is totally separated.
You can find the corresponding changelog on Apache Tomcat project https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
I can cut a release based on 9.0.107 version.

[olamy]

FYI 9.0.107 has been released.

[olamy]

see #13354

[guusdk]

Thanks Olivier! As these artifacts (and their numbering) isn't related to Jetty at all, I believe it can be left at that.

As an aside: I don't expect that the new versions that you released will make this particular security scanner happy. Any version number of those artifacts that resembles an old Jetty version numbers would likely trigger the alert. Somehow, this scanner believes that org.martbay.jasper:apache-el:9.0.x is 'proof' that Jetty of the same version number is being used. As you already confirmed: that's simply false.

[olamy]

At least this will avoid having org.mortbay.jasper:apache-jsp:jar:9.0.105 (which has a recent CVE) in the dependency tree but now org.mortbay.jasper:apache-jsp:jar:9.0.107

[guusdk]

What CVE do you mean? Can you provide a link?

[olamy]

Just check the Apache Tomcat changelog I have provided above and the fixes for 9.0.107.
My first thought was you were asking because of this :)

[guusdk]

Ah, that is CVE-2025-49125. That CVE is also listed as 'evidence' by the scanner. Would that CVE also affect org.mortbay.jasper:apache-jsp:jar:9.0.105? I'm not sure what part of tomcat is repackaged by that artifact?

[olamy]

oh right reading this link GHSA-wc4r-xq3c-5cf3 we are fine apache-jsp and apache-el are not concerned