
Addressing CVEs in 1.13.0

Posted: 10 Feb 2026, 19:52
by javaapp
There is concern expressed by a group that has scanned the openwebstart codebase for known CVEs. From looking at their reports it seems like the vulnerabilities are primarily in the tools/plugins used as part of the Maven build and not in the delivered artifacts of OWS (i.e. the jars that get deployed to end-user machines). Can you provide any statement regarding plans to address these CVEs and whether or not they impact current end-user machines?

I'm attempting to attach the reports here.

Thank you,
John
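
One way to carry out the check John describes (is a flagged library only part of the Maven build, or does it ship in the delivered jars?), as an added example that is not code from the OpenWebStart project or from the poster. It parses the text output of `mvn dependency:tree`, classifies each flagged coordinate by scope, and optionally confirms against the built jar by looking for the `META-INF/maven/<group>/<artifact>/pom.properties` files Maven embeds. The dependency tree, the findings, the CVE identifiers and the jar contents are constructed stand-ins, not real OWS findings:

```python
"""
Triage SCA findings against a Maven build: does a flagged library end up in the
delivered jars, or is it only used by the build (plugins, test/provided scope)?

Added example, not OpenWebStart or IcedTea-Web project code. SAMPLE_TREE,
SAMPLE_FINDINGS and the jar from build_sample_jar() are constructed input;
the CVE identifiers are placeholders, not real advisories.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# One dependency line of `mvn dependency:tree` (default text output):
#   [INFO] +- groupId:artifactId:type[:classifier]:version:scope [(optional)]
TREE_LINE = re.compile(
    r"^\[INFO\]\s+[|+\\ -]*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[a-z]+)"
    r"(?:\s+\(optional\))?\s*$"
)
SHIPPED_SCOPES = {"compile", "runtime"}          # land on the runtime classpath
SCOPE_RANK = {"compile": 0, "runtime": 1, "provided": 2, "system": 3, "test": 4}


@dataclass(frozen=True)
class Finding:
    cve: str        # placeholder id
    group: str
    artifact: str
    version: str

    @property
    def key(self):
        return (self.group, self.artifact, self.version)


def parse_tree(tree_text):
    """Map (group, artifact, version) -> strongest scope seen in the tree.
    Multi-module trees list a library once per module; keep the strongest."""
    deps = {}
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # root line, plugin banner, build summary
        key, scope = (m["group"], m["artifact"], m["version"]), m["scope"]
        if key not in deps or SCOPE_RANK.get(scope, 99) < SCOPE_RANK.get(deps[key], 99):
            deps[key] = scope
    return deps


def shipped_libraries(jar):
    """(group, artifact, version) for each Maven pom.properties embedded in a
    built jar (path or raw bytes). Works for shaded jars if META-INF/maven
    was not stripped; a thin jar embeds only its own module."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    found = set()
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for raw in zf.read(name).decode("utf-8").splitlines():
                    if "=" in raw and not raw.startswith("#"):
                        k, v = raw.split("=", 1)
                        props[k.strip()] = v.strip()
                found.add((props.get("groupId"), props.get("artifactId"), props.get("version")))
    return found


def triage(findings, tree_text, jar=None):
    """Return {cve: verdict}: 'shipped', 'not-shipped' (test/provided only),
    'compile-scope-not-in-jar' (verify packaging), or 'not-a-dependency'
    (absent from the tree: a plugin, a plugin dependency or another version;
    check `mvn dependency:resolve-plugins` before closing it)."""
    deps = parse_tree(tree_text)
    in_jar = shipped_libraries(jar) if jar is not None else None
    verdicts = {}
    for f in findings:
        scope = deps.get(f.key)
        if scope is None:
            verdicts[f.cve] = "not-a-dependency"
        elif scope not in SHIPPED_SCOPES:
            verdicts[f.cve] = "not-shipped"
        elif in_jar is None or f.key in in_jar:
            verdicts[f.cve] = "shipped"
        else:
            verdicts[f.cve] = "compile-scope-not-in-jar"
    return verdicts


def build_sample_jar(libraries):
    """Constructed stand-in for a shaded deliverable: a zip holding only the
    pom.properties entries Maven embeds for each bundled library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for group, artifact, version in libraries:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()


# Constructed sample tree and findings (fictitious coordinates and CVE ids).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ sample-app ---
[INFO] com.example:sample-app:jar:1.13.0
[INFO] +- com.example.lib:json-parser:jar:2.4.1:compile
[INFO] |  \\- com.example.lib:json-core:jar:2.4.1:compile
[INFO] +- com.example.lib:http-client:jar:5.1.0:runtime
[INFO] +- com.example.lib:servlet-api:jar:4.0.1:provided
[INFO] \\- com.example.test:unit-runner:jar:1.9.0:test
"""
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "com.example.lib", "json-core", "2.4.1"),           # transitive compile
    Finding("CVE-0000-0002", "com.example.lib", "http-client", "5.1.0"),         # runtime
    Finding("CVE-0000-0003", "com.example.test", "unit-runner", "1.9.0"),        # test only
    Finding("CVE-0000-0004", "com.example.build", "shade-helper-plugin", "1.2"), # build plugin
    Finding("CVE-0000-0005", "com.example.lib", "servlet-api", "4.0.1"),         # provided
]

if __name__ == "__main__":
    jar = build_sample_jar([("com.example.lib", "json-parser", "2.4.1"),
                            ("com.example.lib", "json-core", "2.4.1"),
                            ("com.example.lib", "http-client", "5.1.0")])
    for cve, verdict in triage(SAMPLE_FINDINGS, SAMPLE_TREE, jar).items():
        print(cve, verdict)
```

On a real project, capture `mvn dependency:tree` into a file, feed it the coordinates the scanner reports, and pass the shaded or bundled deliverable for the jar check; a plain per-module jar only embeds its own pom.properties, which is why a compile-scoped hit that is missing from the archive is reported separately rather than dismissed.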

Re: Addressing CVEs in 1.13.0

Posted: 11 Feb 2026, 09:04
by Janak Mulani
Sure we can provide a statement.

Can you please tell me:

Which company do you belong to?
Which company/group is interested in the vulnerability report?
Which tool was used to produce the report? Is the tool available on GitHub?
Was the tool run from within GitHub on the codebase on GitHub?
Was the tool run on the codebase of both icedtea-web and openwebstart on GitHub?

Thanks

Re: Addressing CVEs in 1.13.0

Posted: 16 Feb 2026, 10:50
by Janak Mulani
Hi John,

Can you please tell me which SAST tool was used, so that I can also check for myself, do the fixes and verify them by running the tool again?

Thanks

Re: Addressing CVEs in 1.13.0

Posted: 08 Apr 2026, 21:27
by TechGuy47
@Janak - I have similar concerns to John's above. Based on my own experience, these seem to be consistent with the results I see for OpenWebStart using Snyk as the SAST tool. Would you still be willing to verify and fix the findings, as offered above? Would love to have these issues resolved!

Thanks in Advance!

Re: Addressing CVEs in 1.13.0

Posted: 09 Apr 2026, 07:35
by Janak Mulani
Thanks for suggesting Snyk. We will verify and fix.

Re: Addressing CVEs in 1.13.0

Posted: 28 Apr 2026, 14:36
by TechGuy47
@Janak - Thank you for the response above. Has there been any progress in resolving these issues? Is there an ETA for the resolutions to be deployed?

Re: Addressing CVEs in 1.13.0

Posted: 28 Apr 2026, 19:01
by Janak Mulani
We will include this in the next release, scheduled for the end of May.

Re: Addressing CVEs in 1.13.0

Posted: 29 Apr 2026, 14:41
by Janak Mulani
TechGuy47 wrote: 08 Apr 2026, 21:27 @Janak - I have similar concerns to John's above. Based on my own experience, these seem to be consistent with the results I see for OpenWebStart using Snyk as the SAST tool. Would you still be willing to verify and fix the findings, as offered above? Would love to have these issues resolved!

Thanks in Advance!

@TechGuy47 I tried Snyk and ran it on the source code for OWS and ITW, but I did not get the same report as mentioned above. Do you get the same reports as mentioned above in ows_cve_report_1.png, ows_cve_report_2.png and ows_cve_report_3.png? If yes, then how did you run Snyk, i.e. with what command-line options? Is it necessary to have the licensed version of Snyk to get reports like the ones mentioned above?

Re: Addressing CVEs in 1.13.0

Posted: 01 May 2026, 14:36
by Janak Mulani
I was able to run snyk test locally on the OWS and ITW codebases and it has generated reports. Will try to fix the vulnerabilities.