Why is a vuln ID'd by OWASP Dependency-Check 4.4.0 if not really for that version?

Investigating Vulnerabilities in Mule Runtime 4.4.0

My mule application is built using Mule Runtime 4.4.0. In the pom.xml of the application, I have specified the mule-http-connector@1.7.3 dependency:


To check for any vulnerabilities, I am using the OWASP Dependency-Check plugin with the following command:

mvn org.owasp:dependency-check-maven:8.2.1:check

The dependency-check HTML report generated by this plugin shows mule-module-cors-kernel-1.1.2.jar as a vulnerable dependency which is a transitive dependency of mule-http-connector@1.7.3.

The following vulnerabilities were identified:

  • cpe:2.3🅰️mulesoft:api_gateway:1.1.2:::::::*
  • cpe:2.3🅰️mulesoft:mule_runtime:1.1.2:::::::*


I am not sure if these vulnerabilities apply to Mule Runtime 4.4.0. Is the report generated by the OWASP Dependency-Check tool a false positive? If the vulnerability is valid, what measures should be taken to fix it?

The report generated by the OWASP Dependency-Check tool is not a false positive. The vulnerabilities identified in the report are valid and should be addressed.

To fix the vulnerabilities, you have a few options:

  1. Upgrade the mule-http-connector dependency to a newer version that does not have the vulnerabilities. Check the available versions and their release notes to ensure that the vulnerabilities have been fixed in the newer versions.

  2. Reach out to the maintainers of the mule-http-connector dependency and inquire about their plans to address the vulnerabilities. They may have a patch or a recommended course of action.

  3. If the vulnerabilities are critical and cannot be easily fixed, consider finding an alternative library or connector that does not have the vulnerabilities and is compatible with Mule Runtime 4.4.0.

Remember to thoroughly test your application after making any changes to ensure that it functions correctly with the updated dependencies.