Virtually all CVEs reported against the Java Buildpack, or against applications built with it, are in dependencies that the buildpack bundles (the JVM, APM agents and similar), not in the buildpack's own code.
To help you track down such issues, the Cloud Foundry Java Buildpack publishes the security fixes and dependency patch versions included in each release; see Release Notes - Java Buildpack v4.48.
If a scanner reports a problem with the Java Buildpack or with an application built by it, check the scanner's details to see which files it believes are affected. Those paths will usually point at one of the dependencies the buildpack installed rather than at the buildpack itself.
You can then use the links on the release notes page to jump to the security notices for the affected component and confirm whether the version in your droplet is actually vulnerable and which buildpack release carries the fix.
Reference the following table for information on CVEs in Java Buildpack dependencies:

| Dependency | Vendor | Security Bulletin |
|---|---|---|
| AppDynamics | Cisco | Link |
| Apache SkyWalking | Apache | |
| Elastic APM | Elastic | Link |
| Introscope / Wily | SAP | Link |
| ProtectApp Security | Thales | |
| Tanzu GemFire | VMware | Link |
For vulnerabilities in other software such as the Spring Framework, you can view the details on known vulnerabilities for Tanzu products at Tanzu Security.
Notes
- The offline Java Buildpack bundles every dependency it is able to install. If you run a security scanner against the buildpack archive itself, it will report findings for all of those bundled dependencies, including ones your application never uses. A dependency that the buildpack does not install into your droplet is not present at runtime, so a finding against it does not affect you. VMware therefore does not recommend scanning the buildpack itself, because doing so produces a high rate of false positives. If you are going to scan, scan your applications and droplets; that limits the results to what is actually deployed.
- When scanning a droplet, a finding may also come from your own application code or from the libraries you packaged with it (for example, jars under WEB-INF/lib) rather than from anything the Java Buildpack installed. Inspect the scanner result to see exactly which file triggered it; that tells you whether the fix belongs in your application or in a buildpack dependency.
- If your scanner flags a buildpack dependency, first make sure you are on the latest version of the offline Java Buildpack. With the offline buildpack the dependencies are bundled inside the buildpack, so the only way to pick up updated dependencies with security fixes is to upgrade the buildpack. After upgrading, restage the application you are scanning: the new buildpack only runs, and only installs the updated dependencies, when the application is staged again, so a droplet that has not been restaged still contains the old versions.
Need More Help?
If you are still uncertain about a CVE flagged on the Java Buildpack or on an application built by it, collect the following:
- The full output from the security scanner, including the file paths it flagged.
- The version of the Java Buildpack being used (for example, as shown by cf app or cf buildpacks).
- The application manifest, plus any environment variables relevant to the buildpack (such as JBP_CONFIG_* settings). If you capture these with cf env, redact the credentials in VCAP_SERVICES before sharing the output.
- Information on the dependencies the application uses.
Attach these artifacts to a support case when requesting support for a CVE found in the Java Buildpack.
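The triage described in this page (map each path the scanner flags to either a buildpack-installed component or application code, then gather the artifacts a support case needs) as a shell script. This is an added example, not part of the Java Buildpack or its documentation. It assumes the droplet was downloaded with `cf download-droplet APP --path droplet.tgz` and listed with `tar tzf`, so its paths start with `./app/`; that the buildpack places everything it installs under `app/.java-buildpack/<component>/` and writes its own log to `app/.java-buildpack.log`; and that a cf CLI of v7 or later is logged in. The sample paths and the component directory names in them (`open_jdk_jre`, `app_dynamics_agent`) are constructed for the example.

```shell
#!/bin/sh
# Added example: triage scanner findings against a droplet built by the
# Cloud Foundry Java Buildpack and collect support-case artifacts.
# Not part of the Java Buildpack or its documentation.
#
# Assumptions (not stated on the page):
#   - the droplet came from `cf download-droplet APP --path droplet.tgz` and
#     was listed with `tar tzf`, so its paths start with ./app/, ./deps/ ...
#   - the buildpack installs every component it adds under
#     app/.java-buildpack/<component>/ and logs to app/.java-buildpack.log
#   - a scanner run inside the container reports /home/vcap/app/... paths

# classify_finding PATH
#   Prints one line:
#     buildpack-dependency <component>   installed by the Java Buildpack
#     application <relative path>        pushed with the application
#     droplet-metadata <path>            staging_info.yml, profile.d, deps ...
#   Returns 0 for a buildpack dependency and 1 otherwise, so it works in `if`.
classify_finding() {
    p=${1#./}                 # tar listings are prefixed with ./
    p=${p#/home/vcap/}        # in-container paths are /home/vcap/app/...
    case "$p" in
        app/.java-buildpack/*/*)
            rest=${p#app/.java-buildpack/}
            printf 'buildpack-dependency %s\n' "${rest%%/*}"
            return 0 ;;
        app/.java-buildpack.log|app/.java-buildpack|app/.java-buildpack/*)
            # the buildpack's own log, or a path too short to name a component
            printf 'buildpack-dependency java-buildpack\n'
            return 0 ;;
        app/*)
            printf 'application %s\n' "${p#app/}"
            return 1 ;;
        *)
            printf 'droplet-metadata %s\n' "$p"
            return 1 ;;
    esac
}

# affected_components < PATHS
#   Reads flagged paths, one per line, and prints the distinct buildpack
#   components they fall under, sorted. These are the names to look up on the
#   release notes page; application files are left out because a buildpack
#   upgrade cannot fix them.
affected_components() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        classify_finding "$path" || :   # non-zero just means "not a dependency"
    done | awk '$1 == "buildpack-dependency" { print $2 }' | sort -u
}

# collect_cve_artifacts APP OUTDIR
#   Gathers what the support case asks for, using only cf CLI commands
#   (cf CLI v7 or later is needed for download-droplet). Review cf-env.txt
#   before attaching it: `cf env` prints VCAP_SERVICES, which holds service
#   credentials.
collect_cve_artifacts() {
    app=$1
    out=$2
    mkdir -p "$out"
    cf app "$app" > "$out/cf-app.txt"      # buildpack name/version, droplet
    cf env "$app" > "$out/cf-env.txt"      # JBP_CONFIG_* and other settings
    cf download-droplet "$app" --path "$out/droplet.tgz"
    tar tzf "$out/droplet.tgz" > "$out/droplet-files.txt"
    # the buildpack log names every component and version it installed
    tar xzf "$out/droplet.tgz" -C "$out" ./app/.java-buildpack.log 2>/dev/null || :
}

# Constructed sample (not real scanner output): paths a scanner might flag.
SAMPLE_FINDINGS='./app/.java-buildpack/open_jdk_jre/lib/modules
./app/.java-buildpack/app_dynamics_agent/javaagent.jar
./app/WEB-INF/lib/spring-core-5.3.20.jar
/home/vcap/app/.java-buildpack/open_jdk_jre/bin/java
./staging_info.yml'

printf '%s\n' "$SAMPLE_FINDINGS" | while IFS= read -r f; do
    classify_finding "$f" || :
done
printf '\nComponents to check on the release notes page:\n'
printf '%s\n' "$SAMPLE_FINDINGS" | affected_components
```

Run the script as-is to see the classification of the constructed sample; to use it against a real application, source it and call `collect_cve_artifacts my-app ./case-artifacts`, then feed the flagged paths from your scanner report into `affected_components`. Anything it classifies as `application` is fixed by updating your own code or packaged libraries, not by a buildpack upgrade.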