False alarms in scanners due to mismatch in Jdom maven version and Implementation-Version in MANIFEST.MF

[ramtech123]

We consume org.jdom:jdom2-2.0.6.1.jar. This version of the library is not vulnerable to CVE-2021-33813. (I went through the related issue #189).

The Implementation-Version value found in MANIFEST.MF file inside the 2.0.6.1 jar is 2.x-2021.11.08.17.25.

Due to the above mismatch in jar version and the implementation-version field inside MANIFEST.MF file, scanners are unable to determine right version of this jar and continue to flag it for the above CVE.

Expectation: The version should be consistent so as to avoid any such inconveniences.

[ar]

Just tried to build it with a little change in build.xml and confirmed that it would fix this problem. I'm afraid 2.0.6.1 is already released, so this would require a new build and push to maven central, perhaps using version 2.0.6.2.

-       <property name="version" value="2.x-${snapshot.time}"/>
+       <property name="version" value="2.0.6.1"/>

[ramtech123]

I understand 2.0.6.1 is already released and can't be modified. This submission was to get it corrected for future releases. Thanks.