The latest DXA release (2.2.31) addresses the following dependencies:
- Xalan 2.7.2
- snakeyaml-1.20
- jettison-1.4.0
The exception is jstl-1.2, because no update is available for this dependency. An alternative would be to replace it with the latest Jakarta Servlet dependencies, but this would require updating Spring to version 6, which in turn requires updating to JDK 17.
Verified that CVE-2015-0254 is related to jstl-1.2, and can confirm that it does not apply to DXA, since DXA doesn't use the x:parse or x:transform JSTL tags.
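
One way to repeat that check on your own web application sources, as an added example (not DXA code): the script resolves whichever prefix a JSP binds to the JSTL XML tag library and reports every parse or transform tag. The taglib URIs are the standard JSTL ones; the sample JSP files and the `xm` prefix are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# URIs that bind the JSTL XML tag library (JSTL 1.0 and 1.1/1.2 forms).
XML_TAGLIB_URIS = {"http://java.sun.com/jsp/jstl/xml",
                   "http://java.sun.com/jstl/xml",
                   "http://java.sun.com/jstl/xml_rt"}
JSP_SUFFIXES = {".jsp", ".jspx", ".jspf", ".tag", ".tagx"}
DIRECTIVE = re.compile(r"<%@\s*taglib\b([^%]*)%>", re.I | re.S)
ATTR = re.compile(r"(\w+)\s*=\s*[\"']([^\"']*)[\"']")


def xml_prefixes(text):
    """Prefixes bound to the JSTL XML taglib in one file (not always 'x')."""
    decls = (dict(ATTR.findall(m.group(1))) for m in DIRECTIVE.finditer(text))
    return {d["prefix"] for d in decls
            if d.get("uri") in XML_TAGLIB_URIS and "prefix" in d}


def scan(root):
    """Return sorted (relative path, line, tag) for each parse/transform use."""
    files = {p: p.read_text(encoding="utf-8", errors="replace")
             for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in JSP_SUFFIXES}
    # Pool prefixes across files: a fragment pulled in with a static include
    # can declare the taglib for the page that actually uses the tag.
    prefixes = set().union(*(xml_prefixes(t) for t in files.values()))
    if not prefixes:
        return []
    tag_re = re.compile(r"<(?:%s):(parse|transform)\b"
                        % "|".join(map(re.escape, sorted(prefixes))))
    return sorted((p.relative_to(root).as_posix(), no, m.group(1))
                  for p, text in files.items()
                  for no, line in enumerate(text.splitlines(), 1)
                  for m in tag_re.finditer(line))


def demo():
    """Constructed sample tree: one clean page, one using a renamed prefix."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.jsp").write_text(
            '<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>\n'
            '<c:out value="${title}"/>\n')
        (root / "feed.jsp").write_text(
            '<%@ taglib uri="http://java.sun.com/jsp/jstl/xml" prefix="xm" %>\n'
            '<xm:parse xml="${param.doc}" var="doc"/>\n')
        return scan(root)
```

An empty result from `scan()` on the unpacked web application supports the "not applicable" assessment for the scanned files. JSP documents that bind the prefix through an `xmlns:` attribute and JSPs packaged inside JAR files are not covered and need a separate check.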