irsdl / IIS-ShortName-Scanner

latest version of scanners for IIS short filename (8.3) disclosure vulnerability

The scanner shows that we're vulnerable if rebuilt or run using any Java version other than 7 #28

Closed ait-maksymp closed 1 year ago

ait-maksymp commented 3 years ago

As Java 7 is getting harder to install on newer Linux distributions, I was forced to try the scanner with Java 8 and later. Even if I rebuild the jar file using a Java version other than 7 and then run the new jar file using a Java version other than 7, the scanner reports false positives. In fact, it looks like every possible pattern is found somehow when run with Java 8 (for example). I have filtering rules in AWS WAF in front of the actual IIS server which block any HTTP request with a tilde symbol in it, but somehow the scanner thinks it found the pattern. The list of "found" 8dot3 patterns would go way beyond the scrollback of my terminal. An example:

File: %$%%$%~3.Z
File: %$%$$~1.1W1
File: %$$S~2.4WZ
File: %S$%%~3.1
File: %$`~2.4Z1
Dir: %$%%$))~1
File: %$$%$~1.W4Z
File: %$$%$`~1.11
Dir: %$%%$%`~1
File: %$%%)~1.1W
Dir: %S$%%)~1W4
File: %$%%$)~3.7
File: %$`~2.4Z4
File: %S$%~2.7Z
Dir: %$%%$))~2
File: %$%%$)~1.Z
File: %$%%)~2.14
File: %$`~2.741

There are no files in wwwroot that would match these patterns, I am 100% sure of it.

The scanner works as expected when using Java 7: no vulnerabilities are found (I know that; I've applied all the recommendations for mitigation of this vulnerability). But my customer is using Java 8 and keeps telling me that I did a bad job because the scanner on his machine (using Java 8) shows that the server is still vulnerable.

Please advise. Thank you.

JeffreyShran commented 3 years ago

I'm not sure what you're expecting the developer to do here? It clearly says use only Java 6 or 7... so tell your client to use the correct version.

irsdl commented 1 year ago

I have released a new version that works with Java 17; give it a go.