[FP]: Many false positives in netty-tcnative-classes #6077
Comments
Maven Coordinates:
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative-classes</artifactId>
  <version>2.0.62.Final</version>
</dependency>
Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6077
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
  <cpe>cpe:/a:netty:netty</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6910231618
Maven Coordinates:
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative-classes</artifactId>
  <version>2.0.62.Final</version>
</dependency>
Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6077
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
  <cpe>cpe:/a:netty:netty</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6910234098
Maven Coordinates:
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative-classes</artifactId>
  <version>2.0.62.Final</version>
</dependency>
Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6077
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
  <cpe>cpe:/a:netty:netty</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6910238234
If you were to use up-to-date dependencyCheck you would have no false positive. Update your dependencyCheck to a current version before reporting a long-solved positive.
We use the latest 9.0.10 version of dependency checker and still see the above list of vulnerabilities in netty-tcnative while the io.netty is in 4.1.100.
@karthickm512 then your way of invoking dependencycheck is likely unable to link them to the corresponding maven artifacts. Filtering FPs by ODC is done using package URL, taking advantage of the hostedSuppressions file to distribute suppressions.
Package URL
pkg:maven/io.netty/netty-tcnative-classes@2.0.62.Final
CPE
cpe:2.3:a:netty:netty:2.0.62:*:*:*:*:*:*:*
CVE
CVE-2014-3488
ODC Integration
None
ODC Version
6.0.5
Description
There are a lot of false positives due to netty-tcnative-classes having a different version number than the rest of the library - 2.0.62.Final is the current version, included in Netty 4.1.100.Final
Example CVE https://nvd.nist.gov/vuln/detail/CVE-2014-3488
Has CPE:
{"vulnerable":true,"criteria":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","versionEndIncluding":"3.9.1.1","matchCriteriaId":"C25A1DCE-E327-4BB4-9689-FCFEC8D605EA"}
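To make the mechanics of this report concrete, here is an added example (my own code, not DependencyCheck's) that models two things from the thread: the naive `versionEndIncluding` comparison under which tcnative's 2.0.62 falls below netty core's 3.9.1.1 and triggers the match, and the `packageUrl`/`cpe` pairing of the suppression rule above that filters the finding. The rule parsing and CPE prefix matching are simplified stand-ins for ODC's real logic (the suppression XML namespace is omitted), and the finding values are constructed from the ones quoted in this issue.

```python
import re
import xml.etree.ElementTree as ET

# Suppression rule copied from the thread (XML namespace omitted for brevity).
SUPPRESSION_XML = r"""<suppressions>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #6077 ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
</suppressions>"""

# Constructed finding built from the values reported in the issue.
FINDING_PURL = "pkg:maven/io.netty/netty-tcnative-classes@2.0.62.Final"
FINDING_CPE = "cpe:2.3:a:netty:netty:2.0.62:*:*:*:*:*:*:*"
NVD_VERSION_END_INCLUDING = "3.9.1.1"  # CVE-2014-3488 match criterion

def version_key(version):
    """Leading numeric components: '2.0.62.Final' -> (2, 0, 62)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def in_nvd_range(version, end_including):
    """versionEndIncluding test: 2.0.62 <= 3.9.1.1 holds, which is why tcnative is flagged."""
    return version_key(version) <= version_key(end_including)

def cpe_product(cpe):
    """vendor:product from a cpe:/a:... (2.2) or cpe:2.3:a:... string."""
    f = cpe.split(":")
    return f"{f[3]}:{f[4]}" if f[1] == "2.3" else f"{f[2]}:{f[3]}"

def load_suppressions(xml_text):
    """Each <suppress> becomes (compiled packageUrl regex, [vendor:product, ...])."""
    rules = []
    for sup in ET.fromstring(xml_text).iter("suppress"):
        purl = sup.find("packageUrl")
        pattern = purl.text.strip()
        if purl.get("regex") != "true":  # a plain packageUrl must match exactly
            pattern = "^" + re.escape(pattern) + "$"
        rules.append((re.compile(pattern), [cpe_product(c.text.strip()) for c in sup.findall("cpe")]))
    return rules

def is_suppressed(purl, cpe, rules):
    """Suppressed only when a rule's packageUrl and one of its <cpe> entries both match."""
    return any(rx.search(purl) and cpe_product(cpe) in cpes for rx, cpes in rules)
```

Because the rule is keyed on the package URL, a scan that cannot resolve the jar to its Maven coordinates (the point made by the maintainer above) never produces a matching purl and the hosted suppression does not apply.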