[FP]: Many false positives in netty-tcnative-classes

[nhamer]

Package URl

pkg:maven/io.netty/[email protected]

CPE

cpe:2.3:a:netty:netty:2.0.62:*:*:*:*:*:*:*

CVE

CVE-2014-3488

ODC Integration

None

ODC Version

6.0.5

Description

There are a lot of false positives due to netty-tcnative-classes having a different version number than the rest of the library - 2.0.62Final is the current version, included in Netty 4.1.100Final

Example CVE https://nvd.nist.gov/vuln/detail/CVE-2014-3488

Has CPE:
{"vulnerable":true,"criteria":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","versionEndIncluding":"3.9.1.1","matchCriteriaId":"C25A1DCE-E327-4BB4-9689-FCFEC8D605EA"}

<suppress>
        <notes><![CDATA[
            False positive, many Netty CVEs which are fixed by or before Netty 4.1.100,
            but netty-tcnative-classes has a different version (2.0.62Final at the moment)
            which is caught by wildcards similar to:
            cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (including) 3.9.1.1
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
        <cve>CVE-2014-3488</cve>
        <cve>CVE-2015-2156</cve>
        <cve>CVE-2019-16869</cve>
        <cve>CVE-2019-20444</cve>
        <cve>CVE-2019-20445</cve>
        <cve>CVE-2021-21290</cve>
        <cve>CVE-2021-21295</cve>
        <cve>CVE-2021-21409</cve>
        <cve>CVE-2021-37136</cve>
        <cve>CVE-2021-37137</cve>
        <cve>CVE-2021-43797</cve>
        <cve>CVE-2022-24823</cve>
        <cve>CVE-2022-41881</cve>
        <cve>CVE-2023-34462</cve>
        <cve>CVE-2023-44487</cve>
    </suppress>

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.netty</groupId>
   <artifactId>netty-tcnative-classes</artifactId>
   <version>2.0.62.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6077
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6910231618

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.netty</groupId>
   <artifactId>netty-tcnative-classes</artifactId>
   <version>2.0.62.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6077
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6910234098

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.netty</groupId>
   <artifactId>netty-tcnative-classes</artifactId>
   <version>2.0.62.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6077
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-classes@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6910238234

[aikebah]

If you were to use up-to-date dependencyCheck you would have no false positive. Update your dependencyCheck to a current version before reporting a long-solved positive.

[karthickm512]

We use the latest 9.0.10 version of dependency checker and still see the above list of vulnerabilities in netty-tcnative while the io.netty is in 4.1.100.

[aikebah]

@karthickm512 then your way of invoking dependencycheck is likely unable to link them to the corresponding maven artifacts.

Filtering FPs by ODC is done using package URL, taking advantage of the hostedSuppressions file to distribute suppressions.