Dependencycheck: False Positive on spring-boot-starter-reactor-netty-2.1.8.RELEASE.jar and reactor-netty-0.8.11.RELEASE.jar

Created on 1 Oct 2019 · 3 Comments · Source: jeremylong/DependencyCheck

We are now getting false positives on cpe:2.3:a:netty:netty:2.1.8:*:*:*:*:*:*:* and cpe:2.3:a:netty:netty:0.8.11:*:*:*:*:*:*:* that we weren't getting before.

spring-boot-starter-reactor-netty-2.1.8.RELEASE.jar (pkg:maven/org.springframework.boot/spring-boot-starter-reactor-netty@2.1.8.RELEASE, cpe:2.3:a:netty:netty:2.1.8:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
reactor-netty-0.8.11.RELEASE.jar (pkg:maven/io.projectreactor.netty/reactor-netty@0.8.11.RELEASE, cpe:2.3:a:netty:netty:0.8.11:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869

Example

False positive on library spring-boot-starter-reactor-netty-2.1.8.RELEASE.jar - reported as cpe:2.3:a:netty:netty:2.1.8:*:*:*:*:*:*:*
False positive on library reactor-netty-0.8.11.RELEASE.jar - reported as cpe:2.3:a:netty:netty:0.8.11:*:*:*:*:*:*:*

plugins {
    id 'java'
    id 'org.springframework.boot' version '2.1.8.RELEASE'
    id 'io.spring.dependency-management' version '1.0.8.RELEASE'
    id 'org.owasp.dependencycheck' version '5.2.2'
}
//...

// Bump Netty to address https://nvd.nist.gov/vuln/detail/CVE-2019-16869
ext['netty.version'] = '4.1.42.Final'

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-reactor-netty:2.1.8.RELEASE'
}

FP Report

All 3 comments

OK, I think it's to do with the 30 Sep CPE deprecation remaps in
https://nvd.nist.gov/vuln/detail/CVE-2014-3488#VulnChangeHistorySection
https://nvd.nist.gov/vuln/detail/CVE-2015-2156#VulnChangeHistorySection
https://nvd.nist.gov/vuln/detail/CVE-2019-16869#VulnChangeHistorySection

The previous FP suppressions baked into OWASP dependency check for netty_project need to be updated to netty I think; and may need to be expanded as perhaps more FPs will be incoming with the more generic names here :-(
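A project-level suppression file a team could ship until the corrected built-in rule is released, matching the two package URLs from the report against the remapped `netty:netty` CPE. This is an added example, not code from the thread or from the DependencyCheck project; the file name and the Gradle `suppressionFile` wiring are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- spring-boot-starter-reactor-netty is a Spring Boot starter, not the
         Netty project itself; the netty:netty CPE is a false match. -->
    <suppress>
        <notes><![CDATA[
        FP: starter POM mis-identified as netty:netty after the Sep 2019
        NVD CPE remap from netty_project:netty to netty:netty.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-reactor-netty@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>

    <!-- reactor-netty (io.projectreactor.netty) wraps Netty but is versioned
         independently (0.8.x), so Netty CVEs keyed on its version are FPs.
         The real Netty artifacts (io.netty:*) are intentionally NOT covered
         here and keep being scanned. -->
    <suppress>
        <notes><![CDATA[
        FP: reactor-netty mis-identified as netty:netty; Netty itself is
        pinned separately via netty.version.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor-netty@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>

</suppressions>
```

Wire it into the Gradle build shown above with `dependencyCheck { suppressionFile = 'dependency-check-suppressions.xml' }`; suppressing by `<cpe>` rather than by individual CVE keeps the rule valid if further Netty CVEs are published against the same CPE.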

Same happens with netty-reactive-streams-2.0.3.jar and async-http-client-netty-utils-2.10.3.jar.

For example, in async-http-client-netty-utils cpe:2.3:a:netty:netty:2.10.3:*:*:*:*:*:*:*; which triggers the false positive.

@chadlwilson thank you for identifying the issue with the suppression rule for netty. I have updated this and it will be included in the next release.
