Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Commit

Permalink
Re-add suppression in for false positive CVE-2023-4586
Browse files Browse the repository at this point in the history
  • Loading branch information
siladu committed Oct 27, 2023
1 parent cea5614 commit 7283423
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 3 deletions.
2 changes: 1 addition & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ buildscript {
dependencies {
// custom license-reporter used by com.github.jk1.dependency-license-report plugin
classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
classpath 'org.owasp:dependency-check-gradle:8.4.0'
classpath 'org.owasp:dependency-check-gradle:8.4.2'
}
}

Expand Down
14 changes: 13 additions & 1 deletion gradle/owasp-suppression.xml
Original file line number Diff line number Diff line change
@@ -1,9 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
<suppress until="2023-12-16">
<suppress until="2024-01-16">
<notes><![CDATA[
Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
file name: netty-handler-4.1.100.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>
<suppress until="2024-01-16">
<notes><![CDATA[
Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
https://github.com/jeremylong/DependencyCheck/issues/5992
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
<vulnerabilityName>CVE-2023-36415</vulnerabilityName>
Expand Down
2 changes: 1 addition & 1 deletion gradle/versions.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ dependencyManagement {
entry 'protobuf-java'
entry 'protobuf-java-util'
}
dependencySet(group: 'io.grpc', version: '1.57.2') {
dependencySet(group: 'io.grpc', version: '1.59.0') {
entry 'grpc-api'
entry 'grpc-context'
entry 'grpc-core'
Expand Down

0 comments on commit 7283423

Please sign in to comment.