
Dismiss false positive about grpc-context


Details

    • Task
    • Resolution: Done
    • BOM 5.7.27, BOM 6.2.35

    Description

      [ERROR] grpc-context-1.53.0.jar: CVE-2023-32731(7.5)

      https://nvd.nist.gov/vuln/detail/CVE-2023-32731

      magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: grpc-context-1.27.2.jar (cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-2023-32732

      https://nvd.nist.gov/vuln/detail/CVE-2023-32732

      This looks like a false positive, as the issue actually concerns the C-based gRPC library. Magnolia pulls in grpc-context, which is part of the Java flavour of gRPC and is not affected.
      See https://github.com/grpc/grpc/releases/tag/v1.53.1

      The library comes in transitively via google-http-client:jar -> opencensus-api, both at their latest version at the moment of writing.

      [INFO] |  +- info.magnolia:magnolia-module-mail:jar:5.6:compile
      [INFO] |  |  +- com.google.http-client:google-http-client:jar:1.43.2:compile
      [INFO] |  |  |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
      [INFO] |  |  |  |  \- io.grpc:grpc-context:jar:1.53.0:compile
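      An added triage helper for findings of this shape (example code written for this note, not part of the ticket or of Magnolia's build; it assumes the scanner emits the two line formats quoted above and that the value in parentheses is a CPE 2.3 string): it parses each finding and marks the grpc:grpc to grpc-context mapping as a false positive only when the artifact, the CVE and the CPE all match the documented entry, so a new CVE reported against the same jar still surfaces for review.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: the two lines quoted in the ticket, plus a placeholder
# (CVE-0000-0000 is not a real id) that must not be suppressed.
SCANNER_OUTPUT = """\
[ERROR] grpc-context-1.53.0.jar: CVE-2023-32731(7.5)
magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: grpc-context-1.27.2.jar (cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-2023-32732
magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: grpc-context-1.27.2.jar (cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-0000-0000
"""
# Documented false positive from the ticket: Java artifact io.grpc:grpc-context
# mapped onto CPE vendor:product grpc:grpc, which is the C-based gRPC core.
KNOWN_FALSE_POSITIVES = [{
    "jar_prefix": "grpc-context-",
    "cpe_product": ("grpc", "grpc"),
    "cves": {"CVE-2023-32731", "CVE-2023-32732"},
    "reason": "CVE concerns the C-based gRPC core; grpc-context is the Java flavour",
}]

LINE_RE = re.compile(
    r"(?P<jar>[\w.-]+\.jar)"                # flagged artifact file name
    r"(?:\s+\((?P<cpe>cpe:2\.3:[^)]*)\))?"  # optional CPE 2.3 string the scanner matched
    r"\s*:\s*(?P<cve>CVE-\d{4}-\d{4,})"     # CVE id; a trailing "(7.5)" score is ignored
)

@dataclass
class Finding:
    jar: str
    cve: str
    cpe_product: Optional[tuple]  # (vendor, product) from the CPE, if the line has one
    verdict: str                  # "false-positive" or "review"
    reason: str

def parse_cpe(cpe: str) -> tuple:
    fields = cpe.split(":")       # cpe:2.3:part:vendor:product:version:...
    return (fields[3], fields[4])

def triage(line: str) -> Optional[Finding]:
    m = LINE_RE.search(line)
    if not m:
        return None               # not a finding line
    jar, cve, cpe = m.group("jar"), m.group("cve"), m.group("cpe")
    product = parse_cpe(cpe) if cpe else None
    for fp in KNOWN_FALSE_POSITIVES:
        # Suppress only when artifact, CVE and (if present) CPE all match the entry.
        if (jar.startswith(fp["jar_prefix"]) and cve in fp["cves"]
                and (product is None or product == fp["cpe_product"])):
            return Finding(jar, cve, product, "false-positive", fp["reason"])
    return Finding(jar, cve, product, "review", "no documented suppression")

def triage_report(text: str) -> list:
    return [f for f in (triage(ln) for ln in text.splitlines()) if f]
```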

      People

        fgrilli Federico Grilli