BUILD-1131

Suppress false positive about vulnerable gRPC transitive dependency


Details

    • Type: Task
    • Resolution: Done
    • Priority: Neutral
    • Fix version: BOM 6.2.38

    Description

      https://nvd.nist.gov/vuln/detail/CVE-2023-33953
      https://nvd.nist.gov/vuln/detail/CVE-2023-4785

      The issue actually concerns the C++ implementation of that library; the Java one is unaffected, see https://cloud.google.com/support/bulletins#gcp-2023-022


      The vulnerable gRPC dependency comes in transitively via google-http-client > opencensus, both of which are already at their latest versions at the time of writing – gRPC fixed the issue in version 1.54.3.
      Preferably, wait for the next google-http-client release to update its own dependencies:
      https://issuetracker.google.com/issues/296826431?pli=1

      [INFO] |  +- info.magnolia:magnolia-module-mail:jar:5.6.1-SNAPSHOT:compile
      [...]
      [INFO] |  |  +- com.google.http-client:google-http-client:jar:1.43.3:compile
      [INFO] |  |  |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
      [INFO] |  |  |  |  \- io.grpc:grpc-context:jar:1.54.1:compile
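      A suppression should record the exact chain that pulls the artifact in and the version it is waiting on, so the entry can be revisited once google-http-client moves past it. The script below is an added example, not code from the ticket or from Magnolia: it parses `mvn dependency:tree` output, rebuilds the parent chain from the indentation, and reports every `io.grpc` artifact together with whether its version is below the fix version 1.54.3. The sample tree is constructed from the lines quoted above plus a hypothetical second path (`org.example:other-module`) to show that already-fixed versions are reported as such; the `[...]` elision in the ticket's output would be skipped, which breaks chain continuity, so run it against the unabridged tree.

```python
"""Locate a flagged transitive artifact in `mvn dependency:tree` output and
report the path that pulls it in, plus whether the version is below the fix.
Added example; assumes the default text renderer of the Maven dependency plugin."""
import re
from dataclasses import dataclass

# Constructed sample: the ticket's chain (re-rooted at the mail module) plus a
# hypothetical second module that already carries a fixed gRPC version.
SAMPLE_TREE = """\
[INFO] +- info.magnolia:magnolia-module-mail:jar:5.6.1-SNAPSHOT:compile
[INFO] |  +- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO] |  |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  |  |  \\- io.grpc:grpc-context:jar:1.54.1:compile
[INFO] +- org.example:other-module:jar:2.0.0:compile
[INFO] |  \\- io.grpc:grpc-api:jar:1.56.0:compile
"""

# Each nesting level is three characters ("|  " or "   ") before "+-" / "\-".
LINE_RE = re.compile(r"^\[INFO\]\s(?P<prefix>(?:[| ]  )*)(?:\+-|\\-)\s(?P<gav>\S+)")


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    depth: int


def parse_tree(text):
    """Yield (dep, chain) pairs; chain is the list of Deps from the direct
    dependency down to dep, reconstructed from the indentation depth."""
    stack, out = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines, blank lines and "[...]" elisions
        depth = len(m.group("prefix")) // 3
        parts = m.group("gav").split(":")
        # g:a:packaging[:classifier]:version:scope -> version is second to last
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        dep = Dep(parts[0], parts[1], version, depth)
        stack = stack[:depth] + [dep]  # pop back to the parent, then push
        out.append((dep, list(stack)))
    return out


def version_key(v):
    """Comparable key for simple Maven versions; a qualified version such as
    1.54.3-SNAPSHOT sorts below the bare 1.54.3."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    while len(nums) < 3:
        nums += (0,)
    return nums + (0 if qualifier else 1,)


def find_flagged(text, group, fixed_in, artifact=None):
    """Return [(chain, version, below_fix)] for every artifact of `group`
    (optionally restricted to one artifactId) found in the tree."""
    hits = []
    for dep, chain in parse_tree(text):
        if dep.group != group or (artifact and dep.artifact != artifact):
            continue
        path = " > ".join(f"{d.group}:{d.artifact}:{d.version}" for d in chain)
        hits.append((path, dep.version, version_key(dep.version) < version_key(fixed_in)))
    return hits


if __name__ == "__main__":
    for path, version, below in find_flagged(SAMPLE_TREE, "io.grpc", "1.54.3"):
        status = "below fix 1.54.3, suppression needed" if below else "at or above fix"
        print(f"{path}\n    -> {version}: {status}")
```

      The chain string is what belongs in the suppression's note field, alongside the CVE ids and the upstream issue link, so the next person sees both why the finding is a false positive (Java artifact, C++ bug) and when the suppression can be dropped.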


            People

              fgrilli Federico Grilli
              Peter Florian
              Foundation