[BUILD-1096] Dismiss false positive about grpc-context
Created: 20/Jun/23 | Updated: 28/Jun/23 | Resolved: 21/Jun/23

| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | BOM 5.7.27, BOM 6.2.35 |
| Fix Version/s: | None |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Federico Grilli |
| Assignee: | Federico Grilli |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Team: | |
| Work Started: | |
| Approved: | Yes |
Description

Scanner output:

    [ERROR] grpc-context-1.53.0.jar: CVE-2023-32731(7.5) https://nvd.nist.gov/vuln/detail/CVE-2023-32731
    magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: grpc-context-1.27.2.jar (cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-2023-32732 https://nvd.nist.gov/vuln/detail/CVE-2023-32732

This looks like a false positive, as the issue actually concerns the C-based gRPC library. Magnolia pulls in grpc-context, which is part of the Java flavour of gRPC and is not affected. The library comes in transitively via google-http-client:jar -> opencensus-api, both at their latest version at the time of writing:

    [INFO] | +- info.magnolia:magnolia-module-mail:jar:5.6:compile
    [INFO] | | +- com.google.http-client:google-http-client:jar:1.43.2:compile
    [INFO] | | | +- io.opencensus:opencensus-api:jar:0.31.1:compile
    [INFO] | | | | \- io.grpc:grpc-context:jar:1.53.0:compile
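The usual way to dismiss a match like this without silencing the scanner for other artifacts is a suppression rule scoped to the one package. The file below is an added example, not Magnolia's own suppression file or anything from this ticket; it assumes the scanner is OWASP Dependency-Check (the `[ERROR] file.jar: CVE-xxxx(score)` lines above are the form its Maven plugin prints), and the notes text is a placeholder written for this case.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not Magnolia's); assumes OWASP Dependency-Check. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        BUILD-1096: io.grpc:grpc-context is the Java gRPC context artifact.
        CVE-2023-32731 / CVE-2023-32732 were matched through the generic
        cpe:/a:grpc:grpc identifier, which describes the C-based gRPC library.
        Revisit this entry if grpc-java advisories ever appear under the same CPE.
        ]]></notes>
        <!-- Scope by package URL so only grpc-context is affected; any other
             artifact that also matches cpe:/a:grpc:grpc is still reported. -->
        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-context@.*$</packageUrl>
        <!-- Suppress the CPE match rather than the two CVE ids, so the next
             C-library CVE filed under this CPE does not reopen the same false positive. -->
        <cpe>cpe:/a:grpc:grpc</cpe>
    </suppress>
</suppressions>
```

With the Maven plugin, the file is referenced from the `dependency-check-maven` `<configuration>` via `<suppressionFiles><suppressionFile>path/to/file.xml</suppressionFile></suppressionFiles>`; the CLI takes the same file with `--suppression`. Suppressing the CPE is broader than suppressing the two CVE ids, which is why the rule is pinned to the `io.grpc/grpc-context` package URL: the trade-off is fewer recurring false positives against the need to re-check the rule if the identifier mapping for the Java library ever changes.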