[BUILD-1096] Dismiss false positive about grpc-context Created: 20/Jun/23  Updated: 28/Jun/23  Resolved: 21/Jun/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: BOM 5.7.27, BOM 6.2.35
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Team: Foundation
Work Started:
Approved:
Yes

Description

[ERROR] grpc-context-1.53.0.jar: CVE-2023-32731(7.5)

https://nvd.nist.gov/vuln/detail/CVE-2023-32731

magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: grpc-context-1.27.2.jar (cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-2023-32732

https://nvd.nist.gov/vuln/detail/CVE-2023-32732

This looks like a false positive, as the issue actually concerns the C-based gRPC library. Magnolia pulls in grpc-context, which is part of the Java flavour of gRPC and is not affected.
See https://github.com/grpc/grpc/releases/tag/v1.53.1

The library comes in transitively via google-http-client:jar -> opencensus-api, both at their latest version at the time of writing.

[INFO] |  +- info.magnolia:magnolia-module-mail:jar:5.6:compile
[INFO] |  |  +- com.google.http-client:google-http-client:jar:1.43.2:compile
[INFO] |  |  |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  |  |  |  \- io.grpc:grpc-context:jar:1.53.0:compile
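The following is an added example, not part of the ticket, of how a finding like this is dismissed in a way that can be reviewed later. It assumes the scan lines above come from OWASP dependency-check (the ticket does not name the scanner; the `[ERROR] ... CVE-...(7.5)` and `cpe:2.3:a:grpc:grpc` output is consistent with it). The suppression is deliberately scoped to the one Maven artifact and the two CVEs rather than to the `grpc:grpc` CPE as a whole, so that a genuine future advisory against grpc-context, or a real grpc C-core dependency entering the tree, would still be reported:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the ticket): OWASP dependency-check suppression file.
     Assumption: the scanner that produced the [ERROR] lines is dependency-check.
     Scope is the narrowest that dismisses this finding: one packageUrl, two CVEs. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-1096: CVE-2023-32731 and CVE-2023-32732 concern the C-based gRPC core
      (fixed in grpc 1.53.1, see the v1.53.1 release notes). io.grpc:grpc-context is
      the Java implementation, pulled in via google-http-client -> opencensus-api,
      and is not affected. The match via cpe:2.3:a:grpc:grpc:* is a false positive.
    ]]></notes>
    <!-- Match on the Maven Package URL (any version) rather than on the CPE, so the
         rule cannot silently cover other artifacts that also map to grpc:grpc. -->
    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-context@.*$</packageUrl>
    <cve>CVE-2023-32731</cve>
    <cve>CVE-2023-32732</cve>
  </suppress>
</suppressions>
```

Wire the file into the build through the `suppressionFile` configuration of the dependency-check Maven plugin (or the `--suppression` option of the CLI), and keep the `<notes>` block pointing at the ticket so the reasoning survives the next version bump; if grpc-context is ever upgraded to a build that includes the C core, the packageUrl scope means the suppression still only covers the artifact it was written for.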

Generated at Sun Feb 11 23:48:06 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.