[BUILD-1131] Suppress false positive about vulnerable gRPC transitive dependency
Created: 18/Aug/23 | Updated: 01/Nov/23 | Resolved: 11/Sep/23 |
|
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | BOM 6.2.38 |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoR: |
Empty
|
| Visible to: |
Peter Florian
|
| Team: | |
| Work Started: | |
| Approved: |
Yes
|
| Description |
|
https://nvd.nist.gov/vuln/detail/CVE-2023-33953

The issue actually concerns the C++ implementations of that library, the Java one being unaffected: https://cloud.google.com/support/bulletins#gcp-2023-022

[INFO] |  +- info.magnolia:magnolia-module-mail:jar:5.6.1-SNAPSHOT:compile
[...]
[INFO] |  |  +- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO] |  |  |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  |  |  |  \- io.grpc:grpc-context:jar:1.54.1:compile
|