[BUILD-1203] Dismiss CVE about gRPC 1.59.0 Created: 19/Dec/23 Updated: 20/Dec/23 Resolved: 20/Dec/23
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | BOM 6.2.41 |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Carlos Cantalapiedra | Assignee: | Federico Grilli |
| Resolution: | Not an issue | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Team: | |
| Work Started: | |
| Description |
grpc-api-1.59.0.jar; affects up to 1.59.2. Magnolia 6.2.41 uses grpc-api-1.59.0.

Dependency tree:

[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
Dev notes: The allegedly vulnerable library comes transitively via google-http-client, which is already at its latest stable version at the time of writing. This is a false positive: gRPC comes in different flavours, and the one affected is the Go language implementation, whereas Magnolia uses the Java implementation.
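The triage above rests on two checks: which dependency chain actually pulls grpc-api into the webapp, and whether the advisory names the Maven artifact at all rather than a same-named package in another ecosystem. The script below is an added example (it is not Magnolia's code and not part of this ticket) that parses the `mvn dependency:tree` text output quoted in the description, prints every chain leading to a given groupId:artifactId, and matches each node against advisory records written in the shape of an OSV entry (`affected[].package.{ecosystem,name}` plus `introduced`/`fixed` range events). The advisory identifiers, the Go advisory's fixed version, and the Maven record used for contrast are assumptions constructed for the example; the tree text is the one from the ticket, re-indented the way Maven prints it.

```python
"""Triage a scanner finding against a Maven dependency tree (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed input: the tree from the ticket, indented as `mvn dependency:tree` prints it.
TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
"""

# Constructed advisory records in the shape of OSV entries. Identifiers are hypothetical.
ADVISORIES = [
    {   # A Go advisory for the grpc module. Name and version range resemble the Java
        # artifact's, which is how a name-based scanner produces the ticket's false positive.
        # The fixed version is assumed for the example.
        "id": "EXAMPLE-GO-0001",
        "affected": [{"package": {"ecosystem": "Go", "name": "google.golang.org/grpc"},
                      "ranges": [{"type": "SEMVER",
                                  "events": [{"introduced": "1.59.0"}, {"fixed": "1.59.3"}]}]}],
    },
    {   # Contrast only: what a genuine Maven hit on io.grpc:grpc-api would look like.
        # No such advisory is claimed to exist.
        "id": "EXAMPLE-MAVEN-0001",
        "affected": [{"package": {"ecosystem": "Maven", "name": "io.grpc:grpc-api"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "1.59.0"}, {"fixed": "1.59.3"}]}]}],
    },
]


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    depth: int

    @property
    def name(self) -> str:  # OSV names Maven packages as "groupId:artifactId"
        return f"{self.group}:{self.artifact}"


_NODE = re.compile(r"^([|+\\\- ]*)([A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:\S+)$")


def parse_tree(text: str) -> Iterator[Dep]:
    """Yield every node of `mvn dependency:tree` output with its depth.

    Maven draws the tree in 3-character cells ('+- ', '\\- ', '|  ', '   '),
    so depth is the length of the drawing prefix divided by 3. Header and
    summary lines do not match the coordinate pattern and are skipped.
    """
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        m = _NODE.match(line)
        if not m:
            continue
        prefix, coords = m.groups()
        parts = coords.split(":")
        # g:a:type:version | g:a:type:version:scope | g:a:type:classifier:version:scope
        scope = parts[-1] if len(parts) >= 5 else None
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        yield Dep(parts[0], parts[1], version, scope, len(prefix) // 3)


def paths_to(text: str, name: str) -> list[list[Dep]]:
    """Every chain from the root down to an occurrence of groupId:artifactId `name`."""
    stack: list[Dep] = []
    hits: list[list[Dep]] = []
    for dep in parse_tree(text):
        stack = stack[:dep.depth] + [dep]
        if dep.name == name:
            hits.append(list(stack))
    return hits


def _vkey(v: str) -> tuple[int, ...]:
    # Numeric components only; enough for grpc-style x.y.z, qualifiers are ignored.
    return tuple(int(x) for x in re.findall(r"\d+", v))


def in_range(version: str, events: list[dict]) -> bool:
    """OSV range semantics: [introduced, fixed) pairs in order, open-ended without `fixed`."""
    v, lo = _vkey(version), None
    for ev in events:
        if "introduced" in ev:
            lo = _vkey(ev["introduced"])
        elif "fixed" in ev and lo is not None:
            if lo <= v < _vkey(ev["fixed"]):
                return True
            lo = None
    return lo is not None and v >= lo


def matches(dep: Dep, advisory: dict, ecosystem: str = "Maven") -> bool:
    """True only if the advisory names this package in this ecosystem and the version is in range."""
    for aff in advisory["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != dep.name:
            continue
        if any(in_range(dep.version, r["events"]) for r in aff.get("ranges", [])):
            return True
    return False


def triage(text: str, advisories: list[dict]) -> dict[str, list[str]]:
    """Map advisory id to the dependency chains it genuinely affects (ecosystem-aware)."""
    findings: dict[str, list[str]] = {}
    stack: list[Dep] = []
    for dep in parse_tree(text):
        stack = stack[:dep.depth] + [dep]
        for adv in advisories:
            if matches(dep, adv):
                chain = " -> ".join(f"{d.name}:{d.version}" for d in stack)
                findings.setdefault(adv["id"], []).append(chain)
    return findings


if __name__ == "__main__":
    for chain in paths_to(TREE, "io.grpc:grpc-api"):
        print(" -> ".join(f"{d.name}:{d.version}" for d in chain))
    print(triage(TREE, ADVISORIES))
```

Run against the ticket's tree, the Go record never matches because the ecosystem check fails before any version comparison, while the contrast Maven record matches grpc-api 1.59.0 through the google-http-client chain; that is the distinction the dev note draws, and the chain output shows that the only lever in the webapp itself would be google-http-client, which the note says is already current.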