[BUILD-1203] Dismiss CVE about gRPC 1.59.0 Created: 19/Dec/23  Updated: 20/Dec/23  Resolved: 20/Dec/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: BOM 6.2.41
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Carlos Cantalapiedra Assignee: Federico Grilli
Resolution: Not an issue Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
relation
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Team: Foundation
Work Started:

Description

grpc-api-1.59.0.jar and grpc-context-1.59.0.jar: CVE-2023-44487

Affects versions up to 1.59.2, and Magnolia 6.2.41 uses grpc-api-1.59.0.

Dependency tree:

[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime

Dev notes:

The allegedly vulnerable library comes transitively via google-http-client, which is already at its latest stable version at the time of writing.

This is a false positive: gRPC comes in different flavours and the one affected is the Go language implementation whereas Magnolia uses the Java implementation.
See also https://github.com/grpc/grpc-java/issues/10726#issuecomment-1845628563
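The triage done in the dev notes (tracing which direct dependency pulls in the flagged jar, and checking the version against the reported "affects up to" bound) can be scripted over the mvn dependency:tree output. The helper below is an added example, not part of this ticket or of Magnolia; the TREE sample is copied from the ticket, and the parser also handles the `+-` / `|` connectors that a wider tree prints.

```python
import re

# Constructed sample: the mvn dependency:tree output quoted in this ticket.
TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
""".strip("\n")

SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}
# Nesting guides ("|  " or "   ", 3 chars per level), connector ("+- " or "\- "), then coordinates.
LINE_RE = re.compile(r"^(?:\[INFO\] )?(?P<guides>(?:[| ]  )*)(?P<conn>[+\\]- )?(?P<coord>\S+)$")

def parse_coord(coord):
    """Split groupId:artifactId:type[:classifier]:version[:scope] into fields."""
    parts = coord.split(":")
    group, artifact, ptype, rest = parts[0], parts[1], parts[2], parts[3:]
    scope = rest.pop() if rest and rest[-1] in SCOPES else None
    version = rest[-1]
    classifier = rest[0] if len(rest) == 2 else None
    return {"group": group, "artifact": artifact, "type": ptype,
            "classifier": classifier, "version": version, "scope": scope}

def find_paths(tree, group, artifact):
    """Return every root-to-node path ending at group:artifact, as 'g:a:v' strings."""
    stack = []   # ancestors of the current node, one entry per depth
    paths = []
    for line in tree.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue   # banner/summary lines are not tree nodes
        depth = len(m["guides"]) // 3 + (1 if m["conn"] else 0)
        d = parse_coord(m["coord"])
        del stack[depth:]   # leaving the previous node's subtree
        stack.append(f'{d["group"]}:{d["artifact"]}:{d["version"]}')
        if d["group"] == group and d["artifact"] == artifact:
            paths.append(list(stack))
    return paths

def version_key(version):
    """Numeric-aware key so that '1.59.0' < '1.59.2' < '1.60.0'."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", version))

def within_affected_range(version, last_affected):
    """True if version is at or below the 'affects up to' bound from the report."""
    return version_key(version) <= version_key(last_affected)
```

`find_paths(TREE, "io.grpc", "grpc-api")` yields the single chain through google-http-client shown in the ticket, which is what tells you there is no direct dependency to bump.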


Generated at Sun Feb 11 23:49:06 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.