CVE-2022-41881 in shaded netty in micrometer-registry-statsd #3571
Comments
CVE-2022-41881 is for the io.netty.codec:codec-haproxy module, which we do not shade in micrometer-registry-statsd. It looks like there is an issue with the dependency checker that it is considering ANY netty module vulnerable, when that is not the case. This is a false positive and should be fixed by the dependency checker to only flag things that contain the affected module. Let me know if I've missed something.
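One way to check the claim above directly is to list which netty packages a shaded jar actually bundles, so a finding can be confirmed or dismissed per module rather than per artifact. This is an added example, not Micrometer's or the scanner's code; the relocation prefix `io/micrometer/shaded/` and the module-to-package table are assumptions, and the sample jar is constructed in-line.

```python
import io
import zipfile

# Package prefix per netty module (assumption for this example; the haproxy
# codec classes live under io.netty.handler.codec.haproxy).
NETTY_MODULES = {
    "netty-codec-haproxy": "io/netty/handler/codec/haproxy/",
    "netty-codec": "io/netty/handler/codec/",
    "netty-handler": "io/netty/handler/",
    "netty-transport": "io/netty/channel/",
    "netty-buffer": "io/netty/buffer/",
}

def netty_modules_in_jar(jar_bytes, shade_prefix=""):
    """Count class files per netty module inside a (possibly shaded) jar.

    shade_prefix is the relocation prefix the build applied, e.g.
    "io/micrometer/shaded/" (an assumption about how the jar was shaded).
    Each class is attributed to the longest matching prefix, so a class under
    io/netty/handler/codec/haproxy/ counts for codec-haproxy only.
    """
    counts = {name: 0 for name in NETTY_MODULES}
    by_length = sorted(NETTY_MODULES.items(), key=lambda kv: -len(kv[1]))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            path = entry[len(shade_prefix):] if entry.startswith(shade_prefix) else entry
            for name, prefix in by_length:
                if path.startswith(prefix):
                    counts[name] += 1
                    break
    return counts

def affected_by_cve_2022_41881(jar_bytes, shade_prefix=""):
    """True only if the module the advisory actually covers is bundled."""
    return netty_modules_in_jar(jar_bytes, shade_prefix)["netty-codec-haproxy"] > 0

def build_sample_jar(entries):
    """Constructed stand-in for a shaded jar: empty class entries at the given paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path in entries:
            jar.writestr(path, b"")
    return buf.getvalue()

# Constructed sample: shades netty-codec, netty-handler and netty-transport, no codec-haproxy.
SAMPLE_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "io/micrometer/shaded/io/netty/handler/codec/ByteToMessageDecoder.class",
    "io/micrometer/shaded/io/netty/handler/ssl/SslHandler.class",
    "io/micrometer/shaded/io/netty/channel/Channel.class",
    "io/micrometer/statsd/StatsdMeterRegistry.class",
])

if __name__ == "__main__":
    print(netty_modules_in_jar(SAMPLE_JAR, "io/micrometer/shaded/"))
    print("affected:", affected_by_cve_2022_41881(SAMPLE_JAR, "io/micrometer/shaded/"))
```

To run it against a real artifact, pass the bytes of the downloaded jar instead of `SAMPLE_JAR` and adjust `shade_prefix` to whatever relocation the build used.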
@shakuzen: Thank you for your quick reply 🙇
Sorry for the noise / raising a false-positive.
No problem. I wonder where vulnerability scanners are sourcing their patterns of affected code. It would be nice if this could be made more precise going forward, since GitHub is publishing the more specific info. I'm not sure where is best to attack the problem.
I submitted an MR to address these false positives in the GitLab Advisory Database: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/21374
Describe the bug
According to owasp-dependency-check there is a new CVE in the shaded netty dependency.
Environment
To Reproduce
Run owasp-dependency-check on a project with micrometer as a dependency.
Expected behavior
No vulnerabilities found.
Additional context