Advisory GHSA-q4h9-7rxj-7gx2 reports a Netty vulnerability against the Lettuce artifact. This is a false positive report.
The advisory asserts that the Lettuce package is vulnerable only because it expresses a dependency on a vulnerable version of Netty -- but Lettuce itself does not have this vulnerability: it does not actually package or shade the vulnerable Netty code. The Netty vulnerability already has its own CVE/advisory. This advisory incorrectly flags the usage of Lettuce even when a consuming project has otherwise overridden or excluded the actually-vulnerable Netty package.
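The distinction the report draws, between declaring a dependency on Netty and actually shipping Netty classes, can be checked on a jar directly. The following is an added example, not code from the advisory or from the Lettuce project; the jar contents, the `com.example` names and the sample POM are constructed, and the path-segment match is a heuristic that assumes a relocation keeps `io/netty/` somewhere in the class path.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the XML namespace that Maven POM files normally carry.
    return tag.rsplit("}", 1)[-1]

def inspect_jar(jar_bytes, group="io.netty"):
    """Report whether a jar only declares `group` as a dependency or also ships its classes."""
    segment = "/" + group.replace(".", "/") + "/"
    declared, bundled = set(), []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # Bundled or relocated classes keep the package path as a directory segment.
            if name.endswith(".class") and segment in "/" + name:
                bundled.append(name)
            # Embedded POMs list what the artifact merely depends on.
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                for el in ET.fromstring(jar.read(name)).iter():
                    if _local(el.tag) == "dependency":
                        fields = {_local(c.tag): (c.text or "").strip() for c in el}
                        if fields.get("groupId") == group:
                            declared.add(fields.get("artifactId", ""))
    return {"declares": sorted(declared), "bundles": sorted(bundled)}

def _make_jar(entries):
    # Build an in-memory jar so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample jars (not real artifacts): one declares Netty, one shades it.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>io.netty</groupId><artifactId>netty-handler</artifactId></dependency>
</dependencies></project>"""
DECLARES_ONLY = _make_jar({
    "com/example/client/Client.class": b"",
    "META-INF/maven/com.example/client/pom.xml": POM,
})
SHADED = _make_jar({
    "com/example/app/Main.class": b"",
    "com/example/shaded/io/netty/buffer/ByteBuf.class": b"",
})

if __name__ == "__main__":
    print(inspect_jar(DECLARES_ONLY))
    print(inspect_jar(SHADED))
```

A jar with an empty `bundles` list carries no Netty code of its own, so the Netty version in play is whatever the consuming build resolves. The standard-library XML parser is used here for brevity; for jars from untrusted sources a hardened parser such as `defusedxml` is the safer choice.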