jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

False Positive on protoc-gen-grpc-kotlin #3920

Open peterfigure opened 2 years ago

peterfigure commented 2 years ago

https://mvnrepository.com/artifact/io.grpc/protoc-gen-grpc-kotlin/1.2.0

CPEs:

peterfigure commented 2 years ago

more details:

protoc-gen-grpc-kotlin-1.2.0-jdk7.jar (pkg:maven/io.grpc/protoc-gen-grpc-kotlin@1.2.0, cpe:2.3:a:grpc:grpc:1.2.0:*:*:*:*:*:*:*) : CVE-2017-8359, CVE-2017-9431, CVE-2020-7768

was able to squash with (please check, I'm new to this):

    <suppress base="true">
        <notes><![CDATA[
        FP per #3920
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.grpc/protoc-gen-grpc-kotlin.*$</packageUrl>
        <cpe>cpe:/a:grpc:grpc</cpe>
    </suppress>
Wayhayland commented 2 years ago

I'm seeing a similar false positive on library opentracing-grpc-0.2.3.jar - reported as cpe:2.3:a:grpc:grpc:0.2.3:*:*:*:*:*:*:*

<dependency>
  <groupId>io.opentracing.contrib</groupId>
  <artifactId>opentracing-grpc</artifactId>
  <version>0.2.3</version>
</dependency>

From brief testing it appears that anything with grpc in the jar name is matched.
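The following is an added triage helper, written for this page; it is not code from the OWASP dependency-check project or from either commenter. It takes the approach used in the thread (suppress the `grpc:grpc` CPE only for a specific package URL, via an anchored `packageUrl` regex) and turns it into something you can check: it reads a dependency-check JSON report, applies human-triaged "this CPE never applies to artifacts matching this purl regex" rules, emits the matching `<suppress>` entries, and lets you list exactly which package URLs a given regex would cover, so you can confirm the suppression does not also silence a real `io.grpc/grpc-core` finding. Assumptions, labelled in the code: the JSON report fields it reads (`dependencies[].packages[].id`, `.vulnerabilityIds[].id`, `.vulnerabilities[].name`) and the 1.3 suppression-schema namespace are what I expect from the tool; the sample report is constructed from the two artifacts named in the thread plus one real gRPC jar, and is not real tool output.

```python
"""Added triage helper for dependency-check CPE false positives (example
code, not part of the OWASP dependency-check project or of this thread).

Reads a dependency-check JSON report, applies human-triaged rules that say
"this CPE vendor:product never applies to artifacts matching this package
URL regex", and emits <suppress> entries keyed on that anchored regex, so
only the triaged artifacts are silenced and real gRPC artifacts keep their
findings.

Assumptions: the report fields used below (dependencies[].packages[].id,
.vulnerabilityIds[].id, .vulnerabilities[].name) and the 1.3 suppression
schema namespace are what I expect from the tool; SAMPLE_REPORT is
constructed, not real tool output.
"""
import json
import re
from xml.sax.saxutils import escape

# Constructed sample report: the two artifacts from the thread plus a real
# gRPC artifact that the rules below must leave alone.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "protoc-gen-grpc-kotlin-1.2.0-jdk7.jar",
     "packages": [{"id": "pkg:maven/io.grpc/protoc-gen-grpc-kotlin@1.2.0"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:grpc:grpc:1.2.0:*:*:*:*:*:*:*"}],
     "vulnerabilities": [{"name": "CVE-2017-8359"}, {"name": "CVE-2017-9431"},
                         {"name": "CVE-2020-7768"}]},
    {"fileName": "opentracing-grpc-0.2.3.jar",
     "packages": [{"id": "pkg:maven/io.opentracing.contrib/opentracing-grpc@0.2.3"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:grpc:grpc:0.2.3:*:*:*:*:*:*:*"}],
     "vulnerabilities": [{"name": "CVE-2017-8359"}]},
    {"fileName": "grpc-core-1.2.0.jar",
     "packages": [{"id": "pkg:maven/io.grpc/grpc-core@1.2.0"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:grpc:grpc:1.2.0:*:*:*:*:*:*:*"}],
     "vulnerabilities": [{"name": "CVE-2017-8359"}]},
]})

# Human-triaged rules: (vendor, product) -> anchored package URL regexes that
# should never be mapped to that CPE. Anchoring with ^...$ and escaping the
# dots keeps the result the same whether the tool does full or partial regex
# matching, and keeps "io.grpc/grpc-core" out of the first rule.
FP_RULES = {
    ("grpc", "grpc"): [
        r"^pkg:maven/io\.grpc/protoc-gen-grpc-kotlin@.*$",
        r"^pkg:maven/io\.opentracing\.contrib/opentracing-grpc@.*$",
    ],
}

_CPE23 = re.compile(r"^cpe:2\.3:[aho]:([^:]+):([^:]+):")


def cpe_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    m = _CPE23.match(cpe)
    if not m:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return m.group(1), m.group(2)


def matching_purls(pattern, purls):
    """Package URLs a suppression regex would cover (use this to check scope)."""
    return [p for p in purls if re.fullmatch(pattern, p)]


def find_false_positives(report_json, rules=FP_RULES):
    """Return {(pattern, vendor, product): sorted CVE names} for every
    dependency whose CPE and package URL are covered by a triage rule."""
    hits = {}
    for dep in json.loads(report_json)["dependencies"]:
        purls = [p["id"] for p in dep.get("packages", [])]
        cves = {v["name"] for v in dep.get("vulnerabilities", [])}
        for vid in dep.get("vulnerabilityIds", []):
            vendor, product = cpe_vendor_product(vid["id"])
            for pattern in rules.get((vendor, product), []):
                if matching_purls(pattern, purls):
                    hits.setdefault((pattern, vendor, product), set()).update(cves)
    return {k: sorted(v) for k, v in hits.items()}


def suppression_xml(hits, note):
    """Render the hits as a dependency-check suppression file (schema 1.3 assumed)."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
           'dependency-suppression.1.3.xsd">']
    for (pattern, vendor, product), cves in sorted(hits.items()):
        out += ['  <suppress>',
                f'    <notes><![CDATA[{note}; CVEs: {", ".join(cves)}]]></notes>',
                f'    <packageUrl regex="true">{escape(pattern)}</packageUrl>',
                f'    <cpe>cpe:/a:{escape(vendor)}:{escape(product)}</cpe>',
                '  </suppress>']
    out.append('</suppressions>')
    return "\n".join(out)


if __name__ == "__main__":
    print(suppression_xml(find_false_positives(SAMPLE_REPORT), "FP per #3920"))
```

Running the script prints a suppression file with one entry per triaged artifact; `grpc-core` stays unsuppressed because neither anchored regex matches it. Before committing a new rule, run `matching_purls` over every package URL in your real report and read the list it returns: that is the full set of artifacts the entry will silence for that CPE.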