peterfigure opened 2 years ago
More details:
protoc-gen-grpc-kotlin-1.2.0-jdk7.jar (pkg:maven/io.grpc/protoc-gen-grpc-kotlin@1.2.0, cpe:2.3:a:grpc:grpc:1.2.0:*:*:*:*:*:*:*) : CVE-2017-8359, CVE-2017-9431, CVE-2020-7768
Was able to squash with (please check, I'm new to this):

```xml
<suppress base="true">
  <notes><![CDATA[
  FP per #3920
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/io\.grpc/protoc-gen-grpc-kotlin.*$</packageUrl>
  <cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
```
I'm seeing a similar false positive on library opentracing-grpc-0.2.3.jar - reported as cpe:2.3:a:grpc:grpc:0.2.3:*:*:*:*:*:*:*

```xml
<dependency>
  <groupId>io.opentracing.contrib</groupId>
  <artifactId>opentracing-grpc</artifactId>
  <version>0.2.3</version>
</dependency>
```
From brief testing it appears that anything with grpc in the jar name is matched.
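The two findings in this thread are the same kind of false positive but carry different package URLs, so a single suppression keyed on `io.grpc/protoc-gen-grpc-kotlin` cannot cover both. The Python below is an added example written for this page, not dependency-check's own code: it is a simplified model of how a suppression rule is matched (full regex match on `packageUrl`, prefix match of the `<cpe>` value against the finding's CPE converted to 2.2 URI form, which is my understanding of the documented behaviour) and runs the posted rule over the two identifiers quoted in this thread plus a constructed `io.grpc/grpc-netty` finding to show the regex does not over-reach onto real gRPC runtime artifacts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed suppression file containing the rule posted earlier in this thread.
# The namespace URI is the dependency-check 1.3 suppression schema; the parser
# below ignores namespaces, so only the rule body matters.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[FP per #3920]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.grpc/protoc-gen-grpc-kotlin.*$</packageUrl>
    <cpe>cpe:/a:grpc:grpc</cpe>
  </suppress>
</suppressions>
"""

# Constructed findings in the shape dependency-check reports them: (package URL, CPE 2.3).
# The first two are the identifiers quoted in this thread; the third is a genuine
# io.grpc runtime artifact that a rule aimed at the kotlin plugin must NOT suppress.
FINDINGS = [
    ("pkg:maven/io.grpc/protoc-gen-grpc-kotlin@1.2.0",
     "cpe:2.3:a:grpc:grpc:1.2.0:*:*:*:*:*:*:*"),
    ("pkg:maven/io.opentracing.contrib/opentracing-grpc@0.2.3",
     "cpe:2.3:a:grpc:grpc:0.2.3:*:*:*:*:*:*:*"),
    ("pkg:maven/io.grpc/grpc-netty@1.2.0",
     "cpe:2.3:a:grpc:grpc:1.2.0:*:*:*:*:*:*:*"),
]


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def cpe23_to_22(cpe23: str) -> str:
    """Reduce a CPE 2.3 formatted string to the cpe:/part:vendor:product:version
    URI form that suppression <cpe> values are written in, dropping trailing wildcards."""
    parts = cpe23.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    fields = parts[2:]
    while fields and fields[-1] in ("*", "-"):
        fields.pop()
    return "cpe:/" + ":".join(fields)


def load_rules(xml_text: str) -> list[dict]:
    """Parse <suppress> entries into plain dicts: purl selector plus cpe/cve targets."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root:
        if _local(sup.tag) != "suppress":
            continue
        rule = {"purl": None, "purl_regex": False, "cpes": [], "cves": []}
        for child in sup:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "packageUrl":
                rule["purl"] = text
                rule["purl_regex"] = child.get("regex", "false").lower() == "true"
            elif name == "cpe":
                rule["cpes"].append(text)
            elif name == "cve":
                rule["cves"].append(text)
        rules.append(rule)
    return rules


def is_suppressed(rules: list[dict], purl: str, cpe23: str) -> bool:
    """Model of the matcher: a rule applies when its packageUrl selects the dependency
    (full regex match when regex="true", exact string otherwise) and at least one of
    its <cpe> values is a prefix of the finding's CPE in 2.2 form. Rules that only
    list <cve> targets are ignored here because these findings carry no CVE id; that
    is a simplification of the real matcher."""
    cpe22 = cpe23_to_22(cpe23)
    for rule in rules:
        if rule["purl"] is not None:
            if rule["purl_regex"]:
                if not re.fullmatch(rule["purl"], purl):
                    continue
            elif rule["purl"] != purl:
                continue
        if not rule["cpes"] or not any(cpe22.startswith(c) for c in rule["cpes"]):
            continue
        return True
    return False


def evaluate(xml_text: str, findings) -> list[bool]:
    """Return, for each (purl, cpe23) finding, whether some rule suppresses it."""
    rules = load_rules(xml_text)
    return [is_suppressed(rules, purl, cpe) for purl, cpe in findings]


if __name__ == "__main__":
    for (purl, cpe), hit in zip(FINDINGS, evaluate(SUPPRESSIONS_XML, FINDINGS)):
        print(f"{'SUPPRESSED' if hit else 'reported  '}  {purl}  ({cpe23_to_22(cpe)})")
```

Only the protoc-gen-grpc-kotlin finding is suppressed: the opentracing-grpc one needs its own `<suppress>` entry (its purl group is `io.opentracing.contrib`, which the posted regex never matches), and the grpc-netty case confirms the regex is scoped tightly enough not to hide real gRPC runtime findings.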
https://mvnrepository.com/artifact/io.grpc/protoc-gen-grpc-kotlin/1.2.0
CPEs: