jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: CVE-2023-4586 and sonatype-2020-0026 reported in io.netty:netty-handler:4.1.109.Final #6677

Open SwapnaAnchuri opened 3 months ago

SwapnaAnchuri commented 3 months ago

Package URL

pkg:maven/io.netty/netty-handler@4.1.109.Final

CPE

cpe:2.3:a:netty:netty:4.1.109:*:*:*:*:*:*:*

CVE

CVE-2023-4586 and sonatype-2020-0026

ODC Integration

Gradle Plugin

ODC Version

8.4.0

Description

CVE-2023-4586 and sonatype-2020-0026 are reported in io.netty:netty-handler:4.1.109.Final. Official reports such as https://github.com/advisories/GHSA-57m8-f3v5-hm5m flag versions up to 4.1.99.Final, but it is still being reported in 4.1.109 also. Can one of the maintainers confirm whether 4.1.109.Final is vulnerable or not?

github-actions[bot] commented 3 months ago

Maven Coordinates

<dependency>
   <groupId>io.netty</groupId>
   <artifactId>netty-handler</artifactId>
   <version>4.1.109.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6677
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9158865238

github-actions[bot] commented 3 months ago

Maven Coordinates

<dependency>
   <groupId>io.netty</groupId>
   <artifactId>netty-handler</artifactId>
   <version>4.1.109.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6677
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9158999976

aikebah commented 3 months ago

We can neither confirm nor deny; DependencyCheck simply reports on the information retrieved from OSSIndex and NVD data. Our automated scan, however, did not surface the issues, so it appears the attribution to unrelated versions has in the meantime been fixed in the OSSINDEX API. I would expect that on the next cache expiry of the OSSINDEX cache entry your false positive would disappear.
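For a project that cannot wait for the OSS Index cache to expire, a suppression file can be scoped more tightly than the bot-generated rule above, which matches every netty-handler version and the whole netty CPE. The file below is an added example, not the bot's rule and not part of the DependencyCheck project; it suppresses only the two findings named in this issue, only for 4.1.109.Final, and carries a placeholder `until` date so the entry expires and is re-evaluated once the upstream data is corrected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the project's own rule). Scoped to the exact artifact version
     and the two identifiers from issue #6677, with an expiry so the suppression is
     revisited rather than silently hiding a future, genuine finding. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <!-- 2099-01-01Z is a placeholder; set a real review date for your project -->
   <suppress until="2099-01-01Z">
      <notes><![CDATA[
      False positive per jeremylong/DependencyCheck#6677: GHSA-57m8-f3v5-hm5m covers
      netty-handler up to 4.1.99.Final; 4.1.109.Final is outside the affected range.
      ]]></notes>
      <!-- pin the regex to the version instead of netty-handler@.* so an upgrade or
           downgrade of the dependency is evaluated afresh -->
      <packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@4\.1\.109\.Final$</packageUrl>
      <cve>CVE-2023-4586</cve>
   </suppress>
   <suppress until="2099-01-01Z">
      <notes><![CDATA[
      Same issue: the OSS Index identifier has no CVE id, so it is matched by
      vulnerabilityName rather than by cve.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@4\.1\.109\.Final$</packageUrl>
      <vulnerabilityName>sonatype-2020-0026</vulnerabilityName>
   </suppress>
</suppressions>
```

Once the OSSINDEX entry is corrected upstream, the expired entries can simply be deleted; until then the report still flags any other netty finding, which the CPE-wide rule would have hidden.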