[FP]: netty-tcnative-boringssl-static

[gmariotti]

Package URl

pkg:maven/io.netty/netty-tcnative-boringssl-static@2.0.48.Final

CPE

cpe:2.3:a:chromium:chromium:2.0.48:*:*:*:*:*:*:*
cpe:2.3:a:chromium_project:chromium:2.0.48:*:*:*:*:*:*:*

CVE

• CVE-2011-1797
• CVE-2015-1346
• CVE-2015-1205
• CVE-2017-7000

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

7.0.0

Description

As far as I understand from #4065, version 7.0.0 should contain already the fix for this case but it doesn't seem to be the case

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.0.0:check (default) on project ***REDACTED***: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
[ERROR] 
[ERROR] netty-tcnative-boringssl-static-2.0.48.Final-osx-x86_64.jar: CVE-2015-1346(7.5), CVE-2011-1797(9.3), CVE-2017-7000(8.8), CVE-2015-1205(7.5)
[ERROR] 
[ERROR] See the dependency-check report for more details.
[ERROR] -> [Help 1]

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.netty</groupId>
   <artifactId>netty-tcnative-boringssl-static</artifactId>
   <version>2.0.48.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4154
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-boringssl-static@.*$</packageUrl>
   <cpe>cpe:/a:chromium:chromium</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/1933595668

[hezhangjian]

@jeremylong I use version 7.0.4 trying to solve the FP, but it seems not work, could please take a look when you have time :)
Any help will be greatful.

<plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check-maven.version}</version>
            <configuration>
              <suppressionFiles>
                <suppressionFile>src/owasp-dependency-check-suppressions.xml</suppressionFile>
              </suppressionFiles>
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
              <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
              <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
              <pyDistributionAnalyzerEnabled>false</pyDistributionAnalyzerEnabled>
              <pyPackageAnalyzerEnabled>false</pyPackageAnalyzerEnabled>
              <pipAnalyzerEnabled>false</pipAnalyzerEnabled>
              <pipfileAnalyzerEnabled>false</pipfileAnalyzerEnabled>
              <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
              <msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
              <mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>
              <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
              <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>aggregate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>

[tisonkun]

It seems this issue reactive as https://github.com/apache/pulsar/runs/7942966298?check_suite_focus=true

CVE-2011-1797

Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project pulsar: 
Error:  
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
Error:  
Error:  netty-tcnative-boringssl-static-2.0.52.Final-osx-x86_64.jar: CVE-2011-1797(9.3)