[FP]: Multiple false positives against grpc-netty-shaded-1.62.2.jar

[sadeesh89]

Package URl

pkg:maven/io.grpc/grpc-netty-shaded@1.62.2

CPE

cpe:2.3:a:grpc:grpc:1.62.2:::::::*

CVE

CVE-2019-20444,CVE-2019-20445,CVE-2015-2156,CVE-2019-16869,CVE-2021-37136,CVE-2021-37137,CVE-2022-41881,CVE-2023-44487,CVE-2021-43797,CVE-2023-34462,CVE-2021-21295,CVE-2021-21409,CVE-2021-21290,CVE-2022-24823,CVE-2014-3488

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.3

Description

Hi Team,
grpc-netty-shaded-1.62.2.jar has dependency with netty as 4.1.100.Final, but the tool matches with identifiers as "netty:netty::::". Hence we concluded this CVEs are false positive in our case.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/16644967815

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/16645064448

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.grpc</groupId>
   <artifactId>grpc-netty-shaded</artifactId>
   <version>1.62.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7844
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.grpc/grpc-netty-shaded@.*$</packageUrl>
   <cpe>cpe:/a:grpc:grpc</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/16645129320

[chadlwilson]

The suggested suppression here is inappropriate, as since GRPC shades netty, if there are vulnerabilities in their netty version which affect GRPC, they would potentially be reported against GRPC itself, which this suppression would obscure.

What you probably want is to suppress for the netty CPE, not the grpc CPE as raised here. Please raise a new FP if the problem persists as there have been many other such issues for netty.