[FP]: CVE-2019-20444 on netty-core

[rpaasche]

Package URl

pkg:maven/io.projectreactor.netty/reactor-netty-core@1.2.9

CPE

cpe:2.3:a:netty:netty:1.2.9:::::::*

CVE

CVE-2019-20444

ODC Integration

{"label" => "Gradle Plugin"}

ODC Version

latest on dockerhub

Description

No response

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.projectreactor.netty</groupId>
   <artifactId>reactor-netty-core</artifactId>
   <version>1.2.9</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7891
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor-netty-core@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/17262039563

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.projectreactor.netty</groupId>
   <artifactId>reactor-netty-core</artifactId>
   <version>1.2.9</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7891
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor-netty-core@.*$</packageUrl>
   <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/17262063598

[marcelstoer]

Are you sure this is not a duplicate? I remember we've had many (closed) reports on this: https://github.com/dependency-check/DependencyCheck/issues?q=is%3Aissue%20state%3Aclosed%20CVE-2019-20444

[rpaasche]

At least it is not suppressed by the publishedSuppressions.xml downloaded around 20 mins ago.

[marcelstoer]

It is: https://github.com/dependency-check/DependencyCheck/blob/generatedSuppressions/generatedSuppressions.xml#L2388-L2394

Maybe you need to enable the Artifactory analyzer as I had to, see #7814.

[rpaasche]

This gives an error, since we do not have an artifactory:
[ERROR] There was an issue connecting to Artifactory . Disabling analyzer.

[rpaasche]

The debug build even includes:

hosted.suppressions.enabled='true'
hosted.suppressions.validforhours='2'
hosted.suppressions.url='https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml'

The file in the cache directory gets updated too, so I guess it is used.

[rpaasche]

@marcelstoer
Ok the weired thing is, there is no pkg-id in our report for this jar file:

But other have one:

Seems like a new Problem on all dependencies comming from the Spring gradle integration, ophhhh

[balone1988]

Same for us too; it looks like the checker is assuming com.azure:azure-core-http-netty:1.16.0 is actually Netty and thus prior to version 4.1.44.

With a simple upgrade from com.azure.azure-identity:1.16.2 to com.azure.azure-identity:1.17.0 we have just

Forgive my ignorance if I am misunderstanding something here... Hope this is helpful.

---

Identifier shows Netty 1.16.0 detected, which is actually the version of the Azure Core HTTP Netty library which uses Netty 4.1.123.Final:

Evidence correctly shows the Azure Core HTTP Netty library.

The 16x4 additional CVEs in this update:

[marcelstoer]

Same for us too

It's not, this issue is about reactor-netty-core being mistaken for netty (yours is about azure-core-http-netty). I guess you need to file a new FP issue from which a new suppression rule can be generated.

As I said earlier, my best guess is that this is a dup of #7814. If so, one would need to enable the Artifactory/Nexus/Central analyzer depending on which repository you use.

[balone1988]

@marcelstoer Thanks. Isn't the Central Analyzer enabled by default?