False positive vulnerabilities on reactor-netty-core and reactor-netty-http
#1009
Comments
I have created a sample to test this. You can take a look and play with it here: https://github.com/cezapata/appconfiguration-sample
I have noticed two things that seem strange to me:
Any clarification or guidance on these issues would be greatly appreciated. In the meantime, I am peppering exclusions into grype as per cezapata/appconfiguration-sample#1, but I am unsure if this is the proper way forward. Thanks!
Regarding the false positives: @cezapata is right that this is due to CPE generation. CPE is definitely the largest source of false positives, but these are very challenging because the CPEs chosen for NVD mean it is difficult to map any arbitrary software to an accurate CPE, which is why a lot of derivations are generated -- which leads to fewer missed vulnerabilities but increases the false positives. We are actively investigating ways to improve this. Regarding the
Thank you so much for looking into this @kzantow! I see now there was already an ongoing thread about handling CPEs and similar problems here:
As a mitigation, I will just use the ignore field and a combination of package names and vulnerabilities to handle these. Two suggestions that would improve the developer experience when working with the ignore setting in the yaml configuration would be:
I can imagine the complexity of adding those conditions (basically having to have nested conditions with ands and ors, and also some grammar to implement the comparison among versions); I can see how those are not easy fixes to implement, but they are just suggestions :) Finally, I have created an independent issue for the parent version: I do believe it will map to the parent's
Thanks again for your quick reply and your help!
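As an added example (not part of this thread or of grype's own documentation), here is a `.grype.yaml` that scopes ignore rules the way the mitigation above describes, by vulnerability id plus package name and version rather than by id alone; the `java-archive` package type is an assumption about how grype labels jar artifacts:

```yaml
# .grype.yaml (added example; the CVE and package versions come from the issue above)
# Every field inside one rule must match for the rule to apply, so each rule is
# pinned to the CVE, the package name and the exact version. A rule listing only
# `vulnerability:` would suppress that CVE for every package in the scan, which
# is too broad; pinning the version means the rule stops applying as soon as the
# dependency is bumped, so a genuinely affected later version is reported again.
ignore:
  - vulnerability: CVE-2019-20445
    package:
      name: reactor-netty-core
      version: 1.0.24
      type: java-archive   # assumption: package type grype assigns to jars
  - vulnerability: CVE-2019-20445
    package:
      name: reactor-netty-http
      version: 1.0.24
      type: java-archive
```

Running `grype --show-suppressed` lists the matches these rules filtered out, which is worth checking after each dependency bump so a rule does not silently outlive the version it was written for.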
We've confirmed that this has been fixed in the latest version of grype.
Running the latest grype tool on an application that takes a dependency on io.projectreactor.netty:reactor-netty-http:jar:1.0.24:compile, which comes along with io.projectreactor.netty:reactor-netty-core:jar:1.0.24:compile, it complains about those vulnerabilities. I found that those vulnerabilities should have already been fixed in an earlier version of reactor netty, such as CVE-2019-20445, which was fixed in 4.1.44, but reactor-netty-core:jar:1.0.24 already uses 4.1.84, which is a newer version than 4.1.44.
Those vulnerability errors should be false positives.
Can someone have a look and help? Thank you.