DependencyCheck
[FP]: CVE-2017-1000028 grizzly-http
Package URL
pkg:maven/org.glassfish.grizzly/grizzly-http@2.3.28
CPE
cpe:2.3:a:oracle:glassfish_server:4.1::::open_source:::
CVE
CVE-2017-1000028
ODC Integration
Maven Plugin
ODC Version
7.1.0
Description
Maven Coordinates
<dependency>
<groupId>org.glassfish.grizzly</groupId>
<artifactId>grizzly-http</artifactId>
<version>2.3.28</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #4541
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.grizzly/grizzly-http@.*$</packageUrl>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2389005510
From a brief look at the evidence it looks like it's an FP caused by OSSINDEX vulnerability data and grizzly-http is only involved in a workaround to the issue. However, given the nature of the workaround mentioned, it might be that Sonatype has a point in linking this issue also to the grizzly-http library itself. Needs deeper evaluation before accepting it as a true FP.
https://github.com/javaee/glassfish/pull/22042 indicates that the Grizzly library was at the root of the issue, which is likely attributable to https://github.com/javaee/grizzly/commit/5326c5101c5278dc0f5c742306323e3abfc42d77, which means it is indeed only resolved in grizzly-http 2.4.0_beta11 and later.
Looks like it's sensible for OSSIndex to flag the grizzly-http library as vulnerable.