Tags: java, spring, spring-boot, jetty, netty

Spring Boot Jetty and Netty vulnerabilities


I need to 'solve' all of the vulnerabilities in my Spring Boot app.

I use Spring Boot 2.7.14. Sadly, I cannot go to newer versions. I need to exclude the current Netty, but if I include the newest, it still has vulnerabilities, even critical ones according to grype tests. I can include Jetty, but it is the same. (reactor-netty-http)

reactor-netty-core  1.1.9                java-archive  CVE-2019-20445       Critical  
reactor-netty-core  1.1.9                java-archive  CVE-2019-20444       Critical  
reactor-netty-core  1.1.9                java-archive  CVE-2022-41881       High      
reactor-netty-core  1.1.9                java-archive  CVE-2021-37137       High      
reactor-netty-core  1.1.9                java-archive  CVE-2021-37136       High      
reactor-netty-core  1.1.9                java-archive  CVE-2019-16869       High      
reactor-netty-core  1.1.9                java-archive  CVE-2015-2156        High      
reactor-netty-core  1.1.9                java-archive  CVE-2023-34462       Medium    
reactor-netty-core  1.1.9                java-archive  CVE-2022-24823       Medium    
reactor-netty-core  1.1.9                java-archive  CVE-2021-43797       Medium    
reactor-netty-core  1.1.9                java-archive  CVE-2021-21409       Medium    
reactor-netty-core  1.1.9                java-archive  CVE-2021-21295       Medium    
reactor-netty-core  1.1.9                java-archive  CVE-2021-21290       Medium    
reactor-netty-core  1.1.9                java-archive  CVE-2014-3488        Medium   

I need some kind of ClientHttpConnector.

Do you have any suggestion to have fewer vulnerabilities, or another lib instead of those two? What would you do?

exclude, jetty, netty, etc.


Solution

  • Neither reactor-netty-core nor reactor-netty-http contains any Maven information inside the JAR file (the files pom.xml and pom.properties in the folder META-INF/maven/<groupId>/<artifactId>). Therefore, the OWASP dependency check (and possibly other tools) does not recognize them as reactor-netty-core or reactor-netty-http but as Netty itself (cpe:/a:netty:netty). That has some vulnerabilities in versions 1.x, so a false positive is triggered.

    Depending on your tool, you need to add one or more suppressions. Unfortunately, this cannot be done using Maven coordinates, so you'll need to do it based on the file hash of each version in use. For instance, in an OWASP dependency check suppression file for version 1.0.31 (included by some Quarkus 2.x version):

       <suppress>
          <notes><![CDATA[
          file name: reactor-netty-core-1.0.31.jar
          ]]></notes>
          <!-- No POM information available, so use sha1 matching instead -->
          <sha1>8f71cedfc447352d251148825a887b4a5968dd65</sha1>
          <cpe>cpe:/a:netty:netty</cpe>
       </suppress>
       <suppress>
          <notes><![CDATA[
          file name: reactor-netty-http-1.0.31.jar
          ]]></notes>
          <!-- No POM information available, so use sha1 matching instead -->
          <sha1>4b1aa019f0fb4724752237a2d2a156e6ba4eeca6</sha1>
          <cpe>cpe:/a:netty:netty</cpe>
       </suppress>
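As an added example (not part of the answer above, and not the project's own tooling), the following Python script automates the check the answer describes: it looks inside a JAR for `META-INF/maven/**/pom.properties`, and only when that metadata is missing does it compute the file's SHA-1 and emit a suppression entry in the same shape as the ones above. The sample JARs are constructed in memory with a dummy class file; they are not real reactor-netty artifacts, so their hashes are not the hashes quoted in the answer. The group id `io.projectreactor.netty` is the real Maven coordinate for reactor-netty; the default CPE is the one the answer names.

```python
"""Decide whether a JAR needs a SHA-1 based suppression (no Maven metadata) and emit one."""
import hashlib
import io
import zipfile
from typing import Optional


def maven_coordinates(jar_bytes: bytes) -> Optional[dict]:
    """Return {groupId, artifactId, version} from META-INF/maven/**/pom.properties,
    or None when the JAR carries no Maven metadata (the false-positive case)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # skip comments and blank lines in the properties file
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                return {k: props[k] for k in ("groupId", "artifactId", "version")}
    return None


def sha1_hex(jar_bytes: bytes) -> str:
    """SHA-1 of the whole file, which is what dependency-check's <sha1> element matches on."""
    return hashlib.sha1(jar_bytes).hexdigest()


def suppression_xml(file_name: str, sha1: str, cpe: str) -> str:
    """Render one <suppress> entry in the format used by OWASP dependency-check."""
    return (
        "<suppress>\n"
        "   <notes><![CDATA[\n"
        f"   file name: {file_name}\n"
        "   ]]></notes>\n"
        "   <!-- No POM information available, so use sha1 matching instead -->\n"
        f"   <sha1>{sha1}</sha1>\n"
        f"   <cpe>{cpe}</cpe>\n"
        "</suppress>\n"
    )


def suppression_for(file_name: str, jar_bytes: bytes, cpe: str = "cpe:/a:netty:netty") -> Optional[str]:
    """Emit a suppression only when the JAR lacks Maven metadata; JARs that do carry
    pom.properties are identified correctly by the scanner and need no suppression."""
    if maven_coordinates(jar_bytes) is not None:
        return None
    return suppression_xml(file_name, sha1_hex(jar_bytes), cpe)


def build_sample_jar(with_pom: bool) -> bytes:
    """Constructed sample JAR for demonstration; not a real reactor-netty artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("reactor/netty/Dummy.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        if with_pom:
            zf.writestr(
                "META-INF/maven/io.projectreactor.netty/reactor-netty-core/pom.properties",
                "# constructed sample\ngroupId=io.projectreactor.netty\n"
                "artifactId=reactor-netty-core\nversion=1.1.9\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_jar.py path/to/reactor-netty-core-1.1.9.jar
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        entry = suppression_for(path.rsplit("/", 1)[-1], data)
        print(entry if entry else f"{path}: Maven metadata present, no suppression needed")
```

Run it over every reactor-netty JAR in the build's dependency output and paste the emitted entries into the suppression file; because the match is on the file hash, the entries must be regenerated whenever the dependency version changes.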