Georgian

Reputation: 8960

Spring Cloud embedded netty server with security vulnerabilities

I'm using spring-cloud-starter-gateway and spring-boot-starter-webflux from spring-cloud-dependencies:2020.0.4, packing everything in a docker image.

All my routes are written with RouteLocatorBuilder from spring cloud.

Scanning the image with Grype, I get the following vulnerabilities (screenshot of the Grype output not reproduced here).

Latest reactor-netty-http:1.0.13 still doesn't have these fixed.

I'd like to resolve these issues. Any suggestions?

[UPDATE]

Wrote to Grype's GitHub for further investigation. It does seem these are false positives, as Andreas mentioned below. Enforcing the latest Netty in my BOM for now.

Upvotes: 0

Views: 1398

Answers (1)

Andreas

Reputation: 5309

I suppose these are false positives, as reactor-netty-http did not have the vulnerability; it was in HttpObjectDecoder.java in Netty before 4.1.44. The regexes provided by https://nvd.nist.gov/vuln/detail/CVE-2019-20444 are sometimes too unspecific.

According to the docs you can suppress the false positives following this guide: https://github.com/anchore/grype#specifying-matches-to-ignore

If you are using maven you could just add (but you don't have to because these are false positives):

    <project>
      ...
      <dependencyManagement>
        <dependencies>
          <dependency>
            <groupId>io.netty</groupId>
            <artifactId>netty-bom</artifactId>
            <version>4.1.70.Final</version>
            <type>pom</type>
            <scope>import</scope>
          </dependency>
        </dependencies>
      </dependencyManagement>
      ...
    </project>

And the fixes are in reactor-netty-http:1.0.13 as netty 4.1.70 does not have any commonly known security flaws:

(POM screenshot of reactor-netty-http 1.0.13 not reproduced here.)

Upvotes: 2
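As an added example (not code from the question or the answer above), this is a `.grype.yaml` that applies the Grype ignore guide linked in the answer to the CVE it discusses. The rule is scoped to the reactor-netty-http artifact, so the same CVE matched against an actual io.netty artifact would still be reported. The package name, version and type are assumptions about how Grype identifies the JAR; confirm them against `grype <image> -o json` before relying on the rule.

```yaml
# .grype.yaml -- added example, not part of the original post.
# Suppress CVE-2019-20444 only where it is a false positive: the CVE
# concerns HttpObjectDecoder.java in Netty before 4.1.44, not the
# reactor-netty-http artifact that merely depends on Netty.
ignore:
  - vulnerability: CVE-2019-20444
    package:
      # Assumed: Grype reports the JAR under its Maven artifactId and
      # classifies it as type java-archive.
      name: reactor-netty-http
      version: 1.0.13
      type: java-archive
# No rule for io.netty artifacts: a real Netty match is never hidden.
```

Grype picks the file up automatically from the working directory or with `grype <image> -c .grype.yaml`; running with `--show-suppressed` lists the ignored match so you can verify that only the reactor-netty-http entry was suppressed.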
