symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1038779798
I merged this to the following branches:
- master
- branch-3.8.0
- branch-3.8
- branch-3.7
- branch-3.6
On branch 3.5 I don't see that we use netty.
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036195421
OK, I double-checked all the CVE errors detected by the latest OWASP 6.5.3.
All of these are false positive. Also I checked the maven dependency tree to
make sure we don't
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036176185
I tried again, purging my local CVE database this time before running the
new OWASP check with latest OWASP 6.5.3. It still reports the same 11 netty and
3 other CVEs that I
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036170324
I think the nicest would be to update to the latest OWASP, then go through
the reported CVEs one-by-one to see if they are really false positives.
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036169071
yeah... although even the latest OWASP version seems to find false positives:
```
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check
```
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036141751
I checked the maven dependency tree, and we don't have any old netty on our
class path. These CVEs should not have appeared. Maybe OWASP is mixing the
netty-tcnative version
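The dependency-tree check described in this comment, as an added example that is not part of the PR or of the ZooKeeper project: a POSIX shell script that scans `mvn dependency:tree` output for `io.netty` artifacts older than a chosen version, leaving out netty-tcnative, whose 2.0.x numbering is separate from netty's 4.1.x line. The sample tree lines, the minimum version 4.1.73 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ZooKeeper code): check a Maven dependency tree for old
# netty artifacts. The sample below is constructed; a real run would use
#   old_netty "$(mvn dependency:tree -Dincludes=io.netty)" 4.1.73

# Constructed sample of what `mvn dependency:tree -Dincludes=io.netty` prints.
SAMPLE_TREE='[INFO] org.apache.zookeeper:zookeeper:jar:3.8.0-SNAPSHOT
[INFO] +- io.netty:netty-handler:jar:4.1.73.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.73.Final:compile
[INFO] |  \- io.netty:netty-tcnative-classes:jar:2.0.48.Final:compile
[INFO] \- io.netty:netty-codec:jar:4.1.50.Final:compile'

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
# Assumes major.minor.patch; a missing patch component is treated as
# repeating the minor one, which is good enough for netty-style versions.
version_lt() {
  a=$1 b=$2
  a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}
  b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return; fi
  [ "$a3" -lt "$b3" ]
}

# old_netty TREE MIN: print group:artifact:version for every io.netty
# artifact in TREE whose version is below MIN. netty-tcnative* is skipped
# because its 2.0.x versions are not comparable with netty 4.1.x, which is
# also the kind of mismatch that produces version-only CPE false positives.
old_netty() {
  tree=$1 min=$2
  printf '%s\n' "$tree" \
    | grep -o 'io\.netty:[^ ]*' \
    | grep -v ':netty-tcnative' \
    | while IFS=: read -r group artifact type version scope; do
        v=${version%.Final}
        if version_lt "$v" "$min"; then
          echo "$group:$artifact:$version"
        fi
      done
}

# Stand-alone run: report what a CI gate would flag for the sample tree.
if [ -n "$(old_netty "$SAMPLE_TREE" 4.1.73)" ]; then
  echo "netty older than 4.1.73 on the class path:"
  old_netty "$SAMPLE_TREE" 4.1.73
else
  echo "no netty older than 4.1.73 on the class path"
fi
```

On the constructed tree the script reports only `io.netty:netty-codec:4.1.50.Final`; with a clean tree it prints nothing, which is the state the comment above describes for ZooKeeper. Feeding it the real `mvn dependency:tree` output is the quickest way to tell a genuine old transitive netty from a scanner confusing netty-tcnative's version with netty's.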
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036133003
> I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes
never mind, I see 2.0.48.Final is actually the latest netty-tcnative.
symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036119664
Are we absolutely sure we can simply skip these checks for the
netty-tcnative library? Isn't this something we use through netty when we do
ClientTLS or QuorumTLS?
I