[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-14 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1038779798 I merged this to the following branches: - master - branch-3.8.0 - branch-3.8 - branch-3.7 - branch-3.6 On branch 3.5 I don't see we use netty

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036195421 OK, I double-checked all the CVE errors detected by the latest OWASP 6.5.3. All of these are false positives. Also I checked the maven dependency tree to make sure we don't

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036176185 I tried again, purging my local CVE database this time before running the new OWASP check with latest OWASP 6.5.3. It still reports the same 11 netty and 3 other CVEs that I

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036170324 I think the nicest would be to update to the latest OWASP, then go through the reported CVEs one-by-one to see if they are really false positives.

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036169071 yeah... although even the latest OWASP version seems to find false positives:
```
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check
```

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036141751 I checked the maven dependency tree, and we don't have any old netty on our class path. These CVEs should not have appeared. Maybe OWASP is mixing the netty-tcnative version
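A suppression entry in the form the OWASP dependency-check `suppressionFile` accepts, shown here as an added example; it is not the project's own suppression file and not code from this PR. The file name `owaspSuppressions.xml`, the `packageUrl` regex, the assumed cause written in the notes, and the choice to suppress by CPE rather than by individual CVE IDs are all assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's file. Assumed file name: owaspSuppressions.xml,
     referenced from the dependency-check-maven plugin's <suppressionFile> in pom.xml. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Assumed cause: the scanner maps the io.netty:netty-tcnative* artifacts to the
      netty CPE, so their 2.0.x version is compared against advisories for old netty
      releases that are not on the classpath (confirm with mvn dependency:tree).
      The match is deliberately narrow: only the netty-tcnative artifacts, and only
      the netty CPE, so io.netty:netty-* itself keeps being scanned.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*@.*$</packageUrl>
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
</suppressions>
```

Before committing such an entry, re-check the premise it rests on: `mvn dependency:tree -Dincludes=io.netty` should list only the intended netty and netty-tcnative versions, and running `mvn org.owasp:dependency-check-maven:purge` followed by `mvn org.owasp:dependency-check-maven:check` confirms that the findings are reproducible against a fresh local CVE database rather than a stale one. A suppression keyed on the CPE of a single artifact is preferable to suppressing CVE IDs one by one, because a real netty vulnerability surfacing later would still be reported against the netty artifacts themselves.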

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036133003
> I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes

never mind, I see 2.0.48.Final is actually the latest netty-tcnative.

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

2022-02-11 Thread GitBox
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036119664 Are we absolutely sure we can simply skip these checks for the netty-tcnative library? Isn't this something we use through netty when we do ClientTLS or QuorumTLS? I