Fix OWASP false positive for Netty (#395)

finos · Sep 11, 2023 · 19441b8 · 19441b8
1 parent 6181d84
commit 19441b8
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/dev/compliance/owasp-false-positives.xml b/dev/compliance/owasp-false-positives.xml
@@ -228,4 +228,13 @@
         <vulnerabilityName>CVE-2020-21469</vulnerabilityName>
     </suppress>
 
+    <!-- Netty does not do host name verification for SSL by default, it has to be enabled in code -->
+    <!-- There is a discussion whether to change the default before Netty 5 -->
+    <!-- https://github.com/netty/netty/issues/8537 -->
+
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+    </suppress>
+
 </suppressions>