
Lettuce-reported GHSA-q4h9-7rxj-7gx2 is a false positive report of a Netty vulnerability against a Lettuce artifact #3093

Open
seanwalbran opened this issue Dec 20, 2024 · 2 comments

seanwalbran commented Dec 20, 2024

Bug Report

(Reported upstream at github/advisory-database#5116 but they sent me here 😄 )

Advisory GHSA-q4h9-7rxj-7gx2 reports a Netty vulnerability against the Lettuce artifact. This is a false positive report for Lettuce artifacts.

The advisory asserts that the Lettuce package is vulnerable only because it expresses a dependency on a vulnerable version of Netty -- but Lettuce itself does not have this vulnerability: it does not actually package or shade the vulnerable Netty code. The Netty vulnerability already has its own CVE/advisory. As a result, this advisory incorrectly results in tools like Dependabot flagging the usage of Lettuce even when a consuming project has otherwise overridden or excluded an actually-vulnerable Netty transitive dependency version.

Please retract the advisory reported against the lettuce artifacts, the existing advisory against actually-affected Netty artifacts is already sufficient for detection.
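The two facts the report turns on, that the Lettuce jar does not bundle Netty classes and that what matters is the Netty version the consuming project actually resolves, can both be checked mechanically rather than trusted to a scanner. The script below is an added example and is not Lettuce project code or anything posted in this issue. It parses a constructed `mvn dependency:tree` listing (the version numbers in it are illustrative, not real Lettuce or Netty release history), lists Netty artifacts still below a caller-supplied minimum version (the fixed Netty version is not stated on this page, so `4.1.118.Final` is only a placeholder), and inspects a jar for `io/netty/` entries using small in-memory jars built for the demonstration.

```python
"""Checks for a Netty advisory that a scanner attributes to a Lettuce artifact.

Added example, not Lettuce project code. Sample data is constructed inline.
"""
import io
import re
import zipfile

# Constructed sample of `mvn dependency:tree` output (not a real project).
# Versions are illustrative. Note the partial override: netty-transport was
# pinned by the consumer, netty-common and netty-handler were not.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- io.lettuce:lettuce-core:jar:6.4.0:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.100.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] |  \\- io.netty:netty-transport:jar:4.1.118.Final:compile (version managed from 4.1.100.Final)
[INFO] \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.118.Final:compile
"""


def parse_tree(tree_text):
    """Yield (group, artifact, version) for each coordinate line of a Maven tree.

    Handles the tree-drawing prefix, an optional classifier, and trailing notes
    such as '(version managed from ...)'.
    """
    for raw in tree_text.splitlines():
        line = raw.replace("[INFO]", "").strip().lstrip("|+\\- ")
        parts = line.split(" ", 1)[0].split(":")
        if len(parts) in (4, 5):      # g:a:type:version[:scope]
            group, artifact, version = parts[0], parts[1], parts[3]
        elif len(parts) == 6:         # g:a:type:classifier:version:scope
            group, artifact, version = parts[0], parts[1], parts[4]
        else:
            continue
        yield group, artifact, version


def version_key(version):
    """Numeric components only, e.g. '4.1.118.Final' -> (4, 1, 118).

    Qualifiers like Final/SNAPSHOT are ignored; good enough for Netty's scheme.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def resolved_versions(tree_text, group="io.netty"):
    """Map artifact -> resolved version for every artifact of `group`."""
    return {a: v for g, a, v in parse_tree(tree_text) if g == group}


def below_floor(tree_text, min_version, group="io.netty"):
    """Artifacts of `group` resolved to a version older than `min_version`.

    Empty means the consumer's override or exclusion took effect everywhere.
    """
    floor = version_key(min_version)
    return sorted((a, v) for a, v in resolved_versions(tree_text, group).items()
                  if version_key(v) < floor)


NETTY_PREFIX = "io/netty/"


def shaded_netty_entries(jar_bytes):
    """Entries under io/netty/, i.e. evidence that a jar bundles Netty classes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist() if n.startswith(NETTY_PREFIX)]


def make_jar(entry_names):
    """Build an in-memory jar with empty entries; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entry_names:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed entry lists standing in for a plain client jar and a shaded one.
LETTUCE_LIKE_ENTRIES = ["META-INF/MANIFEST.MF",
                        "io/lettuce/core/RedisClient.class",
                        "io/lettuce/core/RedisURI.class"]
SHADED_LIKE_ENTRIES = LETTUCE_LIKE_ENTRIES + ["io/netty/handler/ssl/SslHandler.class"]

if __name__ == "__main__":
    # Placeholder floor; substitute the fixed version from the Netty advisory.
    print("still below floor:", below_floor(SAMPLE_TREE, "4.1.118.Final"))
    print("shaded netty in client jar:", shaded_netty_entries(make_jar(LETTUCE_LIKE_ENTRIES)))
    print("shaded netty in shaded jar:", shaded_netty_entries(make_jar(SHADED_LIKE_ENTRIES)))
```

Run against a real build, feed `parse_tree` the output of `mvn dependency:tree` and `shaded_netty_entries` the bytes of the downloaded client jar; a scanner finding on the client artifact is only actionable if the second check returns entries, and the first check tells you whether your transitive override actually reached every Netty artifact.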

tishun (Collaborator) commented Dec 20, 2024

Thanks for the report. I agree the advisory needs to be retracted.
I've initiated a ticket with GitHub support on this topic.

tishun (Collaborator) commented Dec 21, 2024

... apologies for the confusion too.
