
fix(fp): suppress FP from grpc-go; migrating grpc CVE-by-CVE suppressions to hosted suppressions#8504

Merged
nhumblot merged 1 commit into
dependency-check:generatedSuppressionsfrom
chadlwilson:generatedSuppressions-grpc
May 17, 2026

Conversation

@chadlwilson
Collaborator

Description of Change

Migrates the GRPC CVE-by-CVE suppressions to hosted for easier maintenance; and suppresses additional vuln CVE-2026-33186 (another grpc-go CVE)

For reference:

<suppress base="true">
<notes><![CDATA[
FP per #3002 and #5890 - CVE are for GRPC C/ruby/python etc. Suppressing individual CVEs because ODC cannot understand the target SW
field. NVD search to review in future (not that some are marked incorrectly as affecting all languages)
--> https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=1&sortDirection=1&cpeFilterMode=applicability&cpeName=cpe:2.3:a:grpc:grpc:*:*:*:*:*:*:*:*&resultType=records
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
<cve>CVE-2017-7860</cve>
<cve>CVE-2017-7861</cve>
<cve>CVE-2017-8359</cve>
<cve>CVE-2017-9431</cve>
<cve>CVE-2020-7768</cve>
<cve>CVE-2023-1428</cve>
<cve>CVE-2023-32731</cve>
<cve>CVE-2023-32732</cve>
<cve>CVE-2023-33953</cve>
<cve>CVE-2023-4785</cve>
<cve>CVE-2024-11407</cve>
<cve>CVE-2024-7246</cve>
</suppress>

Related issues

Have test cases been added to cover the new functionality?

N/A
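To make concrete what the quoted rule does once it is applied, here is an added example (my own code, not the project's own suppression matcher) that models the two selectors the rule uses: a `packageUrl` regex and a list of `<cve>` entries. The suppression file and the findings are constructed for the example and only reuse two CVE ids from the rule above; other selectors in the real schema (cpe, cwe, vulnerabilityName) are not modelled, and exact matching for a non-regex `packageUrl` is an assumption. The last finding shows the caveat a practitioner should keep in mind: the rule is keyed on Maven coordinates, so a genuine grpc-go dependency (a `pkg:golang` purl) keeps its finding.

```python
"""Model of how a dependency-check suppression rule with a packageUrl regex
plus <cve> selectors decides whether a finding is suppressed.
Added example, not the project's own matcher."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed suppression file shaped like the rule quoted in the PR description
# (two of its CVE ids; not the project's hosted suppressions file).
SUPPRESSIONS_XML = r"""<suppressions>
  <suppress base="true">
    <notes><![CDATA[FP: these CVEs are for gRPC C/Ruby/Python/Go, not the Java artifacts]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
    <cve>CVE-2023-32731</cve>
    <cve>CVE-2023-4785</cve>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Rule:
    purl: re.Pattern   # compiled; a literal packageUrl is escaped and anchored
    cves: frozenset    # CVE ids the rule suppresses for matching packages
    notes: str


def _local(tag: str) -> str:
    """Strip a namespace prefix ({ns}suppress -> suppress) so the parser also
    accepts files that declare the dependency-suppression schema namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text: str) -> list:
    """Extract every <suppress> that has a packageUrl and at least one <cve>."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if _local(sup.tag) != "suppress":
            continue
        children = {_local(c.tag): c for c in sup}
        purl_el = children.get("packageUrl")
        cves = frozenset(c.text.strip() for c in sup if _local(c.tag) == "cve")
        if purl_el is None or not cves:
            continue  # cpe / cwe / vulnerabilityName selectors are not modelled here
        pattern = purl_el.text.strip()
        if purl_el.get("regex", "false").lower() != "true":
            pattern = "^" + re.escape(pattern) + "$"  # assumption: literal purl matches exactly
        notes_el = children.get("notes")
        notes = (notes_el.text or "").strip() if notes_el is not None else ""
        rules.append(Rule(re.compile(pattern), cves, notes))
    return rules


def is_suppressed(rules, purl: str, cve: str):
    """Return the first rule that suppresses (purl, cve), or None if it stays reported."""
    for rule in rules:
        if cve in rule.cves and rule.purl.search(purl):
            return rule
    return None


def triage(rules, findings):
    """Map each (purl, cve) finding to True when some rule suppresses it."""
    return {f: is_suppressed(rules, *f) is not None for f in findings}


# Constructed findings: the Java grpc artifacts get the FP suppressed, an unlisted
# CVE against the same artifact does not, and a real grpc-go module is untouched
# because the rule is keyed on Maven coordinates.
FINDINGS = [
    ("pkg:maven/io.grpc/grpc-netty@1.60.0", "CVE-2023-32731"),
    ("pkg:maven/io.grpc/grpc-api@1.60.0", "CVE-2023-4785"),
    ("pkg:maven/io.grpc/grpc-netty@1.60.0", "CVE-2099-0001"),  # placeholder id
    ("pkg:golang/google.golang.org/grpc@1.50.0", "CVE-2023-32731"),
]

if __name__ == "__main__":
    for (purl, cve), hidden in triage(parse_suppressions(SUPPRESSIONS_XML), FINDINGS).items():
        print(f"{'suppressed' if hidden else 'REPORTED  '}  {cve:<15} {purl}")
```

Running it prints one line per finding; the third and fourth stay reported, which is the behaviour you want from a CVE-by-CVE rule: it hides only the enumerated ids, and only for the artifact coordinates the regex names.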

…ions to hosted suppressions

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@chadlwilson chadlwilson force-pushed the generatedSuppressions-grpc branch from 64b751e to ae15ea6 Compare May 14, 2026 09:21
Collaborator

@nhumblot nhumblot left a comment


Thank you for your help!

@nhumblot nhumblot merged commit 4067d81 into dependency-check:generatedSuppressions May 17, 2026
1 check passed
@chadlwilson chadlwilson deleted the generatedSuppressions-grpc branch May 17, 2026 15:05
@chadlwilson
Collaborator Author

chadlwilson commented May 17, 2026

Thanks! Could you please manually trigger the publish suppressions workflow so this is visible to users?

https://github.com/dependency-check/DependencyCheck/actions/workflows/publish-suppressions.yml

We haven't got this workflow auto-triggering on the branch update just yet - it only runs via the automated approval workflow at the moment (been meaning to submit a PR for that).

I've also marked the cleanup PRs as ok to review/merge (removed the duplicate rules from base suppressions that this PR creates, since these two sets of suppressions are essentially aggregated together for every install now)


2 participants