[FP]: FP for netty-transport

[kaniskavarsinipd]

Package URl

pkg:maven/io.netty/netty-transport@4.1.122.Final

CPE

cpe:2.3:a:netty:netty:4.1.122:::::::*

CVE

No response

ODC Integration

None

ODC Version

12.2.0

Description

CVE-2025-58057 not applicable for netty-transport
The vulnerable component is netty-codec-compression but here it is reported for netty-transport as it contains word netty.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-transport</artifactId>
  <version>4.1.122.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8270
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty-transport@.*$</packageUrl>
    <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/21587084634

[chadlwilson]

NVD doesn't track vulnerabilities at a package level, only product level, and they don't split attribution by transport/codec etc. https://nvd.nist.gov/vuln/detail/CVE-2025-58057 - they mark.all of Netty of a given version as vulnerable.

This cannot be addressed by ODC with its current design and the NVD data source.