[FP]: False Positive Detection for Netty CVEs (CVE-2025-55163, CVE-2025-58056, CVE-2025-58057) due to Broad CPE Matching

[beardo-sid]

Package URl

pkg:maven/io.projectreactor.netty/reactor-netty@1.2.11

CPE

cpe:2.3:a:netty:netty::::::::

CVE

CVE-2025-58056

ODC Integration

None

ODC Version

10.0.3

Description

Dependency Check is reporting Netty related CVEs against the artifact:

io.projectreactor.netty:reactor-netty:1.2.11

The CVEs being reported are:

CVE-2025-55163
CVE-2025-58056
CVE-2025-58057

However reactor-netty is not the affected component. These CVEs apply only to specific Netty modules:

netty-codec
netty-codec-http
netty-codec-http2
netty-codec-compression

Our application resolves Netty dependencies to:

io.netty:netty-codec:4.1.128.Final
io.netty:netty-codec-http:4.1.128.Final
io.netty:netty-codec-http2:4.1.128.Final

These versions are newer than the fixed versions listed in the advisories:

CVE-2025-55163 fixed in 4.1.125.Final
CVE-2025-58056 fixed in 4.1.124.Final
CVE-2025-58057 fixed in 4.1.125.Final

The issue appears to occur because Dependency Check maps the package to a generalized CPE:

cpe:2.3:a:netty:netty

This causes Reactor Netty artifacts to be flagged even though the vulnerable Netty modules and versions are not present.

Expected behavior:
The CVEs should only match the affected Netty modules (netty-codec, netty-codec-http, netty-codec-http2, netty-codec-compression) and vulnerable version ranges.

Actual behavior:
reactor-netty artifacts are flagged due to broad CPE matching.

Evidence:
Dependency tree resolves Netty modules to 4.1.128.Final which is above all fixed versions.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>io.projectreactor.netty</groupId>
  <artifactId>reactor-netty</artifactId>
  <version>1.2.11</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8348
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor-netty@.*$</packageUrl>
    <cpe>cpe:/a:netty:netty</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/22753155002

[chadlwilson]

NVD does not track vulnerabilities at component level, as you note yourself - it uses a "generalized CPE". ODC cannot magically fix problems with granularity of upstream data. So it is likely it will match all netty components.

However, reactor-netty is a separate project to netty, which should not match.

You haven't selected an ODC integration, so it's possible the issue here is because you are scanning with the CLI or Docker image.

When scanning this way, ODC does not know the proper maven co-ordinates for the reactor-netty artifacts, since as a Gradle project they do not publish POMs inside their jar files. It thus has to guess them from things like MANIFEST.MF - which is possibly not working for the reactor-netty* artifacts.

Without sufficient metadata to determine the PURL/package-URL, ODC cannot apply its existing suppressions. Can you share the contents of your report and/or confirm if there are package URLs displaying for all of the reactor-netty components - and share the "Evidence" section?

If you are in fact using the Maven or Gradle implementation, or the PURLs are being correctly determined, I can see a reason that reactor-netty (alone) might not be suppressed correctly, which I can fix. For some reason they are publishing an empty jar for this artifact even though it's probably supposed to be POM-only, so is likely confusing non-Gradle consumers.

[chadlwilson]

Also please note that ODC 10.0.3 is wildly out of date and not supported. You need to update to the latest version.

[chadlwilson]

Will assume the issue is only reactor-netty generic artifact which has been fixed now. Ensure you update your hosted suppressions source and try again, see if it cleans up.