[FP]: CVE-2007-0061 spring-grpc-boot-starter identified as vmware

[profhenry]

Package URl

pkg:maven/org.springframework.grpc/spring-grpc-spring-boot-starter@1.0.2

CPE

cpe:2.3:a:vmware:server:1.0.2:*:*:*:*:*:*:*

CVE

CVE-2007-0061

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.6

Description

The spring-grpc-boot-starter artifact is identified as vmware, so all sorts of CVEs reported against vmware are reported for spring-grpc-boot-starter :-/.

I get 49 findings for spring-grpc-boot-starter which seem all be a FP

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.springframework.grpc</groupId>
  <artifactId>spring-grpc-spring-boot-starter</artifactId>
  <version>1.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8396
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.grpc/spring-grpc-spring-boot-starter@.*$</packageUrl>
    <cpe>cpe:/a:vmware:server</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/23840035158

[chadlwilson]

Approved

In some configurations of ODC, the spring grpc starters/autoconfigure are being identified as Spring Boot itself as well; which is probably not correct, so we might need some more sophisticated rules for these.

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.