Version 2.2.0 brings in dependencies with CVE #767

@sbyrnes-weblogix

Description

Expected behavior

Dependencies that have been shaded and included should not have security issues.
This seems to be fixed in version v1.16.1 (https://github.com/grpc/grpc-java/releases) of grpc-java.
v1.16.0 brought in "Updated to Netty 4.1.30 and Netty tcnative 2.0.17", which broke the ABI; this is fixed in version 1.16.1.

Actual behavior

grpc-netty-shaded-1.14.0.jar/META-INF/maven/io.netty/netty-tcnative-boringssl-static/pom.xml (io.netty:netty-tcnative-boringssl-static:2.0.12.Final, cpe:/a:netty_project:netty:2.0.12) : CVE-2015-2156, CVE-2014-3488
https://nvd.nist.gov/vuln/detail/CVE-2015-2156

To Reproduce

Maven build scanning dependencies during the build using "dependency-check-maven:3.3.1:check (owasp-enforce)" with a CVE level of less than 4.

System information

Please provide the following information:

  • SDK Version: 2.2.0 (did not exist in 2.1.2)
  • OS type and version: Java (1.8) on Linux (ubuntu 16.04)
  • Application Server type and version (if applicable): Java Application at compile time
  • Using spring-boot? No, Maven and Dropwizard
  • Additional relevant libraries (with version, if applicable):

Logs

Not relevant as this is at compile time

Screenshots

Not relevant as this is at compile time
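As an added example (not code from the issue or from the SDK project), the following pom.xml fragment reproduces the scan described in "To Reproduce" and pins the transitive grpc-netty-shaded dependency to the release the reporter identifies as fixed. The project coordinates are placeholders, and the failBuildOnCVSS value of 4 is an assumed reading of "a CVE level of less than 4".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the SDK's own pom.xml. Project coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.placeholder</groupId>
  <artifactId>sdk-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <!-- Override the transitive grpc-netty-shaded version pulled in by the SDK.
       Maven's dependencyManagement applies to transitive dependencies as well,
       so 1.14.0 (which bundles netty-tcnative-boringssl-static 2.0.12.Final)
       is replaced by 1.16.1, the release the issue identifies as fixed. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.grpc</groupId>
        <artifactId>grpc-netty-shaded</artifactId>
        <version>1.16.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- OWASP dependency-check 3.3.1 run as execution "owasp-enforce",
           failing the build when any dependency carries a CVE whose CVSS
           score is 4 or higher (assumed threshold). -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.3.1</version>
        <configuration>
          <failBuildOnCVSS>4</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <id>owasp-enforce</id>
            <phase>verify</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn verify` to execute the scan; before the override, the report lists the grpc-netty-shaded-1.14.0.jar entry quoted in "Actual behavior", and after it the shaded jar resolves to 1.16.1. Pinning only grpc-netty-shaded while the SDK's other io.grpc artifacts stay at 1.14.0 leaves the gRPC artifacts at mismatched versions, so the cleaner fix remains an SDK release that upgrades all of grpc-java together.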
