Package URL
pkg:maven/(?!io.grpc/).*
CPE
cpe:2.3:a:grpc:grpc::::::::
CVE
multiple
ODC Integration
Gradle Plugin
ODC Version
11.1.1
Description
I propose using a negative regex in a suppression rule for gRPC. We already had numerous FPs for this one, because having grpc in a package name is relatively common in the wild. OTOH, the CPEs using grpc in the co-ord are limited to the io.grpc group in the Maven ecosystem. The benefit of switching would be twofold:
- no need to manually add suppressions for those cases in the future,
- possibility of removing existing redundant suppression rules for it.
Example rule:
<suppress base="true">
   <notes><![CDATA[
   Match only actual `io.grpc` Maven packages to this CPE
   ]]></notes>
   <!-- dots escaped so that "io.grpc" is matched literally -->
   <packageUrl regex="true">^pkg:maven\/(?!io\.grpc\/).*$</packageUrl>
   <cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
We do have a precedent of having this kind of rule in the base suppression file, so I think changing this would be reasonable.
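A simplified model of how such a rule would filter findings, added here as an illustration; it is not Dependency-Check's own matching code. The prefix-based CPE comparison, the sample package URLs and the version numbers are assumptions.

```python
import re

# Constructed, simplified model of a Dependency-Check suppression rule with a
# regex packageUrl and a CPE (assumption: not the project's real matcher).
SUPPRESSION = {
    # Same regex as the proposed rule, with the dots escaped so "io.grpc" is literal
    "packageUrl": re.compile(r"^pkg:maven\/(?!io\.grpc\/).*$"),
    "cpe": "cpe:/a:grpc:grpc",
}

def cpe_matches(rule_cpe: str, identified_cpe: str) -> bool:
    """A cpe:/a:vendor:product rule covers any cpe:2.3 identifier with the
    same vendor and product (assumption: simple prefix comparison)."""
    vendor, product = rule_cpe.split(":")[2:4]
    return identified_cpe.startswith(f"cpe:2.3:a:{vendor}:{product}:")

def is_suppressed(purl: str, identified_cpe: str) -> bool:
    """True when the rule removes this CPE from this dependency."""
    return bool(SUPPRESSION["packageUrl"].match(purl)) and cpe_matches(
        SUPPRESSION["cpe"], identified_cpe
    )

def apply_suppressions(findings):
    """Split constructed (purl, cpe) findings into kept and suppressed purls."""
    kept, suppressed = [], []
    for purl, cpe in findings:
        (suppressed if is_suppressed(purl, cpe) else kept).append(purl)
    return kept, suppressed

# Constructed sample findings: the CPE form is the one reported in the issue.
GRPC_CPE = "cpe:2.3:a:grpc:grpc::::::::"
SAMPLE_FINDINGS = [
    ("pkg:maven/io.grpc/grpc-netty@1.0.0", GRPC_CPE),       # real gRPC: keep
    ("pkg:maven/com.example/grpc-helper@2.0", GRPC_CPE),    # FP: suppress
    ("pkg:maven/org.acme/my-grpc-client@0.1", GRPC_CPE),    # FP: suppress
    ("pkg:maven/ioXgrpc/grpc-core@1.0", GRPC_CPE),          # only kept if the dot were unescaped
    ("pkg:npm/grpc@1.0.0", GRPC_CPE),                       # not Maven: rule does not apply
    ("pkg:maven/com.example/grpc-tools@1.0", "cpe:2.3:a:other:other::::::::"),  # other CPE: keep
]

if __name__ == "__main__":
    kept, suppressed = apply_suppressions(SAMPLE_FINDINGS)
    print("kept:", kept)
    print("suppressed:", suppressed)
```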