I need to analyze sbom generated from my multi-module spring boot project.
I have configured cyclonedx maven plugin in my root pom with
version:2.8.1, schemaVersion:1.5, goal:makeAggregateBom, outputFormat:json
Now mvn install generates bom.json inside the target folder of each and every maven module.
I have used bomber to generate <YYYY_MM_DD-HH-MM-SS>-bomber-results.html as follows:
bomber scan --output html target/bom.json
The html (sample) file includes 5 high vulnerabilities due to some older versions of netty even though the bom.json-s contain version 4.1.112.final throughout, e.g.,
"pkg:maven/io.netty/[email protected]?type=jar"
An example of the vulnerabilities from the html is purveyed below:
HTTP Request Smuggling in Netty
Severity: HIGH
Reference Documentation
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Similar issues are reported for pkg:maven/org.yaml/snakeyaml against versions before 1.31 even though the generated bom.json-s contain only the following
"bom-ref" : "pkg:maven/org.yaml/[email protected]?type=jar"
Any help or direction towards the resolution will be more than welcome
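A first triage step for a report like this, written as an added example (it is not code from the question, from bomber, or from the cyclonedx-maven plugin): walk every per-module target/bom.json, list each Maven component with every version it appears at and in which module, then re-check the two findings quoted above with a numeric, Maven-style version comparison instead of a string comparison. The sample BOM documents, the artifact id netty-codec-http, the snakeyaml 1.30 in one module and the netty threshold are constructed for the demonstration; the real affected ranges have to be taken from the advisories themselves.

```python
"""
Added example, not the question's or the bomber / cyclonedx-maven projects' own code.
Collects component versions across a multi-module reactor's target/bom.json files and
re-checks reported findings with a numeric version comparison.
"""
import json
import re
from collections import defaultdict
from pathlib import Path

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Split a Maven package URL into (group, name, version); None if it is not a Maven purl."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return m.group("group"), m.group("name"), m.group("version")


def collect_versions(boms):
    """Map 'group/name' -> {version: [bom files it appears in]} over {file: CycloneDX document}."""
    seen = defaultdict(lambda: defaultdict(list))
    for source, bom in boms.items():
        for comp in bom.get("components", []):
            parsed = parse_purl(comp.get("purl") or comp.get("bom-ref") or "")
            if parsed:
                group, name, version = parsed
                seen[f"{group}/{name}"][version].append(source)
    return seen


def load_boms(root):
    """Load every target/bom.json below a reactor root; used on a real checkout instead of SAMPLE_BOMS."""
    return {str(p): json.loads(p.read_text()) for p in Path(root).glob("**/target/bom.json")}


def version_key(version):
    """Tokenise '4.1.112.Final' so numeric parts order numerically (simplified Maven ordering;
    qualifier semantics such as 'Final' == release are not modelled)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in re.split(r"[.\-]", version))


def is_older_than(version, threshold):
    return version_key(version) < version_key(threshold)


def lexical_is_older(version, threshold):
    """Plain string comparison, kept only to show why it must not be used for versions."""
    return version < threshold


# Constructed sample documents standing in for two modules' target/bom.json files.
# The artifact id and the stale snakeyaml 1.30 in the lib module are invented for the demo.
def _component(group, name, version):
    purl = f"pkg:maven/{group}/{name}@{version}?type=jar"
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": purl, "bom-ref": purl}


SAMPLE_BOMS = {
    "app/target/bom.json": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        _component("io.netty", "netty-codec-http", "4.1.112.Final"),
        _component("org.yaml", "snakeyaml", "2.2")]},
    "lib/target/bom.json": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        _component("io.netty", "netty-codec-http", "4.1.112.Final"),
        _component("org.yaml", "snakeyaml", "1.30")]},
}

# Thresholds constructed from the report text quoted in the question. The netty value is a
# PLACEHOLDER: the question states 4.1.43.Final is affected but not the first fixed version.
ADVISORIES = [
    {"component": "org.yaml/snakeyaml", "vulnerable_if_older_than": "1.31"},
    {"component": "io.netty/netty-codec-http", "vulnerable_if_older_than": "4.1.44.Final"},
]


def triage(versions, advisories):
    """One row per advisory: every version actually present and those inside the stated range."""
    rows = []
    for adv in advisories:
        present = versions.get(adv["component"], {})
        flagged = sorted(v for v in present if is_older_than(v, adv["vulnerable_if_older_than"]))
        rows.append({"component": adv["component"], "present": sorted(present), "flagged": flagged})
    return rows


def main(boms=None):
    versions = collect_versions(boms if boms is not None else SAMPLE_BOMS)
    for comp, by_version in sorted(versions.items()):
        for version, sources in sorted(by_version.items()):
            print(f"{comp}@{version}  <- {', '.join(sources)}")
    for row in triage(versions, ADVISORIES):
        print(row)
    # The pitfall to rule out: as strings, "4.1.112" sorts before "4.1.44".
    print("lexical:", lexical_is_older("4.1.112.Final", "4.1.44.Final"),
          "numeric:", is_older_than("4.1.112.Final", "4.1.44.Final"))


if __name__ == "__main__":
    main()
```

On a real build, replace SAMPLE_BOMS with load_boms(".") from the reactor root; the first listing shows at a glance whether a single module still pulls an older version (the constructed lib module shows what such a hit looks like), and the last line makes visible that "4.1.112.Final" is only "older" than "4.1.4x" when versions are compared as strings.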