Describe the bug
Xray reports CVE-2023-5685 (JBoss XNIO buffer overflow) against our project. However, org.jboss.xnio:xnio-api is not present in our delivery. The scanner appears to have confused standard Java NIO (part of the JDK) with JBoss XNIO (a separate third-party library).
To Reproduce
Xray scan flags CVE-2023-5685 against a project that uses Java NIO but does NOT contain org.jboss.xnio:xnio-api in its dependency tree.
Expected behavior
CVE-2023-5685 should only be reported when org.jboss.xnio:xnio-api is actually present in the scanned artifacts. Java NIO (java.nio.*) from the JDK is a different component.
Versions
- Package: org.jboss.xnio:xnio-api — NOT PRESENT
- Scanner likely confused with: java.nio (JDK built-in)
Additional context
Red Hat advisory: https://issues.redhat.com/browse/WFCORE-6738
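One way to triage this kind of finding before disputing it, added here as an example and not part of the original report or of Xray: parse `mvn dependency:tree` output (the sample tree lines, the xnio-api version string and the Java snippet below are constructed) and report whether org.jboss.xnio:xnio-api is actually in the tree, separately from whether the code merely imports JDK `java.nio`.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a project that uses
# java.nio from the JDK but has no JBoss XNIO dependency (not real output).
SAMPLE_TREE_NO_XNIO = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
"""

# Constructed variant where the third-party library really is in the tree;
# the version string is a placeholder, not a real XNIO release.
SAMPLE_TREE_WITH_XNIO = SAMPLE_TREE_NO_XNIO + \
    "[INFO] \\- org.jboss.xnio:xnio-api:jar:1.2.3-constructed:compile\n"

# Constructed Java source that uses JDK NIO only.
SAMPLE_SOURCE = "import java.nio.ByteBuffer;\nimport java.nio.channels.SocketChannel;\n"

XNIO_API = ("org.jboss.xnio", "xnio-api")


def dependencies(tree_text):
    """Map (groupId, artifactId) -> version for each dependency line.
    Maven prints groupId:artifactId:type[:classifier]:version:scope; the
    root module line has no scope and is skipped."""
    found = {}
    for line in tree_text.splitlines():
        coord = line.rsplit(" ", 1)[-1]  # drop the "[INFO] +- " decoration
        parts = coord.split(":")
        if len(parts) < 5:
            continue
        found[(parts[0], parts[1])] = parts[-2]
    return found


def triage_xnio_finding(tree_text):
    """Return (supported, version): a CVE against xnio-api is only supported
    when that exact groupId:artifactId is present in the dependency tree."""
    version = dependencies(tree_text).get(XNIO_API)
    return version is not None, version


def uses_jdk_nio(source_text):
    """True if the code imports java.nio.*; that is JDK code shipped with the
    runtime, not a scanned artifact, so it never justifies an xnio finding."""
    return re.search(r"^\s*import\s+java\.nio\.", source_text, re.M) is not None
```

Run it against the real tree of the flagged build: a `(False, None)` result alongside `uses_jdk_nio(...) == True` is exactly the JDK-vs-JBoss confusion described above.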