Vulnerability scan issue with an awssdk dependency - netty handler

[polianamorishigue1-nhs]

Hi all,

Please, could someone shed me some light what's the impact on excluding an awssdk's dependency - netty-handler from the pom file?
We run vulnerability scans with Nexus IQ and because of it, all the pipelines were failing in CodePipeline. As an emergency for the release, we've excluded the netty-handler for now.

I would appreciate if someone could help me in identifying the impact in awssdk when we exclude netty-handler.

Thanks : )

[debora-ito]

We don't recommend removing a dependency, you can run into some weird runtime errors. Netty is the lib used in the async client.

Can you show what was the vulnerability reported? Depending on the vulnerability we can upgrade the netty version.

[polianamorishigue1-nhs]

Hi Debora,

I hope you're well.
Many thanks for getting back to me! It's something that were being an issue to unblock pipelines, so we've temporarily added netty to exclusions.
Also, sorry for taking a little long to reply to you, it's been quite a month in my squad.
I've just checked the error we see when running nexus iq

And this is what I get in nexus iq report

Please, would you help us in sorting out this scan failure? As you've advised, currently our aplication might be vulnerable to runtime errors because we've excluded netty from AWSSDK package in pom file.

Thank you so much,

Poliana Yukari

[debora-ito]

We upgraded the netty version to 4.1.86.Final in yesterday's release.

aws-sdk-java-v2/pom.xml

Line 106 in 46f9321

<netty.version>4.1.86.Final</netty.version>

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.