Merge pull request #140 from IABTechLab/bmz-UID2-6837-upgrade-netty

BehnamMozafari · web-flow · commit 0af15b98a8a9 · 2026-03-31T16:03:54.000+11:00
UID2-6837: Upgrade Netty to 4.1.132.Final (CVE-2026-33870, CVE-2026-33871)
diff --git a/.trivyignore b/.trivyignore
@@ -1,3 +1,7 @@
 # List any vulnerability that are to be accepted
 # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ 
 # for more details
+
+# UID2-6837
+# plexus-utils directory traversal - comes from Maven installation in base image (maven:3.9.11-eclipse-temurin-21), not from our code dependencies. Not exploitable at runtime.
+CVE-2025-67030 exp:2026-10-01
diff --git a/pom.xml b/pom.xml
@@ -12,7 +12,8 @@
         <maven.compiler.source>21</maven.compiler.source>
         <maven.compiler.target>21</maven.compiler.target>
         <vertx.version>4.5.21</vertx.version>
-        <uid2-shared.version>11.4.0</uid2-shared.version>
+        <uid2-shared.version>11.4.16</uid2-shared.version>
+        <netty.version>4.1.132.Final</netty.version>
     </properties>
 
     <repositories>
@@ -36,6 +37,13 @@
 
     <dependencyManagement>
         <dependencies>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
             <dependency>
                 <groupId>org.junit</groupId>
                 <artifactId>junit-bom</artifactId>
