Issue Mapping Java Libraries: Incorrect Vulnerability Reporting for io.grpc:grpc-netty-shaded and netty-codec-http2

[avula-sudheer]

IDs

CVE-2025-55163

Description

Trivy is reporting CVE-2025-55163 (netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability) as affecting io.grpc:grpc-netty-shaded (version 1.69.1), but this is a false positive. The scan output shows:

However, grpc-netty-shaded only shades netty-codec-http2 and does not directly expose the vulnerable code. The vulnerability should only be reported for io.netty:netty-codec-http2 itself, not for libraries that shade it.

Expected behavior:
Trivy should not report CVE-2025-55163 for io.grpc:grpc-netty-shaded unless it is confirmed that the shaded code is actually exploitable in this context.

Example:

We are using quarkus-bom LTS version 3.27.0, which introduces multiple transitive dependencies with similar or partially matching package names.

Below is a partial dependency graph highlighting packages with overlapping or similar names:

+--- io.quarkus.platform:quarkus-bom:{strictly 3.27.0} -> 3.27.0
| +--- io.grpc:grpc-netty-shaded:1.69.1 (c)
+--- io.quarkus:quarkus-kubernetes-client -> 3.27.0
| +--- io.quarkus:quarkus-kubernetes-client-internal:3.27.0
| | +--- io.quarkus:quarkus-arc:3.27.0 ()
| | --- io.quarkus:quarkus-tls-registry:3.27.0
| | +--- io.quarkus:quarkus-tls-registry-spi:3.27.0
| | | --- io.quarkus:quarkus-vertx:3.27.0
| | | +--- io.netty:netty-codec-haproxy:4.1.127.Final
| | | | +--- io.vertx:vertx-core:4.5.21
| | | | | +--- io.netty:netty-codec-http:4.1.125.Final -> 4.1.127.Final ()
| | | | | +--- io.netty:netty-codec-http2:4.1.125.Final -> 4.1.127.Final (*)

The following package names are incorrectly mapped by the vulnerability scanner:

• io.grpc:grpc-netty-shaded:1.69.1 (affected)
• io.netty:netty-codec-http2:4.1.125.Final → 4.1.127.Final (expected target)

Reproduction Steps

Scan a container or project including io.grpc:grpc-netty-shaded with Trivy.
Observe that CVE-2025-55163 is reported for grpc-netty-shaded.

Detailed steps: 
1) Add quarkus-bom version 3.27.0 to a Gradle project.
2) Execute the build task: ./gradlew clean classes
3) Run the assemble task: ./gradlew assemble -Dquarkus.package.jar.type=fast-jar
4) Build a Docker image, copying files from build/quarkus-app/lib/boot to a directory in the image (e.g., dest).
4) Perform a Trivy scan on the resulting Docker image.
5) Review the Trivy report for incorrect vulnerability mapping.

Target

Container Image

Scanner

Vulnerability

Target OS

openSuSE

Debug Output

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh
sh -s -- -b /tmp
aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy info found version: 0.67.0 for v0.67.0/Linux/64bit
aquasecurity/trivy info installed /tmp/trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl
/tmp/trivy image --output trivy_scan_results.html --format template --template @html.tpl --no-progress corp-artifactory/app-image:latest
INFO [vulndb] Need to update DB
INFO [vulndb] Downloading vulnerability DB...
INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
INFO [vuln] Vulnerability scanning is enabled
INFO [secret] Secret scanning is enabled
INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
INFO [javadb] Downloading Java DB...
INFO [javadb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-java-db:1"
INFO [javadb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-java-db:1"
INFO [javadb] Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
INFO Detected OS family="opensuse-leap" version="15.6"
INFO [opensuse-leap] Detecting vulnerabilities... os_version="15.6" pkg_num=170
INFO Number of language-specific files num=1
INFO [jar] Detecting vulnerabilities...
/tmp/trivy image --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 --vuln-type os,library --no-progress corp-artifactory/app-image:latest
WARN '--vuln-type' is deprecated. Use '--pkg-types' instead.
INFO [vuln] Vulnerability scanning is enabled
INFO [secret] Secret scanning is enabled
INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
INFO Detected OS family="opensuse-leap" version="15.6"
INFO [opensuse-leap] Detecting vulnerabilities... os_version="15.6" pkg_num=170
INFO Number of language-specific files num=1
INFO [jar] Detecting vulnerabilities...
INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Report Summary

┌────────────────────────────────────────────────┬───────────────┬─────────────────┬─────────┐
│                Target                          │     Type      │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────────┼───────────────┼─────────────────┼─────────┤
│ corp-artifactory/app-image:latest              │ opensuse-leap │        0        │    -    │
├────────────────────────────────────────────────┼───────────────┼─────────────────┼─────────┤
│ io.grpc.grpc-netty-shaded-1.69.1.jar           │      jar      │        1        │    -    │
├────────────────────────────────────────────────┼───────────────┼─────────────────┼─────────┤
│ io.netty.netty-codec-http2-4.1.127.Final.jar   │      jar      │        0        │    -    │
├────────────────────────────────────────────────┼───────────────┼─────────────────┼─────────┤
│ ...                                            │      jar      │        0        │    -    │
└────────────────────────────────────────────────┴───────────────┴─────────────────┴─────────┘



For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.67/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


Java (jar)
==========
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│                Library                 │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ io.grpc:grpc-netty-shaded              │ CVE-2025-55163 │ HIGH     │ fixed  │ 1.69.1            │ 1.75.0        │ netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS │
│ (io.grpc.grpc-netty-shaded-1.69.1.jar) │                │          │        │                   │               │ Vulnerability                                            │
│                                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-55163               │
└────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

Version

0.67.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

GitHub Advisory reports that the issue affects grpc-netty-shaded. If you believe this is incorrect, please report it to GitHub.
GHSA-prj3-ccx8-p6x4