{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:6da4551d-6275-5ce8-9cc1-a23ad5170780",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1",
      "type": "library",
      "group": "io.projectreactor.netty",
      "name": "reactor-netty",
      "version": "1.0.7-tuxcare.1",
      "purl": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:456ef1b1-6fed-5f91-b6b0-2a25bace01bf",
      "id": "CVE-2021-22929",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2021-22929 is a false positive for io.projectreactor.netty:reactor-netty 1.0.7-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:585ede9b-04f1-5e83-bbbe-3090cb080b28",
      "id": "CVE-2022-30334",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-30334 is a false positive for io.projectreactor.netty:reactor-netty 1.0.7-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b49ea2ed-55a1-569a-ad93-0cdbabb8633e",
      "id": "CVE-2022-31684",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2022-31684 does not affect version 1.0.7-tuxcare.1 of io.projectreactor.netty:reactor-netty. According to Snyk and NVD, CVE-2022-31684 affects Reactor Netty HTTP Server versions 1.0.11\u20131.0.23. The vulnerability involves raw HTTP request headers being logged at WARN level when an invalid request is handled. In version 1.0.7, the HTTP server code paths (HttpTrafficHandler, HttpOperations, ChannelOperationsHandler) use only log.debug \u2014 there are no log.warn calls in the server module at all. The vulnerable WARN-level logging was introduced in a later release (between 1.0.7 and 1.0.11). Because the vulnerable code paths are absent from this version, it is not affected."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:60fda37b-edb6-5489-bb7d-ac9f044891b4",
      "id": "CVE-2022-47932",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-47932 is a false positive for io.projectreactor.netty:reactor-netty 1.0.7-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:170b50a5-f309-5f09-9c6e-1f830a229176",
      "id": "CVE-2022-47933",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-47933 is a false positive for io.projectreactor.netty:reactor-netty 1.0.7-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:07c3d0c5-0aee-57ad-a9fd-5ec84e9733ad",
      "id": "CVE-2022-47934",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-47934 is a false positive for io.projectreactor.netty:reactor-netty 1.0.7-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:59f36a1e-c54a-5e0d-a625-0bdb1aeb98f2",
      "id": "CVE-2023-28360",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2023-28360 is a false positive for io.projectreactor.netty:reactor-netty 1.0.7-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2544ae7e-9a2f-55d9-af00-8f53b8005ba1",
      "id": "CVE-2023-34054",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-34054 affects version 1.0.7-tuxcare.1 of io.projectreactor.netty:reactor-netty."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a0939dde-1b76-5a5d-82ad-65c80aaf0b9c",
      "id": "CVE-2023-34062",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-34062 is fixed in version 1.0.7-tuxcare.1 of io.projectreactor.netty:reactor-netty."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:97444edb-fbaa-5c06-a041-29713c26ba4f",
      "id": "CVE-2025-22227",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22227 affects version 1.0.7-tuxcare.1 of io.projectreactor.netty:reactor-netty."
      },
      "affects": [
        {
          "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/io.projectreactor.netty/reactor-netty@1.0.7-tuxcare.1"
    }
  ]
}