[FP]: gRPC-Go CVE-2026-33186 reported against grpc-binary Swift Package Manager library

[kapitoshka438]

Package URl

pkg:swift/grpc-binary@1.69.1

CPE

cpe:2.3:a:grpc:grpc::::::go::*

CVE

CVE-2026-33186

ODC Integration

{"label" => "CLI"}

ODC Version

12.2.2

Description

Package.resolved contents:

...
    {
      "identity" : "grpc-binary",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/grpc-binary.git",
      "state" : {
        "revision" : "75b31c842f664a0f46a2e590a570e370249fd8f6",
        "version" : "1.69.1"
      }
    },
...

[github-actions]

Error parsing package url: pkg:swift/grpc-binary@1.69.1.

Error: Error: Invalid purl: swift requires a "namespace" component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/26030260485

[chadlwilson]

As the automation says, the PURL is not valid here. Needs to be corrected, as we need to be able to replicate it. We can't suppress FPs against invented PURLs.

Please also share ODC's JSON, XML or html report.

[kapitoshka438]

As the automation says, the PURL is not valid here. Needs to be corrected, as we need to be able to replicate it. We can't suppress FPs against invented PURLs.

Please also share ODC's JSON, XML or html report.

Sorry, I don't know what PURL is valid here, but here are html and json reports

dependency-check-report.html
dependency-check-report.json

[chadlwilson]

Hmm, yeah, the PURL you added is as reported by ODC, but it's invalid which might mean ODC needs a fix to generate that correctly first. We probably need to fix that in ODC before we can think about managing a suppression for this.on behalf of users.

Also, note that generally speaking we dont maintain CVE-by-CVE suppressions (as needed for grpc) as they are unmaintainable at scale. Grpc is treated specially just due to how widespread it is. But it's also the worst because there are so many impls and some share code (cpp, ruby, python, others) and some do not (java, golang, js?) and it's easy to create false negatives.

In the short term you might want to maintain your own suppression.