graphql-kotlin-schema-generator 1.2.2 contains security issue #449

@sgohlke

Description

Library Version
com.expediagroup:graphql-kotlin-schema-generator:1.2.2

Describe the bug
Sub-dependency org.reflections:reflections:0.9.11 contains com.google.guava:guava:20.0, which results in the following security issue:

com.expediagroup:graphql-kotlin-schema-generator:1.2.2 introduces com.google.guava:guava:20.0 which has 1 vulnerabilities
=> [CVE-2018-10237]  Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0)

To Reproduce
In a new Kotlin project:

  • Add as dependency
    implementation("com.expediagroup:graphql-kotlin-schema-generator:1.2.2")
  • Add as plugin
    id("net.ossindex.audit") version "0.4.11"
  • Run Gradle task audit

Expected behavior
Audit should not find any security issue.

Possible Fix
In graphql-kotlin-schema-generator/pom.xml exclude dependency guava for org.reflections:reflections, then add guava version 28.1-jre as new dependency.
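The reproduction steps and the proposed fix above, combined into one Gradle Kotlin DSL build script. This is an added example, not code from the issue or from the graphql-kotlin project: the reporter's fix is an exclusion plus a Guava pin in the library's own pom.xml, and the script below applies the consumer-side equivalent in a downstream Gradle project. The Kotlin plugin version and the `mavenCentral()` repository are assumptions. CVE-2018-10237 is fixed in Guava 24.1.1, so any later release clears the audit finding; the script uses the 28.1-jre the reporter suggests.

```kotlin
// build.gradle.kts (added example, not from the issue or the graphql-kotlin project)
// The Kotlin plugin version and the repository are assumptions.
plugins {
    kotlin("jvm") version "1.3.50"            // assumed Kotlin version
    id("net.ossindex.audit") version "0.4.11" // audit plugin named in the report
}

repositories {
    mavenCentral()
}

// false: reproduce the finding (guava 20.0 via reflections 0.9.11)
// true:  apply the consumer-side workaround (exclude + pin a patched guava)
val excludeVulnerableGuava = true

dependencies {
    implementation(kotlin("stdlib-jdk8"))

    // graphql-kotlin-schema-generator 1.2.2 -> org.reflections:reflections:0.9.11 -> guava 20.0
    implementation("com.expediagroup:graphql-kotlin-schema-generator:1.2.2") {
        if (excludeVulnerableGuava) {
            // Drop guava from every transitive path below this dependency.
            exclude(group = "com.google.guava", module = "guava")
        }
    }

    if (excludeVulnerableGuava) {
        // reflections still needs guava at runtime, so put a patched release on the
        // classpath directly. Any version >= 24.1.1 clears CVE-2018-10237;
        // 28.1-jre is the version the reporter proposes.
        implementation("com.google.guava:guava:28.1-jre")
    }
}
```

Run `./gradlew audit` with the flag set to `false` to see the CVE-2018-10237 finding, then with `true` to confirm it is gone. `./gradlew dependencyInsight --dependency guava --configuration runtimeClasspath` shows which Guava version was resolved and through which path, which is the check to keep in CI so a later upgrade of graphql-kotlin or reflections cannot silently reintroduce the old version.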

Labels

type: bug (Something isn't working)