Remove guava dependency from indexer-core #75
Conversation
indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
Outdated
Show resolved
Hide resolved
It suffers from multiple CVEs: * guava < 24.1.1 is vulnerable to CVE-2018-10237. * guava < 30.0 is vulnerable to CVE-2020-8908. Moving to guava 30.1 will require moving to Java 8 so it's actually simpler to just remove the dependency altogether. Signed-off-by: Alexander Kurtakov <akurtako@redhat.com>
|
Running through jenkins at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/ If it passes, I'll merge |
There was a problem hiding this comment.
This missed some usages:
[ERROR] /Users/elharo/maven-indexer/indexer-reader/src/test/java/org/apache/maven/index/reader/TestUtils.java:[25,30] package com.google.common.base does not exist
[ERROR] /Users/elharo/maven-indexer/indexer-reader/src/test/java/org/apache/maven/index/reader/TestUtils.java:[28,40] package com.google.common.collect does not exist
[ERROR] /Users/elharo/maven-indexer/indexer-reader/src/test/java/org/apache/maven/index/reader/TestUtils.java:[28,1] static import only from classes and interfaces
|
I don't understand the request. It points to failure to compile in indexer-reader tests but that module has test dependency on guava. My patches removes the usages only from indexer-core. |
|
This PR failed in jenkins with the error messages pasted above. |
|
I don't see any build at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/ . Can you please share the link to the full log so I can look at it? |
|
The builds expire after some period of time. I'll have to run this through again. |
It suffers from multiple CVEs:
Moving to guava 30.1 will require moving to Java 8 so it's actually
simpler to just remove the dependency altogether.
Signed-off-by: Alexander Kurtakov akurtako@redhat.com