Remove guava dependency from indexer-core #75
Review comment (outdated, resolved) on indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
It suffers from multiple CVEs:
* guava < 24.1.1 is vulnerable to CVE-2018-10237.
* guava < 30.0 is vulnerable to CVE-2020-8908.
Moving to guava 30.1 will require moving to Java 8 so it's actually simpler to just remove the dependency altogether.
Signed-off-by: Alexander Kurtakov <akurtako@redhat.com>
Guava 30.1-android does support Java 7. However, it's still better to remove this.
Running through jenkins at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/ . If it passes, I'll merge.
This missed some usages:
[ERROR] /Users/elharo/maven-indexer/indexer-reader/src/test/java/org/apache/maven/index/reader/TestUtils.java:[25,30] package com.google.common.base does not exist
[ERROR] /Users/elharo/maven-indexer/indexer-reader/src/test/java/org/apache/maven/index/reader/TestUtils.java:[28,40] package com.google.common.collect does not exist
[ERROR] /Users/elharo/maven-indexer/indexer-reader/src/test/java/org/apache/maven/index/reader/TestUtils.java:[28,1] static import only from classes and interfaces
I don't understand the request. It points to a failure to compile in the indexer-reader tests, but that module has a test dependency on guava. My patch removes the usages only from indexer-core.
This PR failed in jenkins with the error messages pasted above.
I don't see any build at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/ . Can you please share the link to the full log so I can look at it?
The builds expire after some period of time. I'll have to run this through again.
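The compile errors pasted above (com.google.common imports left in a module after the dependency is pulled) are the kind of thing a quick repository audit catches before CI does. The following is an added example, not code from this PR or from the maven-indexer project: a Python script that walks a Maven multi-module checkout, lists every Java source that still imports `com.google.common.*`, and cross-checks each module's own pom.xml for a declared guava dependency and its scope. The module names, file names and pom contents in the demo are constructed to mirror the thread and are hypothetical, not the real project tree; the audit only looks at dependencies declared directly in each module's pom, not at what arrives transitively.

```python
"""Audit a Maven multi-module checkout for Java sources that still import Guava
(com.google.common.*) and cross-check each module's pom.xml for a guava dependency."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Captures the imported name from "import com.google.common.X;" and
# "import static com.google.common.X.y;" lines.
GUAVA_IMPORT = re.compile(r"^\s*import\s+(?:static\s+)?(com\.google\.common\.[\w.]+)", re.M)

def _local(tag):
    """Strip the XML namespace: '{http://...}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]

def _walk(elem, path=()):
    """Yield (element, tuple of local tag names from the root) for the whole tree."""
    path = path + (_local(elem.tag),)
    yield elem, path
    for child in elem:
        yield from _walk(child, path)

def guava_scope(pom_path):
    """Scope of the guava dependency declared in pom.xml, or None if absent.
    <dependencyManagement> entries are skipped: they pin a version, not the classpath."""
    root = ET.parse(pom_path).getroot()
    for dep, path in _walk(root):
        if path[-2:] != ("dependencies", "dependency") or "dependencyManagement" in path:
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "com.google.guava" and fields.get("artifactId") == "guava":
            return fields.get("scope", "compile")  # Maven's default scope
    return None

def guava_imports(src_root):
    """Map each Java file under src_root (relative path) to its Guava imports."""
    hits = {}
    for dirpath, _, files in os.walk(src_root):  # silently empty if src_root is absent
        for name in files:
            if not name.endswith(".java"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as f:
                found = GUAVA_IMPORT.findall(f.read())
            if found:
                hits[os.path.relpath(path, src_root)] = found
    return hits

def audit_modules(repo_root):
    """Return {module: {scope, main, test, problems}} for every module importing Guava."""
    report = {}
    for module in sorted(os.listdir(repo_root)):
        pom = os.path.join(repo_root, module, "pom.xml")
        if not os.path.isfile(pom):
            continue
        main_hits = guava_imports(os.path.join(repo_root, module, "src", "main"))
        test_hits = guava_imports(os.path.join(repo_root, module, "src", "test"))
        if not main_hits and not test_hits:
            continue
        scope, problems = guava_scope(pom), []
        if main_hits and scope not in ("compile", "provided"):
            problems.append("main code imports Guava but pom declares scope %r" % scope)
        if test_hits and scope is None:
            problems.append("test code imports Guava but pom declares no guava dependency")
        report[module] = {"scope": scope, "main": main_hits, "test": test_hits, "problems": problems}
    return report

def build_demo_repo(root):
    """Write a constructed two-module layout that mirrors the thread (hypothetical files)."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><artifactId>{}</artifactId>'
           "<dependencies>{}</dependencies></project>")
    guava = "<dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>{}</dependency>"
    # indexer-core: guava dropped from the pom, but one main-code import was missed.
    write("indexer-core/pom.xml", pom.format("indexer-core", ""))
    write("indexer-core/src/main/java/A.java", "import com.google.common.base.Strings;\nclass A {}\n")
    # indexer-reader: guava declared with test scope and used only from test code.
    write("indexer-reader/pom.xml", pom.format("indexer-reader", guava.format("<scope>test</scope>")))
    write("indexer-reader/src/test/java/TestUtils.java",
          "import com.google.common.base.Function;\n"
          "import static com.google.common.collect.Iterables.transform;\nclass TestUtils {}\n")

def run_demo():
    """Build the constructed repo in a temp dir and return the audit report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_repo(root)
        return audit_modules(root)

if __name__ == "__main__":
    for module, info in run_demo().items():
        print(module, "scope=%s" % info["scope"], info["problems"] or "ok")
```

Point `audit_modules` at a real checkout instead of the demo to get the per-module picture; in the constructed case it flags indexer-core (main code still importing Guava with no declaration) and leaves indexer-reader alone (test-scope declaration, test-only usage), which is the distinction the two participants above were talking past each other on.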