gson CVE-2022-25647

[antonmos]

Description

gson 2.8.5 has the aforementioned CVE. gson 2.8.9 fixes the issue
However, this comment says that gson cannot be updated until google/gson#1597 is fixed (it's not)

Seems like some workaround is necessary.

[bruno-garcia]

We no longer have a dependency on Gson starting on version 6.0.0. We plan to GA this very soon.

[marandaneto]

As a quick workaround, you can add the dependency of gson directly:

implementation 'com.google.code.gson:gson:2.9.0'

Gradle and/or Maven will actually prefer this version instead of Sentry's transitive dependency.

[bruno-garcia]

Unfortunately bumping Gson to 2.9.0 will break a ton of different things so we're not able to merge and ship this on 5.x.
The CVE-2022-25647 was resolved on version 6.0.0 of the SDK though which is already completed and in its final form. We have a Release Candidate out, and if no bug reports come in, we'll release as GA: https://github.com/getsentry/sentry-java/releases/tag/6.0.0-rc.1

Please give this version a try and let us know if you encounter any issues. If you can't release with an RC, bumping only to get your CI pipeline to run and do some manual tests is helpful enough for us to get the feedback we need to GA this.

[antonmos]

Unfortunately bumping Gson to 2.9.0 will break a ton of different things so we're not able to merge and ship this on 5.x. The CVE-2022-25647 was resolved on version 6.0.0 of the SDK though which is already completed and in its final form. We have a Release Candidate out, and if no bug reports come in, we'll release as GA: https://github.com/getsentry/sentry-java/releases/tag/6.0.0-rc.1

Please give this version a try and let us know if you encounter any issues. If you can't release with an RC, bumping only to get your CI pipeline to run and do some manual tests is helpful enough for us to get the feedback we need to GA this.

I don't have time to experiment with 6.x at the moment, but hope to do that eventually.

FWIW, I added a direct dependency on gson 2.9.0 in my project and my test exception got delivered to sentry correctly.
Could you elaborate what the expected breakage is? is it for android projects only?

[bruno-garcia]

Yeah it's only on Android, but I'll need to ask the team for details on the issue