Dependency version updates #3239
Comments
Graphql Java is not affected by this as only certain packages of guava are shaded. Afaiu the vuln affects File operations, which is not shaded by graphql Java. That being said, I am not sure the security scanners are able to understand this nuance.

Hi @andimarek, I understand and expected that there's no real vulnerability in graphql-java as it probably has no reason to create temporary files/dirs using Guava... but our problem is that we cannot exclude Guava from transitive dependencies of graphql-java and, as you say, the scanner is not sophisticated enough to look into anything more specific than the library level... hence, there's no way for us to "fix" the problem (other than going extreme and patching the graphql-java jar). I would appreciate, for this reason, a patch release updating dependencies if possible. Otherwise, we (and I believe others also doing this sort of scanning) will have to ignore the Guava CVE for now (even after already upgrading it on our side), which could open the door to mistakes.

Hi @renatoathaydes, so I can understand, how does your scanner detect Guava? Does your scanner read GraphQL Java's POM file or does it read the gradle build file? In GraphQL Java, after shading in selected Guava classes, we remove Guava from the POM.

@dondonz The Guava pom is embedded inside your jar. I believe that's why our tool flags it. Perhaps you could remove that pom and only embed the LICENSE file to be compliant with their license? Or is there a need to keep that pom in the jar?
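The detection path described in the comments above (a scanner keying on the Guava `pom.properties` embedded in the shaded jar) and the suggested fix (drop that descriptor, keep the LICENSE), as an added Python example that is not code from graphql-java or from any scanner. The sample jar and its contents are constructed here, and the 32.0.0 threshold is the fixed Guava version named in this thread.

```python
import io
import zipfile

GUAVA_FIXED = (32, 0, 0)  # CVE-2023-2976 is fixed in Guava 32.0.0 (per this thread)

def build_sample_jar():
    """Constructed sample: a shaded jar whose Guava classes were relocated, but
    which still carries Guava's Maven descriptor, the thing a scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("graphql/GraphQL.class", b"\xca\xfe\xba\xbe")
        jar.writestr("graphql/com/google/common/base/Preconditions.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                     "version=31.0.1-jre\ngroupId=com.google.guava\nartifactId=guava\n")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.xml", "<project/>")
        jar.writestr("META-INF/LICENSE", "Apache License 2.0")
    return buf.getvalue()

def embedded_coordinates(jar_bytes):
    """(groupId, artifactId, version) for every META-INF/maven/**/pom.properties."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = dict(
                    line.split("=", 1) for line in jar.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#"))
                found.append((props.get("groupId", ""), props.get("artifactId", ""),
                              props.get("version", "")))
    return found

def version_tuple(version):
    """'31.0.1-jre' -> (31, 0, 1); qualifiers such as '-jre' are dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def flagged_guava(jar_bytes):
    """What a coordinate-based scanner reports: Guava descriptors below the fixed version."""
    return [c for c in embedded_coordinates(jar_bytes)
            if c[:2] == ("com.google.guava", "guava") and version_tuple(c[2]) < GUAVA_FIXED]

def strip_maven_descriptors(jar_bytes, group_id, artifact_id):
    """Rewrite the jar without the shaded dependency's pom.* metadata; LICENSE is kept."""
    prefix = "META-INF/maven/%s/%s/" % (group_id, artifact_id)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not info.filename.startswith(prefix):
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()
```

Note that stripping the descriptor only changes what a metadata-based scanner sees; whether the shaded classes are actually exposed to the vulnerable code path is a separate question that the scanner cannot answer.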
For the record: the GitHub dependabot updated this version in #1c11a4ae591cc46c449fab57ec89f58523e9b754. master is now on 32.0.0 and a new release of graphql-java is now imminent.

And could the Guava upgrade be backported to 18 and 19 as well?

Hi @barchetta yes we will backport this upgrade to v18 and v19 as well. Coming soon!

Today I've released v18.6, v19.6, and v20.4; all releases only contain this Guava update and no other changes. These versions have already landed in Maven, so please update whenever you can.
Summary
Even though this is about a Guava vulnerability, because graphql-java shades the Guava library, vulnerabilities-scanning software is flagging graphql-java as also being vulnerable.
If I understand correctly, Guava has been updated already in graphql-java, but a "stable" release has not been made yet(?).
I am creating this ticket to ask if you could release a patch version including this update.
The Guava vulnerability reported at CVE-2023-2976 has been fixed in Guava version 32.0.0.
The latest stable version of graphql-java seems to be 20.3 as of writing, but that version is using Guava 31.0.1-jre.
The CVE is not published as of writing. But it's referenced in Guava's CHANGELOG.
The impact of the Guava vulnerability is explained here.