From 8a5ceb629b54308513323bfbcaa7aaebdc73c380 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Sat, 3 Jun 2023 12:12:38 +0100 Subject: [PATCH 1/3] Update guava dependency to address CVE-2023-2976 --- examples/example-debug/pom.xml | 2 +- examples/example-hostname/pom.xml | 2 +- examples/pom.xml | 2 +- gradle/libs.versions.toml | 4 ++-- repositories.bzl | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/example-debug/pom.xml b/examples/example-debug/pom.xml index f720880e616..f3822123220 100644 --- a/examples/example-debug/pom.xml +++ b/examples/example-debug/pom.xml @@ -58,7 +58,7 @@ com.google.guava guava - 31.1-jre + 32.0.0-jre junit diff --git a/examples/example-hostname/pom.xml b/examples/example-hostname/pom.xml index 0bcfd56207f..728cecdcac1 100644 --- a/examples/example-hostname/pom.xml +++ b/examples/example-hostname/pom.xml @@ -58,7 +58,7 @@ com.google.guava guava - 31.1-jre + 32.0.0-jre junit diff --git a/examples/pom.xml b/examples/pom.xml index 8733d7dd553..c65d24f99b2 100644 --- a/examples/pom.xml +++ b/examples/pom.xml @@ -63,7 +63,7 @@ com.google.guava guava - 31.1-jre + 32.0.0-jre org.apache.tomcat diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index cc725c4986a..59d69203fd4 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -2,7 +2,7 @@ # Compatibility problem with internal version getting onto 1.5.3. # https://github.com/grpc/grpc-java/pull/9118 googleauth = "1.4.0" -guava = "31.1-android" +guava = "32.0.0-android" netty = '4.1.87.Final' nettytcnative = '2.0.56.Final' opencensus = "0.31.1" 
@@ -36,7 +36,7 @@ gson = "com.google.code.gson:gson:2.10.1" guava = { module = "com.google.guava:guava", version.ref = "guava" } guava-betaChecker = "com.google.guava:guava-beta-checker:1.0" guava-testlib = { module = "com.google.guava:guava-testlib", version.ref = "guava" } -guava-jre = "com.google.guava:guava:31.1-jre" +guava-jre = "com.google.guava:guava:32.0.0-jre" hdrhistogram = "org.hdrhistogram:HdrHistogram:2.1.12" javax-annotation = "org.apache.tomcat:annotations-api:6.0.53" jetty-alpn-agent = "org.mortbay.jetty.alpn:jetty-alpn-agent:2.0.10" diff --git a/repositories.bzl b/repositories.bzl index eb393c95a97..f4d7e868fc3 100644 --- a/repositories.bzl +++ b/repositories.bzl @@ -20,7 +20,7 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [ "com.google.code.gson:gson:2.10.1", "com.google.errorprone:error_prone_annotations:2.18.0", "com.google.guava:failureaccess:1.0.1", - "com.google.guava:guava:31.1-android", + "com.google.guava:guava:32.0.0-android", "com.google.re2j:re2j:1.7", "com.google.truth:truth:1.0.1", "com.squareup.okhttp:okhttp:2.7.5", From 14739e18c8173d502b77cc5baecc5c5a831a0cf5 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Wed, 7 Jun 2023 00:15:18 +0100 Subject: [PATCH 2/3] Align requireUpperBoundDepsMatch to Maven requireUpperBoundDeps Maven requireUpperBoundDeps checks that the version for each dependency resolved during a build, is equal to or higher than all transitive dependency declarations. It is not required for a resolved dependency to exactly match all transitive dependency declarations. As a proof-of-concept, this implementation uses Gradle's VersionNumber utility, which is deprecated and scheduled to be removed in Gradle 9. An alternative (or custom) version comparison utility should be used. --- build.gradle | 4 ++-- examples/pom.xml | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 42e008e80d6..dda2ae0b558 100644 --- a/build.gradle +++ b/build.gradle 
@@ -498,9 +498,9 @@ def requireUpperBoundDepsMatch(Configuration conf, Project project) { version = ((ModuleComponentSelector) result.requested).version } String goldenVersion = golden[artifact] - if (goldenVersion != version && "[$goldenVersion]" != version) { + if (VersionNumber.parse(version) > VersionNumber.parse(goldenVersion)) { throw new RuntimeException( - "Maven version skew: $artifact ($version != $goldenVersion) " + "Maven version skew: $artifact ($version > $goldenVersion) " + "Bad version dependency path: " + depAndParents.parents + " Run './gradlew $project.path:dependencies --configuration $conf.name' " + "to diagnose") diff --git a/examples/pom.xml b/examples/pom.xml index c65d24f99b2..476eea4e000 100644 --- a/examples/pom.xml +++ b/examples/pom.xml @@ -65,6 +65,11 @@ guava 32.0.0-jre + + com.google.j2objc + j2objc-annotations + 2.8 + org.apache.tomcat annotations-api From de683475f66c6dabe0b26524a667e3ef8cf2fb35 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Mon, 12 Jun 2023 17:12:48 +0100 Subject: [PATCH 3/3] Explicit dependencies to keep versions in step with newer Guava Revert change to requireUpperBoundDepsMatch since explicit dependencies are the correct way to resolve the version inconsistency in transitive dependencies. --- build.gradle | 4 ++-- examples/example-debug/pom.xml | 2 +- examples/example-hostname/pom.xml | 2 +- examples/pom.xml | 2 +- gcp-observability/build.gradle | 4 +++- gradle/libs.versions.toml | 6 ++++-- repositories.bzl | 2 +- services/build.gradle | 3 ++- 8 files changed, 15 insertions(+), 10 deletions(-) diff --git a/build.gradle b/build.gradle index dda2ae0b558..42e008e80d6 100644 --- a/build.gradle +++ b/build.gradle 
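Review bot: The new condition no longer handles the Maven range form that the removed line accepted via `"[$goldenVersion]" != version`, and `VersionNumber.parse` cannot read a bracketed string such as `[32.0.0-jre]`; if I read Gradle's utility correctly it returns `VersionNumber.UNKNOWN` for input that does not begin with a digit, which compares below any real golden version and would let a range-pinned skew pass silently instead of failing as before. Stripping the brackets before parsing, e.g. `if (version.startsWith('[') && version.endsWith(']')) { version = version[1..-2] }`, or failing outright when either parse yields `VersionNumber.UNKNOWN`, keeps that case covered. The `-jre`/`-android` suffix is compared as an opaque qualifier, so it is worth confirming the intended result when the golden version and the resolved one differ only in that suffix. The enclosing requireUpperBoundDepsMatch starts and ends outside the hunk, and the third patch in this series reverts this change.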
@@ -498,9 +498,9 @@ def requireUpperBoundDepsMatch(Configuration conf, Project project) { version = ((ModuleComponentSelector) result.requested).version } String goldenVersion = golden[artifact] - if (VersionNumber.parse(version) > VersionNumber.parse(goldenVersion)) { + if (goldenVersion != version && "[$goldenVersion]" != version) { throw new RuntimeException( - "Maven version skew: $artifact ($version > $goldenVersion) " + "Maven version skew: $artifact ($version != $goldenVersion) " + "Bad version dependency path: " + depAndParents.parents + " Run './gradlew $project.path:dependencies --configuration $conf.name' " + "to diagnose") diff --git a/examples/example-debug/pom.xml b/examples/example-debug/pom.xml index f3822123220..b0750a19e8b 100644 --- a/examples/example-debug/pom.xml +++ b/examples/example-debug/pom.xml @@ -58,7 +58,7 @@ com.google.guava guava - 32.0.0-jre + 32.0.1-jre junit diff --git a/examples/example-hostname/pom.xml b/examples/example-hostname/pom.xml index 728cecdcac1..5520ffe201a 100644 --- a/examples/example-hostname/pom.xml +++ b/examples/example-hostname/pom.xml @@ -58,7 +58,7 @@ com.google.guava guava - 32.0.0-jre + 32.0.1-jre junit diff --git a/examples/pom.xml b/examples/pom.xml index 476eea4e000..b928e5be074 100644 --- a/examples/pom.xml +++ b/examples/pom.xml @@ -63,7 +63,7 @@ com.google.guava guava - 32.0.0-jre + 32.0.1-jre com.google.j2objc diff --git a/gcp-observability/build.gradle b/gcp-observability/build.gradle index 6f80ba1f7a4..9cef17fcd84 100644 --- a/gcp-observability/build.gradle +++ b/gcp-observability/build.gradle 
@@ -59,7 +59,9 @@ dependencies {
 libraries.animalsniffer.annotations, // Use our newer version
 libraries.guava.jre, // Use our newer version
 libraries.protobuf.java.util, // Use our newer version
- libraries.re2j // Use our newer version
+ libraries.re2j, // Use our newer version
+ libraries.checker.qual, // Explicit dependency to keep in step with version used by guava
+ libraries.j2objc.annotations // Explicit dependency to keep in step with version used by guava
 
 testImplementation testFixtures(project(':grpc-context')),
 project(':grpc-testing'),
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 59d69203fd4..31acfd13432 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -2,7 +2,7 @@
 # Compatibility problem with internal version getting onto 1.5.3.
 # https://github.com/grpc/grpc-java/pull/9118
 googleauth = "1.4.0"
-guava = "32.0.0-android"
+guava = "32.0.1-android"
 netty = '4.1.87.Final'
 nettytcnative = '2.0.56.Final'
 opencensus = "0.31.1"
@@ -21,6 +21,7 @@ animalsniffer = "org.codehaus.mojo:animal-sniffer:1.23"
 animalsniffer-annotations = "org.codehaus.mojo:animal-sniffer-annotations:1.23"
 auto-value = "com.google.auto.value:auto-value:1.10.1"
 auto-value-annotations = "com.google.auto.value:auto-value-annotations:1.10.1"
+checker-qual = "org.checkerframework:checker-qual:3.33.0"
 checkstyle = "com.puppycrawl.tools:checkstyle:8.28"
 commons-math3 = "org.apache.commons:commons-math3:3.6.1"
 conscrypt = "org.conscrypt:conscrypt-openjdk-uber:2.5.2"
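Review bot: The new `checker-qual` entry carries no indication of why it is pinned at 3.33.0, although the gcp-observability/build.gradle hunk above depends on it staying equal to the version Guava pulls in transitively, so the next Guava bump will quietly reintroduce the skew unless whoever edits `guava` knows to update both. A one-line comment above the entry, `# Keep in step with the checker-qual version guava depends on; update together with guava`, would record the coupling in the one place where versions are edited; the same applies to the `j2objc-annotations` entry added in the following hunk. Presumably the upper-bound check in build.gradle is what surfaces a mismatch, so documenting the pair here keeps that failure from being a surprise at the next upgrade.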
@@ -36,9 +37,10 @@ gson = "com.google.code.gson:gson:2.10.1" guava = { module = "com.google.guava:guava", version.ref = "guava" } guava-betaChecker = "com.google.guava:guava-beta-checker:1.0" guava-testlib = { module = "com.google.guava:guava-testlib", version.ref = "guava" } -guava-jre = "com.google.guava:guava:32.0.0-jre" +guava-jre = "com.google.guava:guava:32.0.1-jre" hdrhistogram = "org.hdrhistogram:HdrHistogram:2.1.12" javax-annotation = "org.apache.tomcat:annotations-api:6.0.53" +j2objc-annotations = " com.google.j2objc:j2objc-annotations:2.8" jetty-alpn-agent = "org.mortbay.jetty.alpn:jetty-alpn-agent:2.0.10" jsr305 = "com.google.code.findbugs:jsr305:3.0.2" junit = "junit:junit:4.13.2" diff --git a/repositories.bzl b/repositories.bzl index f4d7e868fc3..7d3bdb49894 100644 --- a/repositories.bzl +++ b/repositories.bzl @@ -20,7 +20,7 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [ "com.google.code.gson:gson:2.10.1", "com.google.errorprone:error_prone_annotations:2.18.0", "com.google.guava:failureaccess:1.0.1", - "com.google.guava:guava:32.0.0-android", + "com.google.guava:guava:32.0.1-android", "com.google.re2j:re2j:1.7", "com.google.truth:truth:1.0.1", "com.squareup.okhttp:okhttp:2.7.5", diff --git a/services/build.gradle b/services/build.gradle index 76a767dce8a..b834fcd2d79 100644 --- a/services/build.gradle +++ b/services/build.gradle @@ -23,7 +23,8 @@ dependencies { implementation libraries.protobuf.java.util, libraries.guava.jre // JRE required by protobuf-java-util - runtimeOnly libraries.errorprone.annotations + runtimeOnly libraries.errorprone.annotations, + libraries.j2objc.annotations // Explicit dependency to keep in step with version used by guava compileOnly libraries.javax.annotation testImplementation project(':grpc-testing'),
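Review bot: The added `j2objc-annotations` coordinate has a leading space inside the string, `" com.google.j2objc:j2objc-annotations:2.8"`, so the group id Gradle derives from the `group:name:version` notation would presumably be ` com.google.j2objc` rather than `com.google.j2objc`, and the dependency is unlikely to resolve (or the catalog to validate) for the `libraries.j2objc.annotations` references added in gcp-observability/build.gradle and services/build.gradle. It should read `j2objc-annotations = "com.google.j2objc:j2objc-annotations:2.8"`, matching the coordinate the second patch declares in examples/pom.xml. Worth confirming that a build using this catalog entry has actually been run before merging.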