
Remove Guava #793

Merged
merged 1 commit into from
Jun 9, 2024

Conversation

yahavi
Member

@yahavi yahavi commented Jun 8, 2024

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.

Fix #792.

Remove Guava entirely from build-info.
Replace Guava's ArrayListMultimap with Apache Commons Collections' ArrayListValuedHashMap.
Replace Guava's HashMultimap with Apache Commons Collections' HashSetValuedHashMap.
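
The two substitutions named in the description are a class-for-class swap, but the Guava and Commons Collections interfaces are not identical, and a mechanical replace can change behaviour at call sites. The block below is an added example, not code from build-info or from this pull request, written against Apache Commons Collections 4 (org.apache.commons.collections4); the class name MultimapMigration and the artifact, checksum and tag strings are made up for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.collections4.ListValuedMap;
import org.apache.commons.collections4.MultiValuedMap;
import org.apache.commons.collections4.SetValuedMap;
import org.apache.commons.collections4.multimap.ArrayListValuedHashMap;
import org.apache.commons.collections4.multimap.HashSetValuedHashMap;

/** Guava Multimap -> Commons Collections MultiValuedMap, with the spots where a
 *  one-for-one replace changes behaviour or stops compiling. */
public class MultimapMigration {

    /** Was: Multimap<String, String> m = ArrayListMultimap.create();
     *  Duplicates under a key are kept and insertion order per key is preserved. */
    public static ListValuedMap<String, String> artifactChecksums() {
        ListValuedMap<String, String> m = new ArrayListValuedHashMap<>();
        m.put("libfoo.jar", "sha1:aaaa");   // made-up artifact/checksum pairs
        m.put("libfoo.jar", "md5:bbbb");
        m.put("libfoo.jar", "sha1:aaaa");   // retained: list semantics
        m.put("libbar.jar", "sha1:cccc");
        return m;                           // size() counts mappings, not keys
    }

    /** Was: Multimap<String, String> m = HashMultimap.create();
     *  Values under a key form a set, so the duplicate below collapses. */
    public static SetValuedMap<String, String> artifactTags() {
        SetValuedMap<String, String> m = new HashSetValuedHashMap<>();
        m.put("libfoo.jar", "release");
        m.put("libfoo.jar", "release");     // collapsed: set semantics
        m.put("libfoo.jar", "signed");
        return m;
    }

    /** Call sites that need attention after the swap. */
    public static Map<String, Collection<String>> migrateCallSites(
            ListValuedMap<String, String> lists, SetValuedMap<String, String> sets) {

        // Guava ArrayListMultimap.get(k) is a List<V>. Commons gives a List<V> only
        // when the variable is typed ListValuedMap; through the general MultiValuedMap
        // interface get(k) is a Collection<V>, so index-based code needs a copy.
        List<String> direct = lists.get("libfoo.jar");            // live List view
        MultiValuedMap<String, String> generic = lists;
        List<String> copy = new ArrayList<>(generic.get("libfoo.jar"));

        // Both libraries return an empty live view for an unknown key, never null,
        // and writing through that view inserts the key.
        boolean absent = lists.get("missing.jar").isEmpty();
        sets.get("libbaz.jar").add("unsigned");                   // creates the key

        // Guava removeAll(key)     -> Commons remove(key), returns the removed values.
        // Guava remove(key, value) -> Commons removeMapping(key, value).
        Collection<String> gone = lists.remove("libbar.jar");
        boolean removedOne = lists.removeMapping("libfoo.jar", "md5:bbbb");

        // Guava containsEntry(k, v) -> Commons containsMapping(k, v).
        boolean stillThere = lists.containsMapping("libfoo.jar", "sha1:aaaa");

        // asMap() exists in both; the Commons value type is Collection<V>.
        Map<String, Collection<String>> grouped = sets.asMap();
        Set<String> keys = sets.keySet();
        return grouped;
    }

    public static void main(String[] args) {
        ListValuedMap<String, String> lists = artifactChecksums();
        SetValuedMap<String, String> sets = artifactTags();
        System.out.println("list-backed mappings: " + lists.size());
        System.out.println("set-backed mappings:  " + sets.size());
        System.out.println(migrateCallSites(lists, sets));
    }
}
```

Typing fields as ListValuedMap or SetValuedMap rather than the general MultiValuedMap keeps the List/Set return type of get() that callers of the Guava classes were relying on, which is the difference most likely to surface only at runtime after a blind replace.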

@yahavi yahavi requested review from eyalbe4 and RobiNino June 8, 2024 09:08
@yahavi yahavi self-assigned this Jun 8, 2024
@yahavi yahavi added the improvement (Automatically generated release notes) and safe to test (Approve running integration tests on a pull request) labels Jun 8, 2024
@github-actions github-actions bot removed the safe to test (Approve running integration tests on a pull request) label Jun 8, 2024

github-actions bot commented Jun 8, 2024

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

| Severity | Contextual analysis | Direct dependencies | Impacted dependency | Fixed versions | CVEs |
|---|---|---|---|---|---|
| High | Not Applicable | org.mock-server:mockserver-netty:5.15.0 | com.google.guava:guava 31.1-jre | [32.0.0-android] | CVE-2023-2976 |
| High | Not Applicable | org.apache.maven:maven-core:3.8.6 | com.google.guava:guava 25.1-android | [32.0.0-android] | CVE-2023-2976 |
| High | Not Applicable | com.github.docker-java:docker-java:3.3.3 | com.google.guava:guava 19.0 | [32.0.0-android] | CVE-2023-2976 |
| Medium | Not Applicable | com.github.docker-java:docker-java:3.3.3 | com.google.guava:guava 19.0 | [24.1.1-android] | CVE-2018-10237 |
| Low | Not Applicable | com.github.docker-java:docker-java:3.3.3 | com.google.guava:guava 19.0 | [32.0.0-android] | CVE-2020-8908 |
| Low | Not Applicable | org.apache.maven:maven-core:3.8.6 | com.google.guava:guava 25.1-android | [32.0.0-android] | CVE-2020-8908 |
| Low | Not Applicable | org.mock-server:mockserver-netty:5.15.0 | com.google.guava:guava 31.1-jre | [32.0.0-android] | CVE-2020-8908 |

🔬 Research Details

[ CVE-2023-2976 ] com.google.guava:guava 19.0, 25.1-android, 31.1-jre

Description:
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

[ CVE-2018-10237 ] com.google.guava:guava 19.0

Description:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

[ CVE-2020-8908 ] com.google.guava:guava 19.0, 25.1-android, 31.1-jre

Description:
Guava is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more. It is widely used on most Java projects within Google, and widely used by many other companies as well.

The com.google.common.io.Files.createTempDir() function creates a temporary directory according to the java.io.tmpdir system property, which points to the default temporary directory path. Thus, an attacker having access to the local filesystem, and specifically to the java.io.tmpdir directory, can read all contents created under the directory returned from com.google.common.io.Files.createTempDir(). On Linux, by default, java.io.tmpdir points to /tmp, which is world-readable.

Remediation:

Deployment mitigations

Set the java.io.tmpdir property to a secure folder.
Add this option when running Java: java -Djava.io.tmpdir=/path/to/secure/tmpdir

Development mitigations

Use the secure alternative API call java.nio.file.Files.createTempDirectory().

Replace (Guava's createTempDir() returns a java.io.File):

File temp = com.google.common.io.Files.createTempDir();

With (the java.nio call returns a java.nio.file.Path):

Path temp = java.nio.file.Files.createTempDirectory("random-directory");
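
The Frogbot remediation above has a deployment half (point java.io.tmpdir at a private directory) and a development half (create temporary paths through java.nio.file.Files). The following is an added example, not code from the build-info project or from Frogbot, that carries the development mitigation through end to end: it creates the temporary directory and a file inside it with owner-only permissions applied in the same system call that creates them, then verifies the resulting mode, and it also checks whether the deployment-side java.io.tmpdir setting has actually been applied. The class name SecureTempDir, the prefix strings and the treatment of non-POSIX platforms are assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Temp-path handling that does not rely on java.io.tmpdir being private. */
public class SecureTempDir {

    private static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /**
     * Was (Guava, CVE-2020-8908): File dir = com.google.common.io.Files.createTempDir();
     * That used File.mkdir(), so the directory got the process umask; with the common
     * 022 umask other local users could list and read it under /tmp.
     *
     * java.nio's createTempDirectory already applies rwx------ on POSIX when no
     * attribute is given; it is passed explicitly here so the intent is visible and
     * the mode is set in the mkdir call itself, leaving no window to race.
     */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        if (posix()) {
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
            return Files.createTempDirectory(prefix, ownerOnly);
        }
        // Windows and other ACL-based file systems accept no POSIX attribute;
        // java.nio restricts the new directory to the creating user via its ACL.
        return Files.createTempDirectory(prefix);
    }

    /** Same pattern for a file inside that directory (the FileBackedOutputStream case). */
    public static Path createPrivateTempFile(Path dir, String prefix, String suffix) throws IOException {
        if (posix()) {
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
            return Files.createTempFile(dir, prefix, suffix, ownerOnly);
        }
        return Files.createTempFile(dir, prefix, suffix);
    }

    /** Post-condition: no group or other permission bit is set (POSIX only). */
    public static boolean isOwnerOnly(Path p) throws IOException {
        if (!posix()) {
            return true; // assumption of this example: ACL platforms are not inspected
        }
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            switch (perm) {
                case OWNER_READ:
                case OWNER_WRITE:
                case OWNER_EXECUTE:
                    break;
                default:
                    return false;
            }
        }
        return true;
    }

    /** Deployment-side check for -Djava.io.tmpdir=/path/to/secure/tmpdir:
     *  the stock /tmp is world-accessible and reports false here. */
    public static boolean tmpdirIsPrivate() throws IOException {
        return isOwnerOnly(Paths.get(System.getProperty("java.io.tmpdir")));
    }

    public static void main(String[] args) throws IOException {
        System.out.println("java.io.tmpdir is owner-only: " + tmpdirIsPrivate());
        Path dir = createPrivateTempDir("build-info-");        // prefix is an assumption
        Path file = createPrivateTempFile(dir, "buffer-", ".tmp");
        Files.write(file, "not for other users".getBytes(StandardCharsets.UTF_8));
        System.out.println(dir + " owner-only: " + isOwnerOnly(dir));
        System.out.println(file + " owner-only: " + isOwnerOnly(file));
        Files.delete(file);
        Files.delete(dir);
    }
}
```

The two halves are independent: a private java.io.tmpdir protects code you cannot change (the transitive Guava copies the scan attributes to mockserver-netty, maven-core and docker-java), while setting the mode at creation time protects your own code even when an operator leaves java.io.tmpdir at its default.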

@yahavi yahavi merged commit 28ac9af into jfrog:master Jun 9, 2024
40 of 41 checks passed
@yahavi yahavi deleted the remove-guava branch June 9, 2024 05:43
Labels
improvement Automatically generated release notes
Successfully merging this pull request may close these issues.

4.33.16 breaks because of multiple variants of com.google.guava:guava:32.1.3-jre
2 participants