
Upgrade guava to avoid CWE-379 #694

Closed
Tracked by #598
t0yv0 opened this issue Jun 23, 2022 · 4 comments
Labels
area/build dependencies Pull requests that update a dependency file kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed size/S Estimated effort to complete (1-2 days).
Milestone

Comments

@t0yv0 (Member) commented Jun 23, 2022

What happened?

https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0

Steps to reproduce

Expected Behavior

Actual Behavior

Versions used

No response

Additional context

No response

@t0yv0 t0yv0 added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jun 23, 2022
@dixler dixler added size/S Estimated effort to complete (1-2 days). dependencies Pull requests that update a dependency file and removed needs-triage Needs attention from the triage team language/java labels Jun 24, 2022
@pawelprazak (Contributor)

From the upstream issue: google/guava#4011

Updating to Guava 30.0 does not fix this security vulnerability. The method is merely deprecated. There currently exists no fix for this vulnerability.

@t0yv0 (Member, Author) commented Jul 6, 2022

This is very unfortunate. Just skimming through, it looks like there is no way to get rid of the warning that we get when publishing to Maven Central, but we can opt to ignore it. It seems to me our code might not really be vulnerable.

Is there a way to get rid of Guava dependency or this is not practical? If it's not practical we should defer it and ignore the warning for now.
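
The upstream issue linked above (google/guava#4011) concerns `com.google.common.io.Files.createTempDir()`, which creates the directory with `File.mkdir()` and therefore with a mode governed by the process umask; that is the CWE-379 pattern (temporary file or directory created with insecure permissions) the OSS Index advisory flags, and Guava 30.0 only deprecated the method. Whether a project is actually exposed comes down to whether its own code calls that method, not merely whether Guava is on the classpath. The following is an added example, not code from this thread or from the project: it places the deprecated call beside the `java.nio.file` replacement that fixes owner-only permissions at creation time, and adds a permission check that can be run against any directory. The class name `TempDirCheck`, the `example-` prefix and the helper names are assumptions; the deprecated call needs Guava on the classpath.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical class for illustration; not part of the project discussed above.
public final class TempDirCheck {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ,
                       PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    // The call the advisory is about. Guava 30.0 marks it @Deprecated but keeps the
    // behaviour: the directory is created via File.mkdir(), so its mode is 0777 masked
    // by the process umask (commonly 022, giving drwxr-xr-x), and other local users can
    // list it and read anything placed in it.
    @SuppressWarnings("deprecation")
    static File guavaTempDir() {
        return com.google.common.io.Files.createTempDir();
    }

    // Replacement proposed in the upstream issue: java.nio.file applies the requested
    // attributes when the directory is created, so it never exists with looser bits.
    static Path ownerOnlyTempDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        try {
            return Files.createTempDirectory(prefix, attr);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): POSIX bits are not applicable and the
            // per-user temp directory is protected by its ACL instead.
            return Files.createTempDirectory(prefix);
        }
    }

    // Audit check usable on the result of either API: true when any group/other bit is set.
    static boolean isAccessibleBeyondOwner(Path dir) throws IOException {
        try {
            return !OWNER_ONLY.containsAll(Files.getPosixFilePermissions(dir));
        } catch (UnsupportedOperationException e) {
            return false; // no POSIX permission bits to inspect on this platform
        }
    }

    public static void main(String[] args) throws IOException {
        Path viaGuava = guavaTempDir().toPath();
        Path viaNio = ownerOnlyTempDir("example-");
        try {
            System.out.println(viaGuava + " accessible beyond owner: "
                    + isAccessibleBeyondOwner(viaGuava));
            System.out.println(viaNio + " accessible beyond owner: "
                    + isAccessibleBeyondOwner(viaNio));
        } finally {
            Files.delete(viaGuava);
            Files.delete(viaNio);
        }
    }
}
```

Run on a typical Linux or macOS machine with umask 022, the Guava-created directory reports `true` and the `java.nio.file` one reports `false`. Searching a code base for `createTempDir(` (as opposed to `createTempDirectory(`) is the quickest way to tell whether the advisory applies to first-party code or only to a transitive dependency such as gRPC.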

@pawelprazak (Contributor)

AFAIK gRPC depends on guava; it would also be quite impractical for our code base.
What we could do would be to shade the deps, as mentioned a while back as a nice-to-have future change.

@t0yv0 (Member, Author) commented Jul 7, 2022

Ah, definitely a problem then. OK, let's just keep it in the backlog; I'll ignore this warning for now during releases.

@t0yv0 t0yv0 added this to the 0.76 milestone Aug 12, 2022
@t0yv0 t0yv0 added the resolution/fixed This issue was fixed label Aug 12, 2022
@t0yv0 t0yv0 closed this as completed Aug 12, 2022
@t0yv0 t0yv0 mentioned this issue Aug 16, 2022