Upgrade grpc-core Java SDK dependency to avoid CWE-404 #695
Assignees
Labels
area/build
dependencies
Pull requests that update a dependency file
kind/bug
Some behavior is incorrect or out of spec
language/java
resolution/fixed
This issue was fixed
size/S
Estimated effort to complete (1-2 days).
Milestone
Comments
t0yv0
added
kind/bug
dixler
added
size/S
|
Not sure I understand this one, do I understand correctly it was reverted? |
|
I've reverted it because it made our tests fail. We probably need to try again, this time paying attention to why the tests fail and if there is any way to mitigate the problem and upgrade after all. |
|
This is now fixed (dep upgraded) + detailed workaround for the minimal example in #806 |
|
Cannot close issue without required labels: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened?
https://ossindex.sonatype.org/vulnerability/sonatype-2021-0818?component-type=maven&component-name=io.grpc%2Fgrpc-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0
CWE-404: Improper Resource Shutdown or Release
Note that previously we noticed some issues with tests not passing after upgrading gRPC deps, so this might need some work.
Steps to reproduce
Expected Behavior
Actual Behavior
Versions used
No response
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: