Skip to content

Update library dependencies#459

Merged
thinkingserious merged 2 commits intotwilio:masterfrom
duttonw:cve-fix
Jul 9, 2019
Merged

Update library dependencies#459
thinkingserious merged 2 commits intotwilio:masterfrom
duttonw:cve-fix

Conversation

@duttonw
Copy link
Copy Markdown
Contributor

@duttonw duttonw commented May 23, 2019

Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086

Fixes issue #451

Contributing to Twilio

All third party contributors acknowledge that any contributions they provide will be made under the same open source license that the open source project is provided under.

  • [X ] I acknowledge that all my contributions will be made under the project's license.

@childish-sambino
Copy link
Copy Markdown
Contributor

childish-sambino commented May 24, 2019

Build is failing because guava 23 was the last version to support Java 7, unless switching to the -android variant.

@duttonw
Copy link
Copy Markdown
Contributor Author

duttonw commented May 26, 2019
edited
Loading

https://github.com/google/guava/wiki/CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.1

Nice to get to 23 but still in the cve range.

Java 7 is now EOL for the public since 2015 (2022? for people still paying and is still supported in Spring Framework 4.3.x until June 2020)
https://en.wikipedia.org/wiki/Java_version_history#cite_note-ReferenceC-163

thinkingserious
thinkingserious requested changes Jul 2, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@thinkingserious thinkingserious left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR @duttonw!

@duttonw
Update library dependencies
e475e25 
Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086, Ignored CVE-2019-12814 until 2.9.9.1 or 2.9.10 is published
@duttonw
Copy link
Copy Markdown
Contributor Author

duttonw commented Jul 3, 2019

Have ignored CVE-2019-12814 due to no release being out to fix this yet. Have included comments as what we are waiting on in the ignore owasp file.

@duttonw
Copy link
Copy Markdown
Contributor Author

duttonw commented Jul 3, 2019

Having to think outside the box to get the owasp checker to run on all versions of Java except 1.7 was interesting.

@thinkingserious thinkingserious merged commit c00c64c into twilio:master Jul 9, 2019
FalguniV pushed a commit to FalguniV/twilio-java that referenced this pull request Oct 13, 2020
@duttonw @FalguniV
Update library dependencies (twilio#459)
3900b86 
* Update library dependencies

Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086, Ignored CVE-2019-12814 until 2.9.9.1 or 2.9.10 is published

* Disable owasp for jdk 1.7 builds
FalguniV pushed a commit to FalguniV/twilio-java that referenced this pull request Oct 13, 2020
@duttonw @FalguniV
Update library dependencies (twilio#459)
d5be486 
* Update library dependencies

Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086, Ignored CVE-2019-12814 until 2.9.9.1 or 2.9.10 is published

* Disable owasp for jdk 1.7 builds
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thinkingserious thinkingserious thinkingserious requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@duttonw @childish-sambino @thinkingserious