GoogleCloudPlatform / appengine-plugins

A client Java library to manage App Engine Java applications for any project that performs App Engine Java application management. For example, the Maven, Gradle and Eclipse App Engine plugins, custom user tools, etc.
Apache License 2.0

Infinite loop Vulnerability in commons-compress library version being used #1019

Closed sandeshjkhoros closed 2 months ago

sandeshjkhoros commented 3 months ago

The commons-compress library version that is being used (1.24.0) has a vulnerability as reported here: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254296. We want to use the https://github.com/google/libphonenumber library in our company, but that has a transitive dependency on commons-compress, and due to the vulnerability we are not getting a go-ahead from our infosec team. Would appreciate it if the version of commons-compress were bumped up to 1.26.0.

suztomo commented 3 months ago

Checking

suztomo commented 3 months ago

https://github.com/GoogleCloudPlatform/appengine-plugins/pull/1014 will address it. Currently blocked by a CI failure.

sandeshjkhoros commented 3 months ago

Thank you for looking into this on priority!

sandeshjkhoros commented 3 months ago

@suztomo Once this change is merged, we will need to uptake the new version of appengine-plugins in https://github.com/GoogleCloudPlatform/appengine-plugins/tree/main/app-maven-plugin and then use the new version of app-maven-plugin in https://github.com/google/libphonenumber. Do I need to raise a separate request for those changes?

suztomo commented 3 months ago

I've never used https://github.com/google/libphonenumber. Where do you see libphonenumber using appengine-plugins? It's very unlikely a Java library has dependency on an appengine plugin.

sandeshjkhoros commented 3 months ago

> I've never used https://github.com/google/libphonenumber. Where do you see libphonenumber using appengine-plugins? It's very unlikely a Java library has dependency on an appengine plugin.

@suztomo It's a transitive dependency. libphonenumber has a dependency on app-maven-plugin, which in turn has a dependency on appengine-plugins-core, which is using the vulnerable version of commons-compress.

suztomo commented 3 months ago

I need to learn more. Where do you see the transitive dependency?

https://central.sonatype.com/artifact/com.googlecode.libphonenumber/libphonenumber => app-maven-plugin does not appear there.

The repository does not have "app-maven-plugin":

suztomo@suztomo2:~$ git clone https://github.com/google/libphonenumber
Cloning into 'libphonenumber'...
remote: Enumerating objects: 60426, done.
remote: Counting objects: 100% (1186/1186), done.
remote: Compressing objects: 100% (587/587), done.
remote: Total 60426 (delta 521), reused 1064 (delta 471), pack-reused 59240
Receiving objects: 100% (60426/60426), 226.39 MiB | 34.27 MiB/s, done.
Resolving deltas: 100% (34469/34469), done.
suztomo@suztomo2:~$ cd libphonenumber/
suztomo@suztomo2:~/libphonenumber$ grep -ir app-maven-plugin .
suztomo@suztomo2:~/libphonenumber$

sandeshjkhoros commented 3 months ago

Sorry, there was a typo. Check this in the libphonenumber pom.xml:

      <plugin>
        <groupId>com.google.cloud.tools</groupId>
        <artifactId>appengine-maven-plugin</artifactId>
        <version>2.4.4</version>
        <configuration>
        </configuration>
      </plugin>
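The snippet above declares a build plugin, not a dependency, and Maven treats the two very differently: entries under `<build><plugins>` run on the build machine and are never passed on to projects that consume the published artifact, while entries under `<dependencies>` with `compile` or `runtime` scope (and not marked `optional`) are. The following added example (not code from the libphonenumber or appengine-plugins projects) parses a constructed pom.xml and separates the two sets so a reviewer can see what a consumer actually inherits. It only reads the one pom it is given; parent inheritance and `<dependencyManagement>` are not resolved, which is why the published artifact's pom, not a demo module's, is the one to check.

```python
"""Separate consumer-visible dependencies from build-only plugins in a pom.xml."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom: a hypothetical com.example:phone-demo module that
# depends on libphonenumber and declares appengine-maven-plugin as a build plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>phone-demo</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.googlecode.libphonenumber</groupId>
      <artifactId>libphonenumber</artifactId>
      <version>8.13.32</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>optional-extra</artifactId>
      <version>1.0</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>com.google.cloud.tools</groupId>
        <artifactId>appengine-maven-plugin</artifactId>
        <version>2.4.4</version>
      </plugin>
    </plugins>
  </build>
</project>
"""


def _text(element, tag, default=""):
    """Text of a direct child element in the Maven namespace, or a default."""
    child = element.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else default


def _coord(element):
    return f"{_text(element, 'groupId')}:{_text(element, 'artifactId')}:{_text(element, 'version')}"


def consumer_visible_dependencies(pom_xml):
    """Dependencies Maven propagates to projects that depend on this artifact.

    Only compile and runtime scope propagate; test and provided scope do not,
    and optional dependencies are dropped from the consumer's graph as well.
    """
    root = ET.fromstring(pom_xml)
    visible = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        scope = _text(dep, "scope", "compile")
        optional = _text(dep, "optional", "false") == "true"
        if scope in ("compile", "runtime") and not optional:
            visible.append(_coord(dep))
    return visible


def build_plugins(pom_xml):
    """Build plugins: executed during this module's build, never inherited by consumers."""
    root = ET.fromstring(pom_xml)
    return [_coord(p) for p in root.findall("m:build/m:plugins/m:plugin", NS)]


if __name__ == "__main__":
    print("propagates to consumers:", consumer_visible_dependencies(SAMPLE_POM))
    print("build-time only:        ", build_plugins(SAMPLE_POM))
```

Run against the sample, the appengine-maven-plugin coordinate shows up only in the build-only list, and the test-scoped and optional dependencies are absent from the consumer-visible list.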
suztomo commented 3 months ago

Can you give me the URL of the file you're looking at?

https://central.sonatype.com/artifact/com.googlecode.libphonenumber/libphonenumber/overview does not have it.

sandeshjkhoros commented 3 months ago

@suztomo Here is the file: https://github.com/google/libphonenumber/blob/master/java/demo/pom.xml

suztomo commented 3 months ago

Thank you. That’s a pom.xml for demonstration on how to use the libphonenumber. It’s irrelevant to the dependencies of libphonenumber.

sandeshjkhoros commented 3 months ago

> Thank you. That's a pom.xml for demonstration on how to use the libphonenumber. It's irrelevant to the dependencies of libphonenumber.

Right, only the demo module has the dependency that leads to the vulnerable library down the dependency graph. We have added the following dependency in our project, which pulls in the dependencies of the demo module as well.

        <dependency>
            <groupId>com.googlecode.libphonenumber</groupId>
            <artifactId>libphonenumber</artifactId>
            <version>8.13.32</version>
        </dependency>
suztomo commented 3 months ago

That dependency declaration of <artifactId>libphonenumber</artifactId> does not pull the demo module. You can confirm that via “mvn dependency:tree” and https://central.sonatype.com/artifact/com.googlecode.libphonenumber/libphonenumber/overview .
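`mvn dependency:tree` is the authoritative check here: it prints the resolved graph of the consuming project, so whatever path (if any) leads to commons-compress is visible along with the version that actually wins. The added example below (not code from either project) parses a constructed `dependency:tree` output and reports every occurrence of a given group:artifact whose version is below a fixed version, together with the path that introduced it. The `com.example:archive-helper` artifact in the sample is hypothetical and stands in for whatever dependency really brings commons-compress in; libphonenumber itself does not, as the thread establishes.

```python
"""Scan `mvn dependency:tree` output for a vulnerable artifact version and its path."""
import re

# Constructed sample output. The hypothetical com.example:archive-helper is the
# artifact that drags in commons-compress 1.24.0; libphonenumber brings nothing in.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.googlecode.libphonenumber:libphonenumber:jar:8.13.32:compile
[INFO] +- com.example:archive-helper:jar:2.0.0:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.24.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
"""

# Tree drawing uses 3-character cells ("+- ", "\- ", "|  ", "   "); the coordinate
# has 4 to 6 colon-separated parts: group:artifact:type[:classifier]:version[:scope].
TREE_LINE_RE = re.compile(
    r"^(?P<prefix>(?:\+- |\\- |\|  |   )*)"
    r"(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})(?: \(.*\))?$"
)


def parse_tree(text):
    """Return (depth, group, artifact, version, scope) for every node in the tree."""
    nodes = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        match = TREE_LINE_RE.match(line)
        if not match:
            continue  # plugin banner, separators and other non-tree lines
        depth = len(match.group("prefix")) // 3
        parts = match.group("coord").split(":")
        if len(parts) == 4:        # root module: group:artifact:type:version
            version, scope = parts[3], None
        elif len(parts) == 5:      # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        elif len(parts) == 6:      # group:artifact:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        else:
            continue
        nodes.append((depth, parts[0], parts[1], version, scope))
    return nodes


def version_key(version):
    """Comparison key from the numeric components: '1.24.0' -> (1, 24, 0)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_below_fixed(text, group_artifact, fixed_version):
    """Every node matching group:artifact with version < fixed_version, with its path."""
    target = tuple(group_artifact.split(":"))
    path = []    # coordinates from the root to the current node, indexed by depth
    hits = []
    for depth, group, artifact, version, scope in parse_tree(text):
        del path[depth:]
        path.append(f"{group}:{artifact}")
        if (group, artifact) == target and version_key(version) < version_key(fixed_version):
            hits.append({"version": version, "scope": scope, "path": list(path)})
    return hits


if __name__ == "__main__":
    for hit in find_below_fixed(SAMPLE_TREE, "org.apache.commons:commons-compress", "1.26.0"):
        print(f"{hit['version']} ({hit['scope']}) via " + " -> ".join(hit["path"]))
```

Pipe real output in with `mvn dependency:tree | python3 scan_tree.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; an empty result means no path in the consuming project resolves to a version below the fix, which is exactly the confirmation the thread is after. Lines with `(version managed from ...)` annotations are accepted; the version reported is the one Maven resolved, so the path tells you which dependency to pin or exclude.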

sandeshjkhoros commented 3 months ago

> That dependency declaration of <artifactId>libphonenumber</artifactId> does not pull the demo module. You can confirm that via "mvn dependency:tree" and https://central.sonatype.com/artifact/com.googlecode.libphonenumber/libphonenumber/overview .

This is great news, thank you!