Closed gargshubham49 closed 1 month ago
Can you please share your mvn dependency:tree output?
google-http-client-protobuf:1.44.1 depends on protobuf-java:1.21.12, which is not listed as vulnerable. In any case we override protobuf-java version to 3.25.3.
Link showing what meltsufin@ mentions above: https://github.com/googleapis/google-http-java-client/blob/v1.44.1/pom.xml#L601
Dependency graph shows protobuf-java version as 3.25.3
But the dependency check is showing the vulnerability for protobuf-java
What tool is that? I would suggest following up with them. Closing. Please re-open if you can confirm that it's not a problem with the tool or interpretation of its output.
We are using GCP dependencies with version 5.4.1. We got the HIGH severity vulnerability (CVE-2022-3171) in the library google-http-client-protobuf-1.44.1.jar, which is included by the following module: com.google.cloud:spring-cloud-gcp-data-datastore:5.4.1
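One way to confirm which protobuf-java version Maven actually resolves, and through which parent, from the mvn dependency:tree output requested in this thread. This is an added example, not code from the thread participants or the project; the sample tree, its nesting, and the helper names `parse_tree` and `resolved` are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the issue).
# The nesting is assumed; only the versions named in the thread are reused.
SAMPLE_TREE = r"""
[INFO] --- dependency:tree @ demo ---
[INFO] com.example:demo:jar:0.0.1
[INFO] +- com.google.cloud:spring-cloud-gcp-data-datastore:jar:5.4.1:compile
[INFO] |  +- com.google.http-client:google-http-client-protobuf:jar:1.44.1:compile
[INFO] |  |  \- com.google.protobuf:protobuf-java:jar:3.25.3:compile
[INFO] |  \- com.example:other-lib:jar:1.0:compile
[INFO] \- com.example:last-lib:jar:2.0:test
[INFO] BUILD SUCCESS
"""

# Each nesting level is three characters ("|  " or "   ") before "+- " or "\- ".
NODE = re.compile(r"^((?:[| ] {2})*)[+\\]- (\S+)")
ROOT = re.compile(r"[^\s:]+(?::[^\s:]+){3,4}")

def parse_tree(text):
    """Yield, for every node, the list of coordinates from the root down to it."""
    stack = []
    for raw in text.splitlines():
        line = re.sub(r"^\[INFO\] ?", "", raw).rstrip()
        m = NODE.match(line)
        if m:
            depth, coord = len(m.group(1)) // 3 + 1, m.group(2)
        elif ROOT.fullmatch(line):
            depth, coord = 0, line          # the project itself
        else:
            continue                        # banner or status line
        del stack[depth:]                   # leave any deeper branch
        stack.append(coord)
        yield list(stack)

def resolved(text, artifact_id):
    """Return [(version, [artifactIds root..target])] for each occurrence."""
    hits = []
    for path in parse_tree(text):
        parts = path[-1].split(":")
        if parts[1] == artifact_id:
            # Dependencies end in ":version:scope"; the root ends in ":version".
            version = parts[-2] if len(path) > 1 else parts[-1]
            hits.append((version, [p.split(":")[1] for p in path]))
    return hits

if __name__ == "__main__":
    for version, path in resolved(SAMPLE_TREE, "protobuf-java"):
        print(f"protobuf-java {version} via " + " > ".join(path))
```

A scanner finding attached to the google-http-client-protobuf jar can then be compared with the protobuf-java version that actually ends up on the classpath.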