Closed barvek closed 1 year ago
I double-checked this within my local copy of the java core project (the most recent code) and v4.10 of okhttp is being referenced and not v4.9.3. Are you sure you are not explicitly declaring okhttp as a dependency? Perhaps you are specifying v4.9.3 as an override to what is defined by the java core.
[padams@woodchuck 10:22:50 ~/work/cores/java]
$ mvn dependency:tree | grep okhttp
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
[INFO] +- com.squareup.okhttp3:logging-interceptor:jar:4.10.0:compile
[INFO] +- com.squareup.okhttp3:okhttp-urlconnection:jar:4.10.0:compile
[INFO] +- com.squareup.okhttp3:mockwebserver:jar:4.10.0:test
No, I am not defining it explicitly. I have also cleaned my Maven cache (.m2 repository) locally, but I am still having the same issue. On top of that, the Snyk vulnerability assessment tool is also reporting this as a vulnerability in my project, hence I am adding version 4.10.0 manually, as no other solution seems to be working for me. I have checked that no other dependency in my pom.xml is adding an older okhttp version as well.
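One way to do the manual pin described above without declaring okhttp as a direct dependency is a dependencyManagement entry, which Maven applies to every transitive path as well (added example, not from this thread or the sdk-core project; it assumes the groupId/artifactIds shown in the dependency:tree output above and that 4.10.0 is the version you want):

```xml
<!-- Added example, not part of the thread or the sdk-core project.
     Assumes: the project depends on sdk-core and the okhttp artifacts use the
     coordinates from the dependency:tree output above. A dependencyManagement
     entry forces the chosen version on every transitive path, including the
     one that is currently bringing in 4.9.3, without adding okhttp as a direct
     dependency of the project. All three artifacts are pinned together so the
     okhttp companion jars stay on a matching version. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
      <version>4.10.0</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>logging-interceptor</artifactId>
      <version>4.10.0</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp-urlconnection</artifactId>
      <version>4.10.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

To confirm the pin took effect, and to find which dependency was introducing 4.9.3 in the first place, run `mvn dependency:tree -Dincludes=com.squareup.okhttp3 -Dverbose`: with a plugin version that honours `-Dverbose`, the managed artifacts are annotated with "version managed from 4.9.3" and the path that pulled in the old version is shown, which is what to paste into a thread like this one.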
I suspect that the older okhttp version is being pulled in by some other dependency used by your project. Could you provide a link to your project? I'd like to clone it and do some Maven experiments, etc.
I am pulling sdk-core version 9.17.3 and it is still pulling the vulnerable okhttp 4.9.3 dependency into my project.
The documentation says it's updated to 4.10.0, but in reality it's still pulling the vulnerable version.