Remove CVE-2020-8908 workaround

[jakobbraun]

After maven-core fixed CVE-2020-8908 (by updating the guava dependency) we can also remove the explicit exclude (added in 05dc12e) from the pom.xml again.

Additional vulnerability

• com.fasterxml.jackson.core:jackson-core:jar:2.13.4 in compile
  • sonatype-2022-6438: 1 vulnerability (7.5)
• org.yaml:snakeyaml:jar:1.33 in compile
  • CVE-2022-1471, severity CWE-502: Deserialization of Untrusted Data (9.8)

[redcatbear]

According the the CVE the problem was fixed in version 30.0. Latest at the moment is 31.1.

https://search.maven.org/artifact/org.checkerframework.annotatedlib/guava

[jakobbraun]

yes, but mvn-core did not update the dependency yet:

[INFO] +- org.apache.maven:maven-core:jar:3.8.1:compile [INFO] | +- com.google.inject:guice:jar:no_aop:4.2.1:compile [INFO] | | +- com.google.guava:guava:jar:25.1-android:compile

[kaklakariada]

Still not fixed in 3.8.4:

[INFO] +- org.apache.maven:maven-core:jar:3.8.4:provided
...
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.2:provided
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:provided
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:provided

[kaklakariada]

Still not fixed in 3.8.6:

[INFO] +- org.apache.maven:maven-core:jar:3.8.6:provided
...
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.2:provided
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:provided
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:provided

[redcatbear]

Version number for guice is not pinned in maven-core. Latests guice is 5.1. And it looks like this guice does not pin Guava. @kaklakariada , what am I overlooking here?

[kaklakariada]

You mean we could explicitly upgrade the transitive dependency guava? That would be an option, you are right. Unblocking this.

[ckunki]

After overriding dependency to guice 4.2.2 by 5.1.0 I still get

• com.google.guava:guava:jar:30.1-jre in compile
  • sonatype-2020-0926: 1 vulnerability (6.2)

I propose to keep the current workaround: exclude dependency to guava.