search

google / closure-compiler

A JavaScript checker and optimizer.
https://developers.google.com/closure/compiler/
Apache License 2.0
7.31k stars 1.15k forks source link

com.google.guava vulnerability issue in closure-compiler-20220502 #4128

Closed vaibhavbhanawat01 closed 8 months ago

vaibhavbhanawat01 commented 8 months ago

We are currently using closure-compiler-20220502. Because of google guava vulnerability we need to update com.google.guava version to 32.0.1-jre. We tried few of the approach but it still showing 31.0.1-jre version. Below is the workspace.bazel. can someone please help here

`workspace(name = "com_google_javascript_jscomp")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.2" RULES_JVM_EXTERNAL_SHA = "cd1a77b7b02e8e008439ca76fd34f5b07aecb8c752961f9640dea15e9e5ba1ca"

http_archive( name = "rules_jvm_external", strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG, sha256 = RULES_JVM_EXTERNAL_SHA, url = "https://github.com/bazelbuild/rules_jvm_external/archive/%s.zip" % RULES_JVM_EXTERNAL_TAG, )

http_archive( name = "google_bazel_common",

output from sha256sum on the downloaded zip file

sha256 = "cb37c4977b01311f72157897b1b180b6caf2fc88336ee64b39152af61f8708a9",
strip_prefix = "bazel-common-82a7dd0f4cd8593fdaa40d65a1fa820b14ff3493",
urls = [
  "https://github.com/google/bazel-common/archive/82a7dd0f4cd8593fdaa40d65a1fa820b14ff3493.zip",
],

)

load("@google_bazel_common//:workspace_defs.bzl", "google_common_workspace_rules", "maven_import")

google_common_workspace_rules()

maven_import(

http://args4j.kohsuke.org/index.html

group_id = "args4j",
artifact_id = "args4j",
version = "2.33",
sha256 = "91ddeaba0b24adce72291c618c00bbdce1c884755f6c4dba9c5c46e871c69ed6",
licenses = ["notice"],

)

maven_import(

https://github.com/java-diff-utils/java-diff-utils

group_id = "io.github.java-diff-utils",
artifact_id = "java-diff-utils",
version = "4.0",
sha256 = "810232374e76a954949f0e2185cd7d9515addb918cf3da3481f77e07c356b49a",
licenses = ["notice"],

)

maven_import(

https://github.com/google/gson

group_id = "com.google.code.gson",
artifact_id = "gson",
version = "2.7",
sha256 = "2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32",
licenses = ["notice"],

)

maven_import(

https://github.com/google/re2j

group_id ="com.google.re2j",
artifact_id = "re2j",
version ="1.3",
sha256 = "d8040fa1c54c1ce208199015b6e599ec2ef37b7780f8f55a8b4b4b4299bade19",
licenses = ["notice"],

)

maven_import(

https://ant.apache.org/

group_id ="org.apache.ant",
artifact_id = "ant",
version ="1.10.11",
sha256 = "88c0b89bbbaae01e0d9fcae93be792f5abbe3409106f8eee858fdf365dbc0754",
licenses = ["notice"],

)

maven_import(

https://github.com/google/gson

group_id = "com.google.guava",
artifact_id = "guava-parent",
version = "32.0.1-jre",
sha256 = "dc4e1c8b6fdfe22ac99e1bb4e5421a5e5cf7a311da635330af780aaaec91c4a3",
licenses = ["notice"],

)

maven_import(

https://truth.dev/protobufs

group_id = "com.google.truth.extensions",
artifact_id = "truth-liteproto-extension",
version = "1.1",
sha256 = "f637de4743194a870316a55a1c50c89638355a2323d96b6ced363a22d6ced316",
licenses = ["notice"],

)

maven_import(

https://truth.dev/protobufs

group_id = "com.google.truth.extensions",
artifact_id = "truth-proto-extension",
version = "1.1",
sha256 = "d2fa8736dcb541813f8f4090ecc0d634b85cb82bd6d486f1af975458d0238afe",
licenses = ["notice"],

)

maven_import(

https://github.com/google/jimfs

group_id = "com.google.jimfs",
artifact_id = "jimfs",
version = "1.2",
sha256 = "de16d5c8489729a8512f1a02fbd81f58f89249b72066987da4cc5c87ecb9f72d",
licenses = ["notice"],

)

http_archive( name = "protobuf_proto_rules",

output from sha256sum on the downloaded tar.gz file

sha256 = "66bfdf8782796239d3875d37e7de19b1d94301e8972b3cbd2446b332429b4df1",
strip_prefix = "rules_proto-4.0.0",
urls = [
    "https://mirror.bazel.build/github.com/bazelbuild/rules_proto/archive/refs/tags/4.0.0.tar.gz",
    "https://github.com/bazelbuild/rules_proto/archive/refs/tags/4.0.0.tar.gz",
],

)

load("@protobuf_proto_rules//proto:repositories.bzl", "rules_proto_dependencies", "rules_proto_toolchains") rules_proto_dependencies() rules_proto_toolchains()

http_archive( name = "protobuf_java_rules", url = "https://github.com/bazelbuild/rules_java/releases/download/4.0.0/rules_java-4.0.0.tar.gz",

output from sha256sum on the downloaded tar.gz file

sha256 = "34b41ec683e67253043ab1a3d1e8b7c61e4e8edefbcad485381328c934d072fe",

)

load("@protobuf_java_rules//java:repositories.bzl", "rules_java_dependencies", "rules_java_toolchains") rules_java_dependencies() rules_java_toolchains()

http_archive( name = "com_github_johnynek_bazel_jar_jar",

output from sha256sum on the downloaded zip file

sha256 = "fdf2c5276e5c6f27efa1e0b64a301f5a122d84a4c1c0dd80006dbbc530a16773",
strip_prefix = "bazel_jar_jar-171f268569384c57c19474b04aebe574d85fde0d",
urls = [
  "https://github.com/johnynek/bazel_jar_jar/archive/171f268569384c57c19474b04aebe574d85fde0d.zip",
],

)

load("@com_github_johnynek_bazel_jar_jar//:jar_jar.bzl", "jar_jar_repositories")

jar_jar_repositories() `

lauraharker commented 8 months ago

Have you tried upgrading the google_bazel_common version? At the pinned commit https://github.com/google/bazel-common/blob/82a7dd0f4cd8593fdaa40d65a1fa820b14ff3493/workspace_defs.bzl it's on 31.0.1-jre.

Example: https://github.com/google/allocation-instrumenter/commit/2caee14eaf0a5a87c00a03ce296d0f99d7b302c1

vaibhavbhanawat01 commented 8 months ago

@lauraharker We tried but we are getting below error. Should we use different version of closure-compiler ?

Building libcompiler_lib_no_runtime_libs-class.jar (786 source files) and running annotation processors (AutoAnnotationProcessor, AutoOneOfProcessor, AutoValueProcessor) failed: (Exit 1): java.exe failed: error executing command external/remotejdk11_win/bin/java.exe -XX:+UseParallelOldGC -XX:-CompactStrings --patch-module=java.compiler=external/remote_java_tools_windows/java_tools/java_compiler.jar ... (remaining 15 argument(s) skipped) src\com\google\javascript\rhino\jstype\NamedType.java:336: error: [CheckReturnValue] Ignored return value of method that is annotated with @CheckReturnValue validator.apply(getReferencedType()); ^ (see https://errorprone.info/bugpattern/CheckReturnValue) Did you mean to remove this line? src\com\google\javascript\rhino\jstype\NamedType.java:365: error: [CheckReturnValue] Ignored return value of method that is annotated with @CheckReturnValue validator.apply(type); ^ (see https://errorprone.info/bugpattern/CheckReturnValue) Did you mean to remove this line? src\com\google\javascript\rhino\jstype\NamedType.java:409: error: [CheckReturnValue] Ignored return value of method that is annotated with @CheckReturnValue validator.apply(getReferencedType()); ^ (see https://errorprone.info/bugpattern/CheckReturnValue) Did you mean to remove this line? Target //:compiler_unshaded_deploy.jar failed to build

lauraharker commented 8 months ago

Yes, I'd recommend upgrading your version of Closure Compiler. The latest versions shouldn't have this issue.

vaibhavbhanawat01 commented 8 months ago

@lauraharker thank you.