Closed antonmos closed 1 year ago
Thanks for bringing this to our attention. We'll evaluate the CVE and make a determination.
Same ...
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default-cli) on project brm-parent:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4,0':
[ERROR]
[ERROR] guava-32.0.0-jre.jar: CVE-2023-2976(6.2)
[ERROR]
[ERROR] See the dependency-check report for more details.
@antonmos , this should be resolved now in version 6.2.1. Please let us know if you still see this in your build tooling.
Unfortunately, we are on 5.x. Will you be backporting this fix?
And I just now realized you are on 5.x. I'll have to take a look. It seems doable.
@antonmos , should be fixed in 5.10.9 now. Might have a bit of delay before being on the different package repositories.
We have a dependency on our other library (okhttp-eventsource) which I did not update due to not having time to do more testing. The okhttp-eventsource also uses Guava. I think Gradle will auto upgrade its Guava dependency with the default resolution strategy, but let me know if it doesn't and we can consider updating the okhttp-eventsource dependency as well.
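The comment above relies on Gradle's default conflict resolution (the highest version requested anywhere in the dependency graph wins) to lift the transitive Guava pulled in by okhttp-eventsource. The build script below is an added example, not part of this issue or of the project, showing how to make that floor explicit with a dependency constraint so the fix does not depend on which version happens to be requested elsewhere. The SDK coordinates (`com.launchdarkly:launchdarkly-java-server-sdk`) and the `build.gradle` file name are assumptions; the Guava version and CVE id come from the thread.

```groovy
// build.gradle (Groovy DSL). Added example, not from the SDK project itself.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Assumed coordinates for the 5.x SDK discussed in the thread; 5.10.9 is the
    // patched release named above.
    implementation 'com.launchdarkly:launchdarkly-java-server-sdk:5.10.9'

    constraints {
        // Gradle's default resolution already selects the highest Guava version
        // requested anywhere in the graph. This constraint states the minimum
        // explicitly, so an older transitive Guava (for example the one declared
        // by okhttp-eventsource) can never be selected for runtimeClasspath.
        implementation('com.google.guava:guava') {
            version {
                require '32.0.0-jre'
            }
            because 'CVE-2023-2976 is fixed in Guava 32.0.0'
        }
    }
}
```

To confirm which Guava version actually ends up on the classpath and why, run `./gradlew dependencyInsight --dependency com.google.guava:guava --configuration runtimeClasspath`; the report lists every requester of Guava and the reason the selected version won. A `require` constraint only raises the floor; if a consumer must stay below a given version, a `strictly` range is the appropriate setting instead.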
Describe the bug: CVE-2023-2976 was reported in https://github.com/google/guava/issues/2575 and appears to be fixed in Guava 32.0.0.
SDK version: java 5.10.8
Language version, developer tools: Java 11
OS/platform: macOS Ventura