launchdarkly / java-server-sdk

LaunchDarkly Server-Side SDK for Java

update to guava 32.0.0 to resolve CVE-2023-2976 #308

Closed antonmos closed 1 year ago

antonmos commented 1 year ago

Describe the bug
CVE-2023-2976 was reported in https://github.com/google/guava/issues/2575 and appears to be fixed in guava 32.0.0

SDK version
java 5.10.8

Language version, developer tools
Java 11

OS/platform
MacOS Ventura


tanderson-ld commented 1 year ago

Thanks for bringing this to our attention. We'll evaluate the CVE and make a determination.

somera commented 1 year ago

Same ...

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default-cli) on project brm-parent: 
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4,0': 
[ERROR]
[ERROR] guava-32.0.0-jre.jar: CVE-2023-2976(6.2)
[ERROR]
[ERROR] See the dependency-check report for more details.

tanderson-ld commented 1 year ago

@antonmos , this should be resolved now in version 6.2.1. Please let us know if you still see this in your build tooling.

antonmos commented 1 year ago

Unfortunately, we are on 5.x. Will you be backporting this fix?

tanderson-ld commented 1 year ago

And I just now realized you are on 5.X. I'll have to take a look. It seems doable.

tanderson-ld commented 1 year ago

@antonmos , should be fixed in 5.10.9 now. Might have a bit of delay before being on the different package repositories.

We have a dependency on our other library (okhttp-eventsource) which I did not update due to not having time to do more testing. The okhttp-eventsource also uses Guava. I think Gradle will auto upgrade its Guava dependency with the default resolution strategy, but let me know if it doesn't and we can consider updating the okhttp-eventsource dependency as well.
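The transitive-resolution behaviour the previous comment relies on can be made explicit in a consumer's build rather than left to chance. The fragment below is an added example for this thread, not a build file from the java-server-sdk project: it declares the 5.10.9 SDK version named above and pins a floor on Guava with a dependency constraint. The Maven coordinates (`com.launchdarkly:launchdarkly-java-server-sdk`, `com.google.guava:guava`) are the published artifact names rather than values quoted on this page; the `32.0.0-jre` version string matches the jar name in the dependency-check output above.

```kotlin
// build.gradle.kts -- added example for a project consuming the SDK (not the SDK's own build)
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // SDK version from this thread; okhttp-eventsource and Guava arrive transitively.
    implementation("com.launchdarkly:launchdarkly-java-server-sdk:5.10.9")

    constraints {
        // Gradle's default conflict resolution selects the highest version requested
        // anywhere in the graph, so a floor declared here lifts any older Guava that
        // okhttp-eventsource (or anything else) still asks for.
        implementation("com.google.guava:guava") {
            version { require("32.0.0-jre") }
            because("CVE-2023-2976 is fixed in Guava 32.0.0 (https://github.com/google/guava/issues/2575)")
        }
    }
}
```

To confirm which Guava version actually lands on the classpath and which declaration won, run `./gradlew dependencyInsight --dependency com.google.guava:guava --configuration runtimeClasspath`; the report names every requester and the selected version. The same floor does not carry over to Maven, which is what the dependency-check output above comes from: Maven mediates conflicts by nearest definition rather than highest version, so there the pin belongs in `<dependencyManagement>` of the consuming POM.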