openrewrite / rewrite-analysis

OpenRewrite recipes for data flow analysis.
Apache License 2.0

CVE-2023-2976(Guava) - In rewrite-analysis #13

Closed yeikel closed 1 year ago

yeikel commented 1 year ago

I am encountering this while running the Maven plugin because this is a transitive dependency:

```xml
<dependency>
    <groupId>org.openrewrite.meta</groupId>
    <artifactId>rewrite-analysis</artifactId>
    <version>2.0.2</version>
</dependency>
```

CVE-2023-2976 has a High CVSS risk score, and even if it is not exploitable, it is still not allowed in my environment.

Upgrading to Guava 32.0.0-jre should fix it. See https://github.com/google/guava/releases/tag/v32.0.0

Additional context:

https://nvd.nist.gov/vuln/detail/CVE-2023-2976

https://github.com/google/guava/releases/tag/v32.0.0
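The consumer-side mitigation for a transitive dependency like this one is to pin the version from the top-level build rather than waiting for the library to change its own declaration. The following pom.xml is an added example and is not from the issue or the rewrite-analysis project; the coordinates `com.example:consumer-app` are placeholders, while `rewrite-analysis:2.0.2` and `guava:32.0.0-jre` are the versions named in the report above.

```xml
<!-- Added example (not from the issue or the rewrite-analysis project): a consumer
     pom.xml that depends on rewrite-analysis 2.0.2 and forces the transitive Guava
     version to 32.0.0-jre, the release that fixes CVE-2023-2976. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>consumer-app</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <!-- A version declared in dependencyManagement overrides the version a
       transitive dependency asks for, so Guava is pinned wherever it enters
       the dependency graph, not only where it is declared directly. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.0.0-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the dependency from the report; its own Guava declaration is now managed -->
    <dependency>
      <groupId>org.openrewrite.meta</groupId>
      <artifactId>rewrite-analysis</artifactId>
      <version>2.0.2</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the pin took effect, run `mvn dependency:tree -Dincludes=com.google.guava` and check that only `32.0.0-jre` appears in the resolved tree. If the consuming project does not use Guava itself and the maintainers confirm it is only needed by the library's tests, an `<exclusions>` entry on the rewrite-analysis dependency is the other option; the managed version is the safer default, because it keeps Guava available for anything on the classpath that still loads it.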

knutwannheden commented 1 year ago

Thanks for reporting. We will look into it.

knutwannheden commented 1 year ago

@yeikel Just out of curiosity: What tool is that screenshot from? Currently that dependency is only used for tests, so I will look into getting it out of the artifact jar.

yeikel commented 1 year ago

> @yeikel Just out of curiosity: What tool is that screenshot from? Currently that dependency is only used for tests, so I will look into getting it out of the artifact jar.

The screenshot is from the "Quarantined Component View" of Nexus IQ Server

See https://help.sonatype.com/fw/next-gen-firewall-features/quarantined-component-view