spring-cloud / spring-cloud-sleuth

Distributed tracing for spring cloud
https://spring.io/projects/spring-cloud-sleuth
Apache License 2.0

Update guava and okhttp versions #2224

Closed usharik closed 8 months ago

usharik commented 1 year ago

Describe the bug: There are plenty of well-known vulnerable third parties in Sleuth. Why is it so, and could that be fixed?

marcingrzejszczak commented 1 year ago

Excuse me, but I don't understand what you are talking about. What vulnerable third parties?

usharik commented 1 year ago

At least this one https://mvnrepository.com/artifact/com.google.guava/guava/20.0

marcingrzejszczak commented 1 year ago

We're not using Guava, and you have not properly created an issue report. I have no idea which libraries you are referring to, what the vulnerable versions are, where you think we're setting these versions, and how we're using those libraries. You're also not mentioning the version of Sleuth that you think is vulnerable.

usharik commented 1 year ago

@marcingrzejszczak you have it specified in the parent pom of the project:

        <guava.version>20.0</guava.version>

marcingrzejszczak commented 1 year ago

Ah, indeed we have it for the grpc module (we're actually forcing that version to align with brave). Can you provide the whole list of the dependencies you think we should update?

usharik commented 1 year ago

Here are all I managed to find. Hope that's going to be useful.

https://mvnrepository.com/artifact/com.google.guava/guava/20.0
https://mvnrepository.com/artifact/com.h2database/h2/1.4.200
https://mvnrepository.com/artifact/com.squareup.okhttp3/mockwebserver/4.8.0
https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.8.0
https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.9.0
https://mvnrepository.com/artifact/com.zaxxer/HikariCP/4.0.3
https://mvnrepository.com/artifact/io.github.openfeign/feign-core/11.8
https://mvnrepository.com/artifact/io.github.openfeign.form/feign-form-spring/3.8.0
https://mvnrepository.com/artifact/io.lettuce/lettuce-core/6.1.9.RELEASE
https://mvnrepository.com/artifact/io.micrometer/micrometer-core/1.8.9
https://mvnrepository.com/artifact/io.projectreactor.netty/reactor-netty/1.0.22
https://mvnrepository.com/artifact/io.r2dbc/r2dbc-h2/0.8.5.RELEASE
https://mvnrepository.com/artifact/io.zipkin.brave/brave-instrumentation-mongodb/5.13.9
https://mvnrepository.com/artifact/io.zipkin.brave/brave-instrumentation-spring-rabbit/5.13.9
https://mvnrepository.com/artifact/io.zipkin.zipkin2/zipkin/2.23.2
https://mvnrepository.com/artifact/net.ttddyy/datasource-proxy/1.7
https://mvnrepository.com/artifact/org.apache.activemq/activemq-client/5.16.5
https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2/2.8.0
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpasyncclient/4.1.5
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13
https://mvnrepository.com/artifact/org.apache.kafka/kafka-streams/3.0.1
https://mvnrepository.com/artifact/org.awaitility/awaitility/4.0.3
https://mvnrepository.com/artifact/org.jboss.forge.roaster/roaster-api/2.22.3.Final
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure/2.6.11
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-parent/2.6.11
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter/2.6.11
https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-config-server/3.1.4
https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-sleuth-autoconfigure/3.1.4
https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-sleuth-instrumentation/3.1.4
https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-starter-config/3.1.4
https://mvnrepository.com/artifact/org.springframework.integration/spring-integration-core/5.5.14
https://mvnrepository.com/artifact/org.springframework.kafka/spring-kafka/2.8.8
https://mvnrepository.com/artifact/org.springframework.security/spring-security-core/5.6.7
https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-client/5.6.7
https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2/2.2.0.RELEASE
https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure/2.3.4.RELEASE
https://mvnrepository.com/artifact/org.springframework.session/spring-session-data-redis/2.6.3
https://mvnrepository.com/artifact/org.springframework.vault/spring-vault-core/2.3.2

spencergibb commented 1 year ago

Is there anything in that list besides guava that is managed directly by sleuth? I think most are managed by spring boot or spring integration, which aren't spring cloud projects.

usharik commented 1 year ago

I also see a version for this one in your parent pom: https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.9.0

spencergibb commented 1 year ago

Guava may need to wait until brave is updated, because it breaks compatibility so often.

usharik commented 1 year ago

Honestly, I'm very impressed.

Sleuth as a tracing tool is brilliant, but even the most loyal software compliance is never going to approve a tool with so many vulnerabilities. Do you really never have such problems?

marcingrzejszczak commented 1 year ago

First of all, we don't have any reported vulnerabilities, and please stop repeating that, because you haven't provided any proof for these statements. Also, nobody has reported any problems with the tool.

Second thing is that most of our dependencies are optional.

spencergibb commented 1 year ago

Security vulnerabilities are to be reported here: https://spring.io/security-policy, as was noted when you created this issue. There are many large projects using sleuth.

jonatan-ivanov commented 1 year ago

Do I understand correctly that the version (20.0) of Guava we use has one low-level and one medium-level vulnerability? The low-level one does not seem to be fixed (please correct me if I'm wrong); the feature is deprecated. The medium-level one is only exploitable if you serialize certain classes using Java or GWT serialization. I think there is a very high chance that this is not happening in Sleuth.

The version (4.9.0) of okhttp we use has one high-level vulnerability that is only exploitable if you let unsanitized user input into your HTTP headers. Other than this being a bad practice, Sleuth does not do such a thing. Also, it seems okhttp is an optional dependency, so Sleuth will not bring it to you if you don't explicitly ask for it. When you do, you should be able to easily define the patched version: 4.9.2.

Regardless of these, we should upgrade but the fix seems very simple if you are concerned.
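The override jonatan-ivanov describes, written out as a consumer-side pom.xml fragment. This is an added example, not code from the Sleuth repository or the thread; the project coordinates are assumed placeholders, the versions are the ones named in the thread, and the caveat on guava follows spencergibb's note about brave compatibility.

```xml
<!-- Added example: a consuming project's pom.xml (project coordinates are placeholders).
     Sleuth's parent pom pins okhttp 4.9.0 and guava 20.0 for its optional modules;
     a dependencyManagement entry declared directly in the consuming pom takes
     precedence over versions inherited from a parent or an imported BOM. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>tracing-app</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the patched okhttp named in the thread. -->
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>4.9.2</version>
      </dependency>
      <!-- Do not pin guava here without checking the brave version you resolve:
           Sleuth forces guava 20.0 specifically to stay aligned with brave. -->
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- okhttp is optional in Sleuth, so it only appears on the classpath when a
         consumer declares it; the version comes from dependencyManagement above. -->
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm what actually lands on the classpath, run `mvn dependency:tree -Dincludes=com.squareup.okhttp3,com.google.guava` and check that each listed version is the one you intended (absence of an artifact means the optional dependency was never pulled in).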