twitter / finatra

Fast, testable, Scala services built on TwitterServer and Finagle
https://twitter.github.io/finatra/
Apache License 2.0
2.28k stars, 409 forks

finatra: Fix Guava vulnerability #498

Status: Closed (kittsville closed this 5 years ago)

kittsville commented 5 years ago

Problem

Google's Guava 19.0 has a medium severity vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Solution

Update Guava to a version that is not vulnerable.

codecov[bot] commented 5 years ago

Codecov Report

Merging #498 into develop will not change coverage. The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop     #498   +/-   ##
========================================
  Coverage    92.49%   92.49%           
========================================
  Files          244      244           
  Lines         3890     3890           
  Branches       288      288           
========================================
  Hits          3598     3598           
  Misses         292      292

Continue to review full report at Codecov.

Last update feb887e...4e5ca33.

kittsville commented 5 years ago

Fixed in 826fabb251f06844ad75e65091cda657cb956c01


mosesn commented 5 years ago

Whoops, sorry, I should have replied to your PR! I think the good news is that, looking at the CVE, I think we weren't affected since we didn't use Guava's serialization stuff (as far as I know). Thanks for the bug report!