
upgrade google.* dependencies


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 9.0.1
    • Fix Version/s: 9.5.0
    • Component/s: General
    • Security Level: Jimmy
    • Labels:

      Description

      Current Behavior

      The current google.* dependencies use old versions with potential security vulnerabilities.

      [ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit-aggregate (default-cli) on project nexus-proxy: Detected 2 vulnerable components:
      [ERROR]   com.google.protobuf:protobuf-java:jar:3.0.2:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@3.0.2
      [ERROR]     * [CVE-2015-5237]  Improper Restriction of Operations within the Bounds of a Memory Buffer (8.8); https://ossindex.sonatype.org/vuln/d47d20ab-eb2a-4cfd-8064-bbf6283649cb
      [ERROR]   com.google.guava:guava:jar:20.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@20.0
      [ERROR]     * [CVE-2018-10237]  Deserialization of Untrusted Data (5.9); https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0

      Expected behavior

      Regularly scan external dependencies for known vulnerabilities and update them.

      Workaround

      Exclude the "optional" com.google.javascript:closure-compiler-unshaded dependency from your project.
      ZK runs without it, but it won't be able to generate source maps during development.

      maven:

      <exclusions>
          <exclusion>
              <groupId>com.google.javascript</groupId>
              <artifactId>closure-compiler-unshaded</artifactId>
          </exclusion>
      </exclusions>
      

      gradle:

      configurations {
      	implementation.exclude group: "com.google.javascript", module: "closure-compiler-unshaded"
      }
      


      People

      Assignee: rudyhuang
      Reporter: cor3000
      Votes: 0
      Watchers: 2


      Time Tracking

      Original Estimate: 1h
      Time Spent: 30m
      Remaining Estimate: 30m