CVE in transitive dependency of okhttp #1453
Comments
* Gradle v8.1.1
* OkHttp v4.11.0
* Guava v32.0.0
* Jackson v2.15.2
* Apache Commons Compress v1.23.0

Fixes minio#1453

Signed-off-by: Bala.FA <[email protected]>
I know you just released 8.5.3 a few weeks ago. Would you be able to release an 8.5.4 soon that includes these dependency upgrades? Also, if you sign up for dependabot, it will automatically recommend library/plugin updates for you, making it easier to keep things up to date. And it will also tell you about security issues in dependencies (privately). Here's an example of my project where dependabot recommends library/plugin upgrades for me automatically: https://github.com/nahsra/antisamy/pulls?q=is%3Apr+is%3Aclosed
* Gradle v8.1.1
* OkHttp v4.11.0
* Guava v32.0.0
* Jackson v2.15.2
* Apache Commons Compress v1.23.0

Fixes #1453

Signed-off-by: Bala.FA <[email protected]>
Using Snyk, if I run this on io.minio:minio:8.5.3:

snyk test --all-sub-projects
It reports:
Testing .../git/test/minio-java...
Tested 54 dependencies for known issues, found 2 issues, 4 vulnerable paths.
Issues with no direct upgrade or patch:
✗ Out-of-bounds Write [High Severity] https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEBCEL-3106013 in org.apache.bcel:[email protected]
introduced by com.github.spotbugs:[email protected] > org.apache.bcel:[email protected]
This issue was fixed in versions: 6.6.0
✗ Information Exposure [Low Severity] https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 in org.jetbrains.kotlin:[email protected]
introduced by com.squareup.okhttp3:[email protected] > org.jetbrains.kotlin:[email protected] and 2 other path(s)
No upgrade or patch available
I believe if you upgrade to com.squareup.okhttp3:[email protected], the vulnerable kotlin dependency is upgraded to a fixed version. Do you have plans to do a new release anytime soon that includes this dependency upgrade?
I'm not worried about the spotbugs dependency as that isn't included in the released artifact, but you might want to fix that too.
Do you have dependabot turned on for your GitHub repo? If so, it would tell you when new dependency versions are available, and also would privately tell you if any have known vulns.
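For a consumer of the library who cannot wait for a new minio-java release, the usual defensive move is to raise the transitive okhttp version from their own build and then confirm which kotlin-stdlib actually resolves. The following Gradle (Groovy DSL) build script is an added example; it is not minio-java's own build file and was not posted in this issue. The only coordinates it uses are the ones already quoted above (io.minio:minio:8.5.3, com.squareup.okhttp3:okhttp:4.11.0, the Snyk id); the `because` text and the hypothetical consumer project are mine.

```groovy
// build.gradle of a hypothetical application that consumes io.minio:minio:8.5.3.
// Added example, not minio-java's own build script.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'io.minio:minio:8.5.3'

    // A dependency constraint raises the version Gradle selects for a transitive
    // dependency without turning it into a direct one. Per the issue text,
    // okhttp 4.11.0 in turn depends on a kotlin-stdlib that Snyk no longer
    // flags, so the constraint targets okhttp rather than guessing a
    // kotlin-stdlib version that okhttp was never built against.
    constraints {
        implementation('com.squareup.okhttp3:okhttp:4.11.0') {
            because 'SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 is reached through the okhttp that minio 8.5.3 pulls in'
        }
    }
}

// Verification (run from the project directory):
//
//   ./gradlew dependencyInsight --configuration runtimeClasspath --dependency kotlin-stdlib
//
// prints every path by which kotlin-stdlib enters the runtime classpath and the
// version Gradle selected, so you can confirm the constraint took effect on
// the runtimeClasspath that actually ships, and then re-run `snyk test`.
//
//   ./gradlew dependencies --configuration runtimeClasspath
//
// shows the full resolved tree; build-only plugins such as spotbugs do not
// appear in runtimeClasspath, which is why the bcel finding above does not
// affect the published artifact.
```

A constraint is preferable to `resolutionStrategy.force` on kotlin-stdlib itself: forcing a library's own dependency to a version it was never compiled against can introduce binary incompatibilities that only surface at runtime, whereas raising okhttp lets okhttp's own metadata choose a kotlin-stdlib it supports. The constraint is a stopgap; it should be removed once a minio-java release that depends on okhttp 4.11.0 or later is adopted.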