
CVE in transitive dependency of okhttp #1453

Closed
davewichers opened this issue Jun 1, 2023 · 1 comment · Fixed by #1454
Comments

davewichers commented Jun 1, 2023

Using Snyk, if I run this on io.minio:minio:8.5.3: `snyk test --all-sub-projects`
It reports:

```text
Testing .../git/test/minio-java...
Tested 54 dependencies for known issues, found 2 issues, 4 vulnerable paths.

Issues with no direct upgrade or patch:
  ✗ Out-of-bounds Write [High Severity] https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEBCEL-3106013 in org.apache.bcel:[email protected]
    introduced by com.github.spotbugs:[email protected] > org.apache.bcel:[email protected]
  This issue was fixed in versions: 6.6.0
  ✗ Information Exposure [Low Severity] https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 in org.jetbrains.kotlin:[email protected]
    introduced by com.squareup.okhttp3:[email protected] > org.jetbrains.kotlin:[email protected] and 2 other path(s)
  No upgrade or patch available
```

I believe if you upgrade to com.squareup.okhttp3:[email protected], the vulnerable kotlin dependency is upgraded to a fixed version. Do you have plans to do a new release anytime soon that includes this dependency upgrade?

I'm not worried about the spotbugs dependency as that isn't included in the released artifact, but you might want to fix that too.

Do you have dependabot turned on for your GitHub repo? If so, it would tell you when new dependency versions are available, and also would privately tell you if any have known vulns.
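The report above leaves the triage step to the reader: each finding is in a transitive artifact, so the change a maintainer can actually make is to the declared dependency at the head of the "introduced by" path (spotbugs for bcel, okhttp for kotlin-stdlib). The script below is an added example, not code from the issue, from minio-java or from Snyk. It parses the Snyk CLI text format, groups findings by the direct dependency that introduces them, and states whether a fixed version of the vulnerable artifact is listed. `SAMPLE_REPORT` is constructed to mirror the shape of the output quoted in the issue; the artifact names and versions in it (`bcel@6.5.0`, `spotbugs@4.7.3`, `okhttp@4.10.0`, `kotlin-stdlib@1.6.20`) are placeholders, not the project's real resolved versions.

```python
"""Triage a Snyk CLI text report: which declared dependency pulls in each
vulnerable transitive artifact, and is there a fixed version to move to.

Added example for this issue thread; not part of minio-java or Snyk.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in Snyk CLI text format. Artifact names and versions
# are placeholders chosen to look like the report quoted in the issue.
SAMPLE_REPORT = """\
Testing /work/minio-java...
Tested 54 dependencies for known issues, found 2 issues, 4 vulnerable paths.

Issues with no direct upgrade or patch:
  ✗ Out-of-bounds Write [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEBCEL-3106013] in org.apache.bcel:bcel@6.5.0
    introduced by com.github.spotbugs:spotbugs@4.7.3 > org.apache.bcel:bcel@6.5.0
  This issue was fixed in versions: 6.6.0
  ✗ Information Exposure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744] in org.jetbrains.kotlin:kotlin-stdlib@1.6.20
    introduced by com.squareup.okhttp3:okhttp@4.10.0 > org.jetbrains.kotlin:kotlin-stdlib@1.6.20 and 2 other path(s)
  No upgrade or patch available
"""

SUMMARY_RE = re.compile(r"found (\d+) issues?, (\d+) vulnerable paths?")
# The URL may be bracketed ("[High Severity][https://...]") or, as in a
# copy-pasted report, glued directly onto the severity tag.
ISSUE_RE = re.compile(
    r"^\s*✗\s+(?P<title>.+?)\s+\[(?P<severity>\w+) Severity\]\s*"
    r"\[?(?P<url>https?://[^\s\]]+)\]?\s+in\s+(?P<package>\S+)\s*$"
)
PATH_RE = re.compile(
    r"^\s*introduced by\s+(?P<path>.+?)(?:\s+and\s+(?P<more>\d+) other path\(s\))?\s*$"
)
FIX_RE = re.compile(r"^\s*This issue was fixed in versions?:\s*(?P<versions>.+?)\s*$")
NOFIX_RE = re.compile(r"^\s*No upgrade or patch available")


@dataclass
class Finding:
    title: str
    severity: str
    url: str
    package: str                      # vulnerable coordinate group:artifact@version
    paths: list[str] = field(default_factory=list)
    extra_paths: int = 0              # the "and N other path(s)" Snyk does not print
    fixed_in: list[str] = field(default_factory=list)

    @property
    def is_transitive(self) -> bool:
        return any(" > " in p for p in self.paths)

    @property
    def direct_dependency(self) -> str:
        """Head of the first introducing path: the dependency you declare."""
        return self.paths[0].split(" > ")[0].strip() if self.paths else self.package

    @property
    def path_count(self) -> int:
        return len(self.paths) + self.extra_paths


def summary_counts(text: str) -> tuple[int, int] | None:
    """(issues, vulnerable paths) from the 'Tested N dependencies' line."""
    m = SUMMARY_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_snyk_report(text: str) -> list[Finding]:
    findings: list[Finding] = []
    current: Finding | None = None
    for line in text.splitlines():
        if m := ISSUE_RE.match(line):
            current = Finding(m["title"], m["severity"], m["url"], m["package"])
            findings.append(current)
        elif current is None:
            continue
        elif m := PATH_RE.match(line):
            current.paths.append(m["path"])
            current.extra_paths = int(m["more"] or 0)
        elif m := FIX_RE.match(line):
            current.fixed_in = [v.strip() for v in m["versions"].split(",")]
        elif NOFIX_RE.match(line):
            current.fixed_in = []
    return findings


def total_paths(findings: list[Finding]) -> int:
    """Should equal the path count in the summary line; a mismatch means
    the parser missed a finding."""
    return sum(f.path_count for f in findings)


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings by the declared dependency that introduces them."""
    by_direct: dict[str, list[Finding]] = {}
    for f in findings:
        by_direct.setdefault(f.direct_dependency, []).append(f)
    return by_direct


def action_for(f: Finding) -> str:
    """The change a maintainer actually has to make for one finding."""
    artifact = f.package.rsplit("@", 1)[0]
    if not f.is_transitive:
        return (f"upgrade {artifact} to {f.fixed_in[0]}" if f.fixed_in
                else f"{artifact}: no fixed version published, track the advisory")
    direct = f.direct_dependency
    if f.fixed_in:
        return (f"upgrade {direct} to a release depending on {artifact} >= {f.fixed_in[0]}, "
                f"or pin {artifact} via a dependency constraint")
    return (f"{artifact}: no fixed version listed; check whether a newer {direct} "
            f"resolves a different {artifact} (it reaches it via {f.path_count} paths)")


if __name__ == "__main__":
    found = parse_snyk_report(SAMPLE_REPORT)
    for direct, items in triage(found).items():
        print(direct)
        for item in items:
            print(f"  [{item.severity}] {item.title} in {item.package}")
            print(f"    -> {action_for(item)}")
```

The `total_paths` check against the summary line is the cheap self-test for scripts like this: Snyk prints only one path per issue and summarises the rest as "N other path(s)", so a parser that drops the suffix silently undercounts how many routes a vulnerable artifact has into the build.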

balamurugana added a commit to balamurugana/minio-java that referenced this issue Jun 2, 2023
* Gradle v8.1.1
* OkHttp v4.11.0
* Guava v32.0.0
* Jackson v2.15.2
* Apache Commons Compress v1.23.0

Fixes minio#1453

Signed-off-by: Bala.FA <[email protected]>
davewichers (Author) commented
I know you just released 8.5.3 a few weeks ago. Would you be able to release an 8.5.4 soon that includes these dependency upgrades? Also, if you sign up for dependabot, it will automatically recommend library/plugin updates for you, making it easier to keep things up to date. And it will also tell you about security issues in dependencies (privately). Here's an example of my project where dependabot recommends library/plugin upgrades for me automatically: https://github.com/nahsra/antisamy/pulls?q=is%3Apr+is%3Aclosed

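The Dependabot setup recommended in the comment above is a repository file, not a Gradle change. The fragment below is an added example, not a file from minio-java: it enables Dependabot version-update pull requests for a Gradle build (the fix commits on this issue show the project builds with Gradle) and for the repository's GitHub Actions workflows. The vulnerability alerts and security-update PRs the comment also mentions are switched on separately in the repository's code-security settings; this file only schedules version updates.

```yaml
# .github/dependabot.yml  (added example; assumes a single Gradle build at the repo root)
version: 2
updates:
  # Library and plugin upgrades for the Gradle build, batched weekly
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # Keep CI workflow actions current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place, the transitive upgrade discussed in this issue shows up as an ordinary "bump okhttp" pull request whose CI run is the regression check, instead of being noticed only when someone runs a scanner against a published release.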
balamurugana added a commit to balamurugana/minio-java that referenced this issue Jun 19, 2023
* Gradle v8.1.1
* OkHttp v4.11.0
* Guava v32.0.0
* Jackson v2.15.2
* Apache Commons Compress v1.23.0

Fixes minio#1453

Signed-off-by: Bala.FA <[email protected]>
harshavardhana pushed a commit that referenced this issue Jun 19, 2023
* Gradle v8.1.1
* OkHttp v4.11.0
* Guava v32.0.0
* Jackson v2.15.2
* Apache Commons Compress v1.23.0

Fixes #1453

Signed-off-by: Bala.FA <[email protected]>
2 participants