Scanning projects that depend on datahub-client shows an unlikely vulnerability due to an old guava dependency #5134
Comments
Thanks for the report @markaalvaro ! This is a transient dependency pulled in from one of our other dependencies. Forced an upgrade in the build to the guava version we use in the rest of the code that does not have the high vulnerability. The second vulnerability is a low category and is not exploitable in DataHub as we do not use the com.google.common.io.Files.createTempDir() utility function nor do our usages of the library which brings it in as a transient dependency.
Yeah I imagine what I'm seeing flagged isn't actually a concern, since the actual guava version used is much higher than 15. What I'm seeing, though, specifically is the checker flagging a pom file in:
(was using 0.8.26 but updated to 0.8.36 recently)
I believe the pom files are included as a part of the Shadow gradle plugin we use that specifies which dependencies we are leveraging. The file will be there, but it will show the updated version (27.0.1) and shouldn't trigger the warning.
Ah ok. Perfect!
PR with changes has been merged, closing. Let us know if this doesn't resolve your issue and we can either reopen or open a new one 😄
Describe the bug
Scanning projects that depend on datahub leads to an unnecessary guava 15 vulnerability flag. It doesn't seem like the dependency actually depends on it, and this is likely only appearing because internal pom files for building the client artifact are being published in the artifact itself.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Generally I don't think the pom file in META-INF/maven needs to be published with the jar file, which would probably mitigate this issue.
Screenshots
Scanning my project which depends on the datahub-client leads to this output.
Desktop (please complete the following information):
Probably not relevant but:
Additional context
N/A
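The false positive described in this issue and in the maintainers' reply comes from a scanner reading a `pom.xml` shipped inside the jar under `META-INF/maven/`, which can declare a version the build never actually resolved. The following is an added example, not code from the DataHub project or from anyone in this thread: it constructs a small jar in memory with an embedded POM declaring guava 15.0 (the coordinates `io.example:sample-client` and the file layout are illustrative), lists what a scanner would see, and then shows that a jar built without `META-INF/maven/` carries no such declarations, which is the check you would run against a published artifact after excluding those files.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample: a minimal Maven POM as a build tool might embed it under
# META-INF/maven/<groupId>/<artifactId>/pom.xml. The guava version 15.0 is the
# stale value from the issue; the io.example coordinates are illustrative.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.example</groupId>
  <artifactId>sample-client</artifactId>
  <version>0.0.1</version>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>15.0</version>
    </dependency>
  </dependencies>
</project>
"""

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def build_jar(include_pom: bool) -> bytes:
    """Build a constructed jar in memory, with or without an embedded POM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Placeholder class bytes; only the archive layout matters here.
        zf.writestr("io/example/Client.class", b"\xca\xfe\xba\xbe")
        if include_pom:
            zf.writestr("META-INF/maven/io.example/sample-client/pom.xml", SAMPLE_POM)
    return buf.getvalue()


def embedded_poms(jar_bytes: bytes) -> list[str]:
    """Return the path of every pom.xml shipped under META-INF/maven/ in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml")
        )


def declared_dependencies(jar_bytes: bytes) -> list[tuple[str, str, str]]:
    """Parse each embedded POM and list the (groupId, artifactId, version) it declares.

    These are the coordinates a dependency scanner reads from the jar; they need
    not match what the build actually resolved, which is the false positive the
    issue describes.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for path in embedded_poms(jar_bytes):
            root = ET.fromstring(zf.read(path))
            for dep in root.iter(f"{POM_NS}dependency"):
                group = dep.findtext(f"{POM_NS}groupId", default="")
                artifact = dep.findtext(f"{POM_NS}artifactId", default="")
                version = dep.findtext(f"{POM_NS}version", default="")
                found.append((group, artifact, version))
    return found


def versions_of(jar_bytes: bytes, group: str, artifact: str) -> list[str]:
    """Every version of one artifact that the embedded POMs declare."""
    return [v for g, a, v in declared_dependencies(jar_bytes) if (g, a) == (group, artifact)]


if __name__ == "__main__":
    before = build_jar(include_pom=True)
    after = build_jar(include_pom=False)
    print("embedded POMs before:", embedded_poms(before))
    print("guava versions a scanner would read:", versions_of(before, "com.google.guava", "guava"))
    print("embedded POMs after dropping META-INF/maven:", embedded_poms(after))
```

Run `embedded_poms` and `versions_of` against the real artifact you publish rather than the constructed jar: an empty result for `embedded_poms` confirms the POM is no longer shipped, and if you keep the POM, `versions_of` should report the version the build actually resolved.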