Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32381

Upgrade auto-value from 1.4 to 1.10.4

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2023.9
    • Component/s: Security
    • Tags:
    • Upgrade notes:
      Hide

      The following dependency has been upgraded:

      <dependency>
  <groupId>com.google.auto.value</groupId>
  <artifactId>auto-value</artifactId>
</dependency>

      from 1.4.1 to 1.10.4.

      Show
      The following dependency has been upgraded: <dependency> <groupId>com.google.auto.value</groupId> <artifactId>auto-value</artifactId> </dependency> from 1.4.1 to 1.10.4.
    • Sprint:
      nxplatform #108
    • Story Points:
      2

      Description

      Despite no open CVE on auto-value, some scanning tools report it as vulnerable because of an old version of guava referenced as a dependency of auto-value, see NXP-32150.

      The suspect is the META-INF/maven/com.google.guava/guava/pom.xml file located in auto-value-1.4.jar, which contains:

      <parent>
  <groupId>com.google.guava</groupId>
  <artifactId>guava-parent</artifactId>
  <version>19.0</version>
</parent>

      And indeed, in the auto-value 1.4 sources, we can find in the root pom.xml:

      <properties>
  <guava.version>19.0</guava.version>
  <compile.testing.version>0.10</compile.testing.version>
  <exclude.tests>this-matches-nothing</exclude.tests>
</properties>

      The current version of auto-value in 2023 is 1.4, it's a transitive dependency:

      --- maven-dependency-plugin:3.6.1:tree (default-cli) @ nuxeo-runtime-metrics ---
org.nuxeo.runtime:nuxeo-runtime-metrics:jar:2023.9-SNAPSHOT
...
+- io.opencensus:opencensus-exporter-trace-datadog:jar:0.31.1:compile
|  +- com.google.code.gson:gson:jar:2.10.1:compile
|  \- com.google.auto.value:auto-value:jar:1.4:compile

      The latest available version is 1.10.4, let's bump to it.

      We need to check that the OpenCensus trace exporter for Datadog is not impacted.

        Attachments

          Issue Links

          is cloned by

          Task - A task that needs to be done. NXP-32433 Upgrade auto-value from 1.4 to 1.10.4

          • Blocker - Blocks development and/or testing work, production could not run.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-32150 Upgrade guava and auto-value

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: