Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32433

Upgrade auto-value from 1.4 to 1.10.4

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2021.0
    • Fix Version/s: 2021.52
    • Component/s: Security
    • Backlog priority:
      1,000
    • Upgrade notes:
      Hide

      The following dependency has been upgraded:

      <dependency>
        <groupId>com.google.auto.value</groupId>
        <artifactId>auto-value</artifactId>
      </dependency>
      

      from 1.4.1 to 1.10.4.

      Show
      The following dependency has been upgraded: <dependency> <groupId>com.google.auto.value</groupId> <artifactId>auto-value</artifactId> </dependency> from 1.4.1 to 1.10.4.
    • Sprint:
      nxplatform #109, nxplatform #110
    • Story Points:
      2

      Description

      Despite no open CVE on auto-value, some scanning tools report it as vulnerable because of an old version of guava referenced as a dependency of auto-value, see NXP-32150.

      The suspect is the META-INF/maven/com.google.guava/guava/pom.xml file located in auto-value-1.4.jar, which contains:

      <parent>
        <groupId>com.google.guava</groupId>
        <artifactId>guava-parent</artifactId>
        <version>19.0</version>
      </parent>
      

      And indeed, in the auto-value 1.4 sources, we can find in the root pom.xml:

      <properties>
        <guava.version>19.0</guava.version>
        <compile.testing.version>0.10</compile.testing.version>
        <exclude.tests>this-matches-nothing</exclude.tests>
      </properties>
      

      The current version of auto-value in 2021 is 1.4, it's a transitive dependency:

      --- maven-dependency-plugin:3.6.1:tree (default-cli) @ nuxeo-runtime-metrics ---
      org.nuxeo.runtime:nuxeo-runtime-metrics:jar:2023.51-SNAPSHOT
      ...
      +- io.opencensus:opencensus-exporter-trace-datadog:jar:0.31.1:compile
      |  +- com.google.code.gson:gson:jar:2.10.1:compile
      |  \- com.google.auto.value:auto-value:jar:1.4:compile
      

      The latest available version is 1.10.4, let's bump to it.

      We need to check that the OpenCensus trace exporter for Datadog is not impacted.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: