Despite no open CVE on auto-value, some scanning tools report it as vulnerable because of an old version of guava referenced as a dependency of auto-value, see NXP-32150.
The suspect is the META-INF/maven/com.google.guava/guava/pom.xml file located in auto-value-1.4.jar, which contains:
<parent> <groupId>com.google.guava</groupId> <artifactId>guava-parent</artifactId> <version>19.0</version> </parent>
And indeed, in the auto-value 1.4 sources, we can find in the root pom.xml:
<properties> <guava.version>19.0</guava.version> <compile.testing.version>0.10</compile.testing.version> <exclude.tests>this-matches-nothing</exclude.tests> </properties>
The current version of auto-value in 2021 is 1.4, it's a transitive dependency:
--- maven-dependency-plugin:3.6.1:tree (default-cli) @ nuxeo-runtime-metrics --- org.nuxeo.runtime:nuxeo-runtime-metrics:jar:2023.51-SNAPSHOT ... +- io.opencensus:opencensus-exporter-trace-datadog:jar:0.31.1:compile | +- com.google.code.gson:gson:jar:2.10.1:compile | \- com.google.auto.value:auto-value:jar:1.4:compile
The latest available version is 1.10.4, let's bump to it.
We need to check that the OpenCensus trace exporter for Datadog is not impacted.