
Update multiple dependencies that have vulnerabilities#40

Merged
acocuzzo merged 1 commit intogoogleapis:mainfrom
Ben10k:main
May 29, 2025

Conversation

@Ben10k (Contributor) commented May 29, 2025

This PR updates 2 packages that have HIGH or CRITICAL vulnerabilities (CVSS >7) detected by trivy.

The offending packages com.google.code.gson:gson, com.google.oauth-client:google-oauth-client and org.apache.avro:avro that trivy discovered were not present in the pom.xml, so mvn dependency:tree was used to discover which direct dependencies were importing them.
The results were com.google.api-client:google-api-client and io.confluent:kafka-schema-registry-client.

Both packages are updated to the latest minor version.

Additional info:

Trivy scan results on current main branch:

pom.xml (pom)

Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌─────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│                   Library                   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├─────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.code.gson:gson                   │ CVE-2022-25647 │ HIGH     │ fixed  │ 2.8.6             │ 2.8.9          │ com.google.code.gson-gson: Deserialization of Untrusted Data │
│                                             │                │          │        │                   │                │ in com.google.code.gson-gson                                 │
│                                             │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2022-25647                   │
├─────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.guava:guava                      │ CVE-2023-2976  │ MEDIUM   │        │ 30.1.1-android    │ 32.0.0-android │ guava: insecure temporary directory creation                 │
│                                             │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-2976                    │
│                                             ├────────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│                                             │ CVE-2020-8908  │ LOW      │        │                   │                │ guava: local information disclosure via temporary directory  │
│                                             │                │          │        │                   │                │ created with unsafe permissions                              │
│                                             │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2020-8908                    │
├─────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.oauth-client:google-oauth-client │ CVE-2021-22573 │ HIGH     │        │ 1.31.5            │ 1.33.3         │ google-oauth-client: Token signature not verified            │
│                                             │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2021-22573                   │
├─────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.avro:avro                        │ CVE-2024-47561 │ CRITICAL │        │ 1.11.3            │ 1.11.4         │ apache-avro: Schema parsing may trigger Remote Code          │
│                                             │                │          │        │                   │                │ Execution (RCE)                                              │
│                                             │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-47561                   │
└─────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Trivy scan results after

pom.xml (pom)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ com.google.guava:guava │ CVE-2023-2976 │ MEDIUM   │ fixed  │ 31.1-jre          │ 32.0.0-android │ guava: insecure temporary directory creation                │
│                        │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-2976                   │
│                        ├───────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                        │ CVE-2020-8908 │ LOW      │        │                   │                │ guava: local information disclosure via temporary directory │
│                        │               │          │        │                   │                │ created with unsafe permissions                             │
│                        │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2020-8908                   │
└────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Follow the Samples Style Guide
  • Ensure the tests and linter pass
  • Communicate test infrastructure changes, i.e. API enablement, secrets
  • Appropriate docs were updated (if necessary)

🛠️ Fixes #34
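The triage procedure the PR describes (trivy reports a vulnerable artifact that is not in pom.xml, mvn dependency:tree shows which direct dependency pulls it in, that direct dependency gets bumped) can be scripted. The following is an added example, not tooling from this PR or from the googleapis project: it parses the text output of mvn dependency:tree, joins it with a trivy JSON report, and lists, for every finding at or above a chosen severity, the direct dependencies whose subtree contains the vulnerable version. Both inputs are constructed inline: the report copies the findings from the "before" table above into the shape of trivy's `--format json` output, while the tree's nesting and the versions of the direct dependencies are illustrative and not read from the repository's pom.xml.

```python
"""Join a trivy report with `mvn dependency:tree` output to find which direct
dependencies introduce vulnerable transitive artifacts.

Added example for illustration, not the project's own tooling. SAMPLE_TREE and
TRIVY_REPORT are constructed: the report mirrors the PR's trivy table, the tree
(its nesting and direct-dependency versions) is made up.
"""
import json
import re
import sys
from collections import defaultdict

# Constructed `mvn dependency:tree` text output in the plugin's default format.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- com.google.api-client:google-api-client:jar:1.31.5:compile
[INFO] |  +- com.google.oauth-client:google-oauth-client:jar:1.31.5:compile
[INFO] |  |  \- com.google.http-client:google-http-client:jar:1.39.2:compile
[INFO] |  \- com.google.code.gson:gson:jar:2.8.6:compile
[INFO] \- io.confluent:kafka-schema-registry-client:jar:7.5.0:compile
[INFO]    +- org.apache.avro:avro:jar:1.11.3:compile
[INFO]    \- com.google.guava:guava:jar:30.1.1-android:compile
"""

# Constructed report in the shape of `trivy fs --format json` (Results[].Vulnerabilities[]).
TRIVY_REPORT = {
    "Results": [{
        "Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-25647", "PkgName": "com.google.code.gson:gson",
             "InstalledVersion": "2.8.6", "FixedVersion": "2.8.9", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "30.1.1-android", "FixedVersion": "32.0.0-android", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2020-8908", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "30.1.1-android", "FixedVersion": "32.0.0-android", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2021-22573", "PkgName": "com.google.oauth-client:google-oauth-client",
             "InstalledVersion": "1.31.5", "FixedVersion": "1.33.3", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-47561", "PkgName": "org.apache.avro:avro",
             "InstalledVersion": "1.11.3", "FixedVersion": "1.11.4", "Severity": "CRITICAL"},
        ],
    }]
}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# One tree node: "[INFO] " + indent blocks of three chars ("|  " or "   "),
# optional branch marker ("+- " or "\- "), then group:artifact:type[:classifier]:version[:scope].
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<branch>[+\\]- )?"
    r"(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$"
)


def split_coord(coord):
    """'group:artifact:type[:classifier]:version[:scope]' -> ('group:artifact', version)."""
    parts = coord.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]
    return f"{parts[0]}:{parts[1]}", version


def parse_tree(text):
    """Map 'group:artifact' -> [(version, path)], where path runs from the direct
    dependency (depth 1) down to the artifact, each element 'group:artifact:version'."""
    stack = []                     # (depth, node) for the current branch
    found = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue               # plugin banner, BUILD SUCCESS, blank lines
        depth = len(m["indent"]) // 3 + (1 if m["branch"] else 0)
        ga, version = split_coord(m["coord"])
        while stack and stack[-1][0] >= depth:
            stack.pop()            # climb back up to this node's parent
        stack.append((depth, f"{ga}:{version}"))
        if depth >= 1:             # depth 0 is the project itself
            found[ga].append((version, [n for d, n in stack if d >= 1]))
    return found


def findings_at_or_above(report, min_severity="HIGH"):
    """Flatten trivy's Results[].Vulnerabilities[] and keep findings at/above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return [v for r in report.get("Results", []) for v in (r.get("Vulnerabilities") or [])
            if SEVERITY_RANK.get(v["Severity"], 0) >= floor]


def plan_bumps(tree_text, report, min_severity="HIGH"):
    """For each affected artifact, list the direct dependencies that introduce the
    installed (vulnerable) version. An empty 'direct' list means the version trivy
    flagged is not in the tree, which is itself worth investigating (stale scan,
    profile-only dependency, or a version only resolved in another module)."""
    tree = parse_tree(tree_text)
    plan = {}
    for v in findings_at_or_above(report, min_severity):
        ga, installed = v["PkgName"], v["InstalledVersion"]
        directs = sorted({path[0] for version, path in tree.get(ga, []) if version == installed})
        entry = plan.setdefault(ga, {"installed": installed, "fixed": v.get("FixedVersion", ""),
                                     "cves": [], "direct": directs})
        entry["cves"].append(v["VulnerabilityID"])
    return plan


if __name__ == "__main__":
    if len(sys.argv) == 3:         # python plan_bumps.py tree.txt trivy.json
        tree_text, report = open(sys.argv[1]).read(), json.load(open(sys.argv[2]))
    else:
        tree_text, report = SAMPLE_TREE, TRIVY_REPORT
    for ga, e in plan_bumps(tree_text, report).items():
        print(f"{ga} {e['installed']} -> {e['fixed']} ({', '.join(e['cves'])})")
        for d in e["direct"] or ["<installed version not found in tree>"]:
            print(f"    bump direct dependency: {d}")
```

For a real run, capture `mvn dependency:tree > tree.txt` and `trivy fs --format json -o trivy.json .` and pass both files to the script. One caveat the PR's approach carries: bumping a direct dependency only clears the finding if the newer release actually resolves the transitive artifact at or beyond trivy's Fixed Version, so re-run the scan afterwards as the author did above; where no release of the direct dependency does, pin the transitive artifact in pom.xml's dependencyManagement instead.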

@Ben10k Ben10k requested a review from a team May 29, 2025 19:24
@acocuzzo (Collaborator) left a comment


Thanks!

@acocuzzo acocuzzo merged commit b0fd07a into googleapis:main May 29, 2025
3 checks passed

Development

Successfully merging this pull request may close these issues.

Dependency "google-oauth-client" has a known vulnerability

2 participants