[fix][build] Suppress Guava CVE-2020-8908 in OWASP dependency check#20005

Merged: lhotari merged 1 commit into apache:master from lhotari:lh-suppress-guava-CVE-2020-8908 on Apr 4, 2023

Conversation

@lhotari lhotari (Member) commented Apr 4, 2023

Motivation

- The vulnerable method is deprecated in Guava, but isn't removed. It's necessary to suppress this CVE.
  See google/guava#4011

Modifications

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete
@lhotari lhotari self-assigned this Apr 4, 2023
@github-actions github-actions Bot added the doc-not-needed ("Your PR changes do not impact docs") label Apr 4, 2023

@eolivelli eolivelli (Contributor) left a comment

+1

@lhotari lhotari merged commit d091675 into apache:master Apr 4, 2023
lhotari added a commit that referenced this pull request Apr 6, 2023
@Technoboy- Technoboy- added this to the 3.0.0 milestone Apr 6, 2023
@FyiurAmron FyiurAmron commented Apr 20, 2023

Frankly, why have you decided to suppress it? If it's your dependency, you'll be transitively including it in any user consuming your library via the classpath. There, it creates a (however unlikely) attack surface, since as long as it's loaded from the classpath at runtime, a malicious actor might use an innocent-looking call to this deprecated method to e.g. create a backdoor that's mostly indistinguishable from normal code.

I agree that this is completely unlikely (mind you, even the base CVE has a very low severity rating by itself), but it's still possible and valid as a vulnerability, especially when coupled with other attack vectors.

TBH, since it's been confirmed by google/guava#6399 (comment) that they are working on an actual fix (i.e. removing the method or providing a safe fallback), wouldn't it be better not to suppress this at all and just wait for it to be closed at the source?
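The suppression entry itself is not shown on this page. The following is an added example of what such an entry looks like in OWASP dependency-check's suppression XML; it is not Pulsar's own file, and the file name and the `until` date are assumptions. The first entry is the over-broad form to avoid; the second is scoped to the single CVE, records the upstream reference from the PR description, and expires so that it gets revisited once Guava ships a fix, which is the practical middle ground between suppressing and waiting for upstream.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: owasp-dependency-check-suppressions.xml (example, not the project's file) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- AVOID: no <cve> element, so every current and future finding for the
       Guava artifact is silenced, not just CVE-2020-8908. -->
  <suppress>
    <notes>Guava false positive</notes>
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
  </suppress>

  <!-- PREFER: one CVE, one artifact, a reason that links the upstream issue,
       and an expiry so the suppression is reviewed instead of forgotten.
       The until date is an assumed placeholder; dependency-check stops
       applying the entry after it and the finding reappears in the report. -->
  <suppress until="2023-12-31Z">
    <notes><![CDATA[
      CVE-2020-8908: Files.createTempDir() is deprecated but not yet removed from Guava.
      See https://github.com/google/guava/issues/4011. Re-evaluate when upstream
      removes the method or provides a safe fallback.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    <cve>CVE-2020-8908</cve>
  </suppress>
</suppressions>
```

The `<cve>` element is what keeps the entry narrow: without it, every finding matched by the `packageUrl` pattern is suppressed.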
