What version of protobuf and what language are you using?
Version: 3.19.4
Language: Java
What operating system (Windows, ...) and version?
Windows 10
What runtime / compiler are you using (e.g., python version or gcc version)
What did you do?
Steps to reproduce the behavior:
- type gradle:dependencies in my project
shows
```
...
|    +--- com.google.protobuf:protobuf-java-util -> 3.19.4
|    |    +--- com.google.protobuf:protobuf-java:3.19.4
|    |    +--- com.google.guava:guava:30.1.1-android
|    |    |    +--- com.google.guava:failureaccess:1.0.1
|    |    |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |    |    +--- org.checkerframework:checker-compat-qual:2.5.5
|    |    |    +--- com.google.errorprone:error_prone_annotations:2.5.1
|    |    |    \--- com.google.j2objc:j2objc-annotations:1.3
|    |    +--- com.google.errorprone:error_prone_annotations:2.5.1
|    |    +--- com.google.j2objc:j2objc-annotations:1.3
|    |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |    \--- com.google.code.gson:gson:2.8.6
...
```
- See error
com.google.code.gson:gson:2.8.6 contains high CVE WS-2021-0419
What did you expect to see
no references to library with known CVEs
What did you see instead?
reference to library (com.google.code.gson:gson:2.8.6) with known CVE (WS-2021-0419)
Make sure you include information that can help us debug (full error message, exception listing, stack trace, logs).
Anything else we should know about your project / environment
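
Added example, not part of the original report or of the protobuf project: a Python check that walks `gradle dependencies` output and lists every chain that resolves to a flagged coordinate, so you can see whether gson 2.8.6 arrives only through protobuf-java-util or through other libraries as well. The sample tree is constructed, and `org.example:other-lib` and the function names are hypothetical.

```python
import re

# Constructed sample in the layout Gradle prints (5 characters per tree level).
SAMPLE = r"""
+--- com.google.protobuf:protobuf-java-util -> 3.19.4
|    +--- com.google.protobuf:protobuf-java:3.19.4
|    +--- com.google.guava:guava:30.1.1-android
|    |    +--- com.google.guava:failureaccess:1.0.1
|    |    \--- com.google.j2objc:j2objc-annotations:1.3
|    +--- com.google.errorprone:error_prone_annotations:2.5.1
|    \--- com.google.code.gson:gson:2.8.6
\--- org.example:other-lib:1.0
     \--- com.google.code.gson:gson:2.8.5 -> 2.8.6 (*)
"""

NODE = re.compile(r"^(?P<indent>[| ]*)[+\\]--- (?P<spec>\S+)(?: -> (?P<to>\S+))?")

def parse_node(line):
    """Return (depth, 'group:name', resolved_version), or None for non-tree lines."""
    m = NODE.match(line)
    if not m:
        return None
    parts = m.group("spec").split(":")
    if len(parts) < 2:
        return None
    # "-> X" means Gradle resolved to X instead of the requested version.
    version = m.group("to") or (parts[2] if len(parts) > 2 else None)
    return len(m.group("indent")) // 5, parts[0] + ":" + parts[1], version

def paths_to(report, module, version):
    """List every chain of coordinates that ends at module:version."""
    stack, hits = [], []
    for line in report.splitlines():
        node = parse_node(line)
        if node is None:
            continue
        depth, name, resolved = node
        del stack[depth:]  # drop the previous sibling and anything deeper
        stack.append(f"{name}:{resolved}")
        if name == module and resolved == version:
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    for chain in paths_to(SAMPLE, "com.google.code.gson:gson", "2.8.6"):
        print(" -> ".join(chain))
```

Each printed chain is one parent that has to be upgraded or overridden before the flagged version leaves the resolved classpath.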