
Update library dependencies #459

Merged 2 commits on Jul 9, 2019

Conversation

@duttonw (Contributor) commented May 23, 2019

Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086

Fixes issue #451

Contributing to Twilio

All third party contributors acknowledge that any contributions they provide will be made under the same open source license that the open source project is provided under.

  • [x] I acknowledge that all my contributions will be made under the project's license.

@childish-sambino (Contributor) commented:

Build is failing because guava 23 was the last version to support Java 7, unless switching to the -android variant.

@duttonw (Contributor, Author) commented May 26, 2019

https://github.com/google/guava/wiki/CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.1

Nice to get to 23, but still in the CVE range.

Java 7 has been EOL for the public since 2015 (2022? for people still paying, and it is still supported in Spring Framework 4.3.x until June 2020)
https://en.wikipedia.org/wiki/Java_version_history#cite_note-ReferenceC-163

@thinkingserious (Contributor) left a comment:

Thank you for the PR @duttonw!

Review threads on: pom.xml (outdated), pom.xml, owasp-dependency-checker-suppressions.xml
Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086, Ignored CVE-2019-12814 until 2.9.9.1 or 2.9.10 is published
@duttonw (Contributor, Author) commented Jul 3, 2019

Have ignored CVE-2019-12814 due to no release being out to fix this yet. Have included comments on what we are waiting on in the OWASP ignore file.
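The kind of entry the comment above describes, written out as an added illustration rather than the PR's actual owasp-dependency-checker-suppressions.xml: a suppression scoped to one artifact and one CVE, with a note recording what the project is waiting on and an `until` date so the suppression expires on its own. The schema namespace and element names (`suppress`, `notes`, `packageUrl`, `cve`, `until`) are OWASP dependency-check's; the expiry date is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not the PR's own suppressions file.
     Element names follow the OWASP dependency-check suppression schema;
     the 'until' date below is a constructed placeholder. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Time-boxed suppression: dependency-check stops honouring the entry
       after the 'until' date, so the build starts failing again if the
       dependency was never upgraded. -->
  <suppress until="2019-10-01Z">
    <notes><![CDATA[
      CVE-2019-12814 (jackson-databind): no fixed release is available yet.
      Waiting on jackson-databind 2.9.9.1 or 2.9.10. Remove this entry and
      bump the dependency as soon as one of those is published.
    ]]></notes>
    <!-- Scope to the single artifact and the single CVE, never to a whole
         groupId or to every finding reported against the artifact. -->
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <cve>CVE-2019-12814</cve>
  </suppress>

</suppressions>
```

Keeping the reason and the exit condition inside the `notes` element, next to the narrowly scoped match, is what makes a suppression reviewable later: anyone reading the file can see why the finding was accepted and what has to happen before the entry is deleted.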

@duttonw (Contributor, Author) commented Jul 3, 2019

Having to think outside the box to get the owasp checker to run on all versions of Java except 1.7 was interesting.
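One way to express "run the OWASP checker on every JDK except 1.7" in Maven, added here as an illustration and not taken from the PR's pom.xml: a profile whose `<jdk>` activation uses Maven's `!` prefix to negate the version match, so the dependency-check plugin is bound to the build everywhere except on a 1.7 JDK. The plugin coordinates (`org.owasp:dependency-check-maven`) and the `check` goal are the real ones; the plugin version, the CVSS threshold and the suppression-file name as a configuration value are assumptions.

```xml
<!-- Added example pom.xml fragment; not the PR's own configuration.
     Plugin version and CVSS threshold are assumed values. -->
<profiles>
  <!-- Maven activates this profile whenever java.version does NOT start
       with "1.7" (the leading '!' negates the match), so the scan is skipped
       only on the JDK the plugin cannot run on and runs by default elsewhere. -->
  <profile>
    <id>owasp-dependency-check</id>
    <activation>
      <jdk>!1.7</jdk>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>5.2.0</version> <!-- assumed version -->
          <configuration>
            <!-- Fail the build on any unsuppressed finding with CVSS >= 7 -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <suppressionFiles>
              <suppressionFile>owasp-dependency-checker-suppressions.xml</suppressionFile>
            </suppressionFiles>
          </configuration>
          <executions>
            <execution>
              <goals>
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Putting the negation in the activation rather than adding a skip flag to each CI job keeps the default safe: a new JDK added to the build matrix is scanned without anyone remembering to opt it in, and only the one legacy JDK opts out.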

@thinkingserious thinkingserious merged commit c00c64c into twilio:master Jul 9, 2019
FalguniV pushed a commit to FalguniV/twilio-java that referenced this pull request Oct 13, 2020
* Update library dependencies

Issues found and libraries updated to latest versions:
guava-18.0: CVE-2018-10237
jackson-databind-2.9.8: CVE-2019-12086, Ignored CVE-2019-12814 until 2.9.9.1 or 2.9.10 is published

* Disable owasp for jdk 1.7 builds