[m2e-dev] guava bundled with m2e

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[m2e-dev] guava bundled with m2e

From: "Homer, Tony" <tony.homer@xxxxxxxxx>
Date: Fri, 22 Jan 2021 19:52:17 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1gwsG7BVU4MeSHdBCvTnAB9G8j42xx5erizA4pTyBYo=; b=WTn8f90E8dk4bPi83FXj9PFOi9VLMQ0Bx8TTMjvfKVsyv4D79phlo7HcoMuWaysbKvnGvcTyycAYgcgycAxBnpRFxO3zA6Q5aiTMm2HVV3lmG2qmrBtDHK1jfxl1eszeEuSstxt9okGXjfSbaXuLEZpAdmuSQuerAEy+w2JmSR1hH6ZTWnOYp4hwiijdY9y6RKKcPp7jfuhhS+WS2bE4ZHzOLTOoICMgX309KQiFXnkqixdlKYRzMtDRq3TPToA9PoL6zS9blaN25m7MDCHBM0hLZFnCVxh91cp/agY8kdgCwTGByTwgUOvWFvMFzSFUEIr6IPXgQzX/exbsgd5ppA==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=j+QEwZ0pl64OKs1fsnWDr0ZOEMiT8eMkK/4zPbKbSAB/SUl7L0S8Od4b6PCT8+6UgWATFwX5KU2w7paAUrBckKZiixRxiKxA5QLg3RPO92WJLOz7FJmAfisTk4giRuk/13YMnEaVdVZ71w8yxIbIHusf6LpAvWIZbssgf1vVPBJWJ4PpE9rDE14SE/OSeLBdOQKiJZpfNmXqRmFEwn5OtY+/HJveH5jPEQ9vRTzZnXeHz+pJNHTtS1j1ilgC0TCfIAEjZ1WdM70XjFoaw4wnshXVeRwPgASApgsyA7A8pdQfOGqFjmnhM9oxCt46n+gTpbE4DU39XSP8+JaRLmSC2g==
Delivered-to: m2e-dev@xxxxxxxxxxx
Ironport-sdr: Hs/HOU8hgeZVpToL0CiYbtkRMP7EyDN/ktbzZEFjV/kEK7gfMdyvLCsDsTbloKocjQQAO3vJ/v 9rMFUpOnedSg==
Ironport-sdr: UaZ9VjvtKn9vDm4dz964cYZyTytQASeUbaBf9J8wZT45Kx7HEj3Psb8sOiFzGcl7qKCUAhsnoD VxVQi2B6hemw==
List-archive: <https://www.eclipse.org/mailman/private/m2e-dev/>
List-help: <mailto:m2e-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/m2e-dev>, <mailto:m2e-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/m2e-dev>, <mailto:m2e-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHW8PgWNTKjFoETbkOsgrOY+BLrOQ==
Thread-topic: guava bundled with m2e
User-agent: Microsoft-MacOutlook/16.45.21010502

Hi m2e-dev.

Today I noticed that, starting with 1.17.0, guava 20.0 is bundled in org.eclipse.m2e.maven.indexer.

Prior to 1.17.0 there was no guava bundled in org.eclipse.m2e.maven.indexer.

org.eclipse.m2e.maven.runtime bundles guava 25.1-android, at least since 1.16.0 (I did not check older versions).

guava < 24.1.1 is vulnerable to CVE-2018-10237.

guava < 30.0 is vulnerable to CVE-2020-8908.

The newest guava in Orbit is 27.1.0, so I’ll open a bug to add guava 30.1 to Orbit and get it added ASAP.

I’ll open a bug to update m2e to guava 30+ and mark it blocked by the Orbit issue.

I’m not sure that this can all be done in time for 2021-03, so it would be nice to at least remove the exposure to CVE-2018-10237 from guava 20.0.

Was guava 20.0 intentionally added to org.eclipse.m2e.maven.indexer?

Would it be possible to instead depend on the guava bundled with org.eclipse.m2e.maven.runtime?

Thanks!

Tony Homer

Follow-Ups:
- Re: [m2e-dev] guava bundled with m2e
  - From: Mickael Istria

Prev by Date: [m2e-dev] Committer Election for Christoph Laeubrich on Eclipse Maven Integration has started
Next by Date: Re: [m2e-dev] guava bundled with m2e
Previous by thread: [m2e-dev] Committer Election for Christoph Laeubrich on Eclipse Maven Integration has started
Next by thread: Re: [m2e-dev] guava bundled with m2e
Index(es):
- Date
- Thread

Breadcrumbs