Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency on google-http-client with includes a vulnerable version of io.grpc:grpc-context #2416

Closed
rogierslag opened this issue Jan 18, 2024 · 2 comments
Closed

Dependency on google-http-client with includes a vulnerable version of io.grpc:grpc-context #2416

rogierslag opened this issue Jan 18, 2024 · 2 comments
Assignees
@suztomo
Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@rogierslag
Copy link

rogierslag commented Jan 18, 2024
edited

This library has a dependency on google-http-client (version 1.42.3) which ultimately depends on a version of grpc-context (1.27.2) which is vulnerable to several CVEs.

The exact dependency chain is as follows:

[INFO] +- com.google.api-client:google-api-client:jar:2.2.0:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.google.oauth-client:google-oauth-client:jar:1.34.1:compile
[INFO] |  +- com.google.http-client:google-http-client-gson:jar:1.42.3:compile
[INFO] |  |  \- com.google.code.gson:gson:jar:2.10:compile
[INFO] |  +- com.google.http-client:google-http-client-apache-v2:jar:1.42.3:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] |     +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |     |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] |     \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile

The vulnerable library is ultimately included through opensensus, but that repository has been archived on Github, and the code is since unmaintained. The vulnerable version of grpc is defined here.

Would it be possible to remove the ultimate dependency on this grpc package, or potentially remove the unmaintained code as dependencies altogether?

Also flagged in googleapis/google-http-java-client#1915
@suztomo suztomo added the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Jan 23, 2024
@suztomo suztomo self-assigned this Jan 23, 2024
@suztomo suztomo added the type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. label Jan 23, 2024
@suztomo suztomo mentioned this issue Jan 23, 2024
Merged
@suztomo
Copy link
Member

suztomo commented Jan 29, 2024

The dependency graph of #2422 shows io.grpc:grpc-context:jar:1.60.1:compile.

[INFO] --------------< com.google.api-client:google-api-client >---------------
[INFO] Building Google APIs Client Library for Java 2.2.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ google-api-client ---
[INFO] com.google.api-client:google-api-client:jar:2.2.1-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.16.0:compile
[INFO] +- com.google.oauth-client:google-oauth-client:jar:1.35.0:compile
[INFO] +- com.google.http-client:google-http-client-gson:jar:1.44.1:compile
[INFO] +- com.google.guava:guava:jar:32.0.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.33.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.18.0:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] +- com.google.http-client:google-http-client-apache-v2:jar:1.44.1:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.google.http-client:google-http-client:jar:1.44.1:compile
[INFO] |  +- io.grpc:grpc-context:jar:1.60.1:compile
[INFO] |  |  \- io.grpc:grpc-api:jar:1.60.1:runtime
[INFO] |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile
[INFO] +- com.google.code.gson:gson:jar:2.10.1:test
[INFO] +- com.google.protobuf:protobuf-java:jar:3.25.2:test
[INFO] +- com.google.http-client:google-http-client-protobuf:jar:1.44.1:test
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test

@suztomo suztomo mentioned this issue Jan 29, 2024
Merged
1 task
@suztomo
Copy link
Member

suztomo commented Jan 30, 2024

With the latest release of 2.3.0, the grpc-context is newer version (io.grpc:grpc-context:jar:1.60.1:compile) than the one tagged with vulnerabilities.

[INFO] --------------< com.google.api-client:google-api-client >---------------
[INFO] Building Google APIs Client Library for Java 2.3.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ google-api-client ---
[INFO] com.google.api-client:google-api-client:jar:2.3.1-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.16.0:compile
[INFO] +- com.google.oauth-client:google-oauth-client:jar:1.35.0:compile
[INFO] +- com.google.http-client:google-http-client-gson:jar:1.44.1:compile
[INFO] +- com.google.guava:guava:jar:32.0.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.33.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.18.0:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] +- com.google.http-client:google-http-client-apache-v2:jar:1.44.1:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.google.http-client:google-http-client:jar:1.44.1:compile
[INFO] |  +- io.grpc:grpc-context:jar:1.60.1:compile
[INFO] |  |  \- io.grpc:grpc-api:jar:1.60.1:runtime
[INFO] |  +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile
[INFO] +- com.google.code.gson:gson:jar:2.10.1:test
[INFO] +- com.google.protobuf:protobuf-java:jar:3.25.2:test
[INFO] +- com.google.http-client:google-http-client-protobuf:jar:1.44.1:test
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test

@suztomo suztomo closed this as completed Jan 30, 2024
@suztomo suztomo mentioned this issue May 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@suztomo suztomo

Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@suztomo @rogierslag