Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using Older Version of Guava that is Vulnerable to CVE-2018-10237 #22

Open
Ghoublai-Khan opened this issue Oct 4, 2019 · 0 comments
Open

Using Older Version of Guava that is Vulnerable to CVE-2018-10237 #22

Ghoublai-Khan opened this issue Oct 4, 2019 · 0 comments

Comments

@Ghoublai-Khan
Copy link

We've been using this plugin for a while along with the latest version of spotbugs and really appreciate the issues that it points out. I noticed that the project is using a version of guava that is vulnerable to CVE-2018-10237.

I noticed that this project has been kept on Java 7 to match the pulled in the version of findbugs. It looks like there is not a version of guava that is built on Java 7 with this issue resolved. Since 24.1.1 is the last version of guava that is vulnerable to this issue and that is after the split to guava-jre and guava-android. What about using one of the guava-android dependencies since those are still on Java 7 to resolve the issue? Or the version of the findbugs library could be updated since the latest is now using Java 8 and then take the latest version of guava-jre. I'd be happy to contribute a pull request if there is interest.

Thanks again!

https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Ghoublai-Khan