
Guava Transitive Dependency CVE-2023-2976 #712

Closed
mmastika opened this issue Jul 27, 2023 · 4 comments
Labels
P1 type: bug Something isn't working

Comments

@mmastika

mmastika commented Jul 27, 2023

Hi,

I'm using com.google.cloud:cloud-spanner-spring-data-r2dbc:1.2.2, which is affected by CVE-2023-2976, which is subsequently addressed in google/guava#2575. The transitive dependency which brings in the affected guava is com.google.cloud:google-cloud-spanner:6.42.3.

Forcefully updating/constraining the dependency to com.google.cloud:google-cloud-spanner:6.43.2 results in:

> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava.
     Required by:
         project : > com.google.cloud:google-cloud-spanner:6.43.2
         project : > com.google.cloud:google-cloud-spanner:6.43.2 > com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.43.2
         project : > com.google.cloud:google-cloud-spanner:6.43.2 > com.google.api.grpc:proto-google-cloud-spanner-v1:6.43.2
         project : > com.google.cloud:google-cloud-spanner:6.43.2 > com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.43.2
         project : > com.google.cloud:google-cloud-spanner:6.43.2 > com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.43.2
         project : > com.google.cloud:google-cloud-spanner:6.43.2 > com.google.api.grpc:grpc-google-cloud-spanner-v1:6.43.2
         project : > com.google.cloud:google-cloud-spanner:6.43.2 > com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.43.2
      > Module 'com.google.guava:listenablefuture' has been rejected:
           Cannot select module with conflict on capability 'com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava' also provided by [com.google.guava:guava:32.1.1-jre(jreApiElements)]
   > Could not resolve com.google.guava:guava:32.1.1-jre.
     Required by:
         project : > com.google.cloud:google-cloud-spanner:6.43.2
      > Module 'com.google.guava:guava' has been rejected:
           Cannot select module with conflict on capability 'com.google.guava:listenablefuture:1.0' also provided by [com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava(compile)]

Requesting some help to address the CVE.
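
One way to get past the capability conflict shown in the Gradle output above while keeping the newer guava, as an added Gradle (Groovy DSL) example: it is not from this thread or the project, the later comments do not confirm it as the fix, and it assumes Gradle 6 or newer and a plain Java project.

```groovy
// build.gradle (Groovy DSL). Added example, not from this issue or the project;
// assumes Gradle 6+, where capability conflict resolution rules are available.

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.google.cloud:cloud-spanner-spring-data-r2dbc:1.2.2'

    constraints {
        // Pull the Spanner client up to the release the reporter tried; the
        // maintainer's mvn dependency:tree shows it bringing in guava 32.1.1-jre.
        implementation('com.google.cloud:google-cloud-spanner:6.43.2') {
            because 'older transitive guava is affected by CVE-2023-2976'
        }
        implementation('com.google.guava:guava:32.1.1-jre') {
            because 'CVE-2023-2976'
        }
    }
}

configurations.all {
    // The error says both guava 32.1.1-jre (jreApiElements) and the empty
    // listenablefuture 9999.0 placeholder provide the capability
    // 'com.google.guava:listenablefuture', and Gradle refuses to pick one.
    // Resolve that conflict in favour of guava, which actually contains the
    // ListenableFuture classes, instead of the empty placeholder jar.
    resolutionStrategy.capabilitiesResolution.withCapability('com.google.guava:listenablefuture') { details ->
        def guava = details.candidates.find { it.id.module == 'guava' }
        if (guava != null) {
            details.select(guava)
            details.because('guava provides ListenableFuture; the 9999.0 artifact is an empty placeholder')
        }
    }
}

// Check the result with:
//   ./gradlew dependencyInsight --configuration compileClasspath --dependency com.google.guava:guava
// The report should show a single guava 32.1.1-jre and no listenablefuture conflict.
```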

@mpeddada1 mpeddada1 added type: bug Something isn't working P1 labels Jul 27, 2023
@mpeddada1

Thanks for filing this issue!

Adding in some notes from initial analysis:
com.google.cloud:cloud-spanner-spring-data-r2dbc:1.2.2 was released with libraries-bom 26.16.0, which brings in guava 31.1-jre.

However, running mvn dependency:tree on the current main shows that we are bringing in a newer version, 32.1.1:

[INFO] |  |  \- com.google.cloud:google-cloud-spanner:jar:6.43.2:compile
[INFO] |  |     +- com.google.cloud:grpc-gcp:jar:1.4.1:compile
[INFO] |  |     +- io.grpc:grpc-api:jar:1.55.3:compile
[INFO] |  |     +- com.google.errorprone:error_prone_annotations:jar:2.18.0:compile
[INFO] |  |     +- io.grpc:grpc-auth:jar:1.55.3:compile
[INFO] |  |     +- io.grpc:grpc-context:jar:1.55.3:compile
[INFO] |  |     +- io.grpc:grpc-core:jar:1.55.3:compile
. . .
[INFO] |  |     +- com.google.guava:guava:jar:32.1.1-jre:compile

@meltsufin
Member

@mmastika Please try version 3.6.1, which was released from the spring-cloud-gcp repo. Future releases of cloud-spanner-spring-data-r2dbc will be published from spring-cloud-gcp. Please also file an issue in that repository if the new version doesn't help.

@mmastika
Author

Hi @meltsufin,

Thanks for the help. I've attempted to upgrade and it doesn't work.

I've also commented here; apparently it's issue spring-cloud-gcp/issues/2084.

As a side note, will there be work to remove this repository? Currently the experience of developing with Google's GCP products is not very pleasant. One of the major issues is caused by the outdated information scattered across the internet.

@meltsufin
Member

No plans to remove this repository. We're just migrating the Spring-related module to the Spring Cloud GCP repository, where it fits better. We're actively investigating the Guava Gradle issue. Stay tuned.

3 participants