Several high CVEs related to dependency com.google.protobuf:protobuf-java:3.19.2 #3945
copybara-service bot pushed a commit that referenced this issue on Jun 8, 2023:

> Upgrade protobuf-java to 3.19.6 to remove presence of CVE-2022-3171, CVE-2022-3509, and CVE-2022-3510. Upgrade protoc-gen-grpc-java to 1.43.3 since it also depends on protobuf-java 3.19.6.
>
> Closes #3945. Fixes #3946
>
> FUTURE_COPYBARA_INTEGRATE_REVIEW=#3946 from k-mack:protobuf-java-3.19.6 0039c56
> PiperOrigin-RevId: 538782457
benkard pushed a commit to benkard/jgvariant that referenced this issue on Jun 18, 2023:

> This MR contains the following updates:
>
> | Package | Type | Update | Change |
> |---|---|---|---|
> | [com.google.errorprone:error_prone_core](https://errorprone.info) ([source](https://github.com/google/error-prone)) | | minor | `2.19.1` -> `2.20.0` |
> | [com.google.errorprone:error_prone_annotations](https://errorprone.info) ([source](https://github.com/google/error-prone)) | compile | minor | `2.19.1` -> `2.20.0` |
>
> ---
>
> ### Release Notes
>
> <details>
> <summary>google/error-prone</summary>
>
> ### [`v2.20.0`](https://github.com/google/error-prone/releases/tag/v2.20.0): Error Prone 2.20.0
>
> [Compare Source](google/error-prone@v2.19.1...v2.20.0)
>
> Changes:
>
> - This release is compatible with early-access builds of JDK 21.
>
> New Checkers:
>
> - [`InlineTrivialConstant`](https://errorprone.info/bugpattern/InlineTrivialConstant)
> - [`UnnecessaryStringBuilder`](https://errorprone.info/bugpattern/UnnecessaryStringBuilder)
> - [`BanClassLoader`](https://errorprone.info/bugpattern/BanClassLoader)
> - [`DereferenceWithNullBranch`](https://errorprone.info/bugpattern/DereferenceWithNullBranch)
> - [`DoNotUseRuleChain`](https://errorprone.info/bugpattern/DoNotUseRuleChain)
> - [`LockOnNonEnclosingClassLiteral`](https://errorprone.info/bugpattern/LockOnNonEnclosingClassLiteral)
> - [`MissingRefasterAnnotation`](https://errorprone.info/bugpattern/MissingRefasterAnnotation)
> - [`NamedLikeContextualKeyword`](https://errorprone.info/bugpattern/NamedLikeContextualKeyword)
> - [`NonApiType`](https://errorprone.info/bugpattern/NonApiType)
>
> Fixes issues: [#2232](google/error-prone#2232), [#2243](google/error-prone#2243), [#2997](google/error-prone#2997), [#3301](google/error-prone#3301), [#3843](google/error-prone#3843), [#3903](google/error-prone#3903), [#3918](google/error-prone#3918), [#3923](google/error-prone#3923), [#3931](google/error-prone#3931), [#3945](google/error-prone#3945), [#3946](google/error-prone#3946)
>
> **Full Changelog**: google/error-prone@v2.19.1...v2.20.0
>
> </details>
>
> ---
>
> ### Configuration
>
> 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
>
> 🚦 **Automerge**: Enabled.
>
> ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.
>
> 🔕 **Ignore**: Close this MR and you won't be reminded about these updates again.
>
> ---
>
> This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Integrated error-prone into a project today and the dependency scanner returned the following high CVEs:

The project uses com.google.protobuf:protobuf-java:3.19.2, so bumping to 3.19.6 will fix it. Bumping io.grpc:protoc-gen-grpc-java to 1.43.3 will keep the two synchronized.
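An added example, not code from this issue or from the error-prone project: a small Python check that reads `mvn dependency:tree` output and flags the protobuf-java version this issue is about. It assumes the coordinate format that goal prints (`groupId:artifactId[:packaging]:version[:scope]`) and a constructed sample tree; the 3.19.6 threshold is the one stated in the issue, and versions on other release lines are reported as unknown rather than assumed safe.

```python
"""Flag protobuf-java versions below the 3.19.6 patch level in Maven dependency-tree output."""
import re

# Coordinate as printed by `mvn dependency:tree`:
#   groupId:artifactId[:packaging]:version[:scope]
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:[\w\-]+:)?(?P<version>\d+(?:\.\d+)+)"
)

WATCHED_ARTIFACT = ("com.google.protobuf", "protobuf-java")
# Patched version on the 3.19 line, as stated in the issue (3.19.2 -> 3.19.6
# removes CVE-2022-3171, CVE-2022-3509 and CVE-2022-3510).
PATCHED_3_19 = (3, 19, 6)


def parse_version(version: str) -> tuple:
    """'3.19.2' -> (3, 19, 2); numeric tuples compare correctly, strings do not."""
    return tuple(int(part) for part in version.split("."))


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a protobuf-java version.

    Only the 3.19 release line is judged here; any other line gets 'unknown'
    so the check never reports a version as safe without evidence.
    """
    parsed = parse_version(version)
    if parsed[:2] == (3, 19):
        return "fixed" if parsed >= PATCHED_3_19 else "vulnerable"
    return "unknown"


def scan_tree(tree_output: str) -> list:
    """Return [(version, verdict)] for every protobuf-java node in the tree."""
    findings = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if match and (match["group"], match["artifact"]) == WATCHED_ARTIFACT:
            findings.append((match["version"], classify(match["version"])))
    return findings


# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.google.errorprone:error_prone_core:jar:2.19.1:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.19.2:compile
[INFO] \\- io.grpc:protoc-gen-grpc-java:jar:1.43.3:compile
"""

if __name__ == "__main__":
    for version, verdict in scan_tree(SAMPLE_TREE):
        print(f"protobuf-java {version}: {verdict}")  # protobuf-java 3.19.2: vulnerable
```

Pipe real output in with `mvn dependency:tree | python3 check_protobuf.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.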