[Snyk] Fix for 11 vulnerabilities #577
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244 - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-10332631 - https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236 - https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415 - https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-5710356
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| <commons-pool2.version>2.6.2</commons-pool2.version> | ||
| <datanucleus-core.version>4.1.17</datanucleus-core.version> | ||
| <guava.version>14.0.1</guava.version> | ||
| <guava.version>32.0.0-android</guava.version> |
There was a problem hiding this comment.
Updating ${guava.version} to 32.0.0-android here makes Maven builds compile against Guava 32, while the sbt build (see project/SparkBuild.scala:625) still defaults to 14.0.1 via DependencyOverrides, and Guava is marked provided in this POM. As a result the vulnerability fix is silently skipped for the default sbt packaging and Maven vs sbt artifacts are built against different Guava APIs, leaving behaviour and security remediation dependent on the build tool.
Useful? React with 👍 / 👎.
2 participants
Snyk has created this PR to fix 11 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-ORGAPACHECOMMONS-10734078
3.9->3.18.0No Known ExploitSNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754
2.10.0->2.15.0No Known ExploitSNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538
2.10.0->2.15.0No Known ExploitSNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302
2.10.0->2.15.0No Known ExploitSNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424
2.10.0->2.15.0Proof of ConceptSNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426
2.10.0->2.15.0Proof of ConceptSNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244
2.10.0->2.15.0No Known ExploitSNYK-JAVA-COMFASTERXMLJACKSONCORE-10332631
2.10.0->2.15.0Proof of ConceptSNYK-JAVA-COMGOOGLEGUAVA-32236
14.0.1->32.0.0-androidNo Known ExploitSNYK-JAVA-COMGOOGLEGUAVA-1015415
14.0.1->32.0.0-androidProof of ConceptSNYK-JAVA-COMGOOGLEGUAVA-5710356
14.0.1->32.0.0-androidNo Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Information Exposure
🦉 Denial of Service (DoS)
🦉 XML External Entity (XXE) Injection
🦉 More lessons are available in Snyk Learn