
[Bug]: Upgrade to Guava 32+ to fix CVE-2023-2976 #7525

Closed
ppalaga opened this issue Sep 12, 2023 · 4 comments · Fixed by #7534
ppalaga commented Sep 12, 2023

Module

Core

Testcontainers version

1.19.0

Using the latest Testcontainers version?

Yes

Host OS

any

Host Arch

any

Docker version

irrelevant

What happened?

I hope my understanding is correct that the shaded org/testcontainers/shaded/com/google/common/io/FileBackedOutputStream.class file in org.testcontainers:testcontainers:1.19.0 comes from guava 30.1.1-jre:
https://github.com/testcontainers/testcontainers-java/blob/1.19.0/build.gradle#L8

Guava versions >= 1.0, < 32.0.0 suffer from CVE-2023-2976 alias google/guava#2575

It would be nice to upgrade the shaded Guava and release

Relevant log output

No response

Additional Information

No response

eddumelendez (Member) commented

Hi @ppalaga, that guava version is used by the japicmp plugin for Gradle configuration purposes. The shaded guava library is coming from https://github.com/docker-java/docker-java which is not being used anymore.

eddumelendez (Member) commented Sep 15, 2023

#7534 should fix it but will take a look in more detail once I'm back from vacation.

eddumelendez (Member) commented

You can also exclude it and it should be fine.

ppalaga (Author) commented Sep 19, 2023

> #7534 should fix it but will take a look in more detail once I'm back from vacation.

Thanks, I have built #7534 and the output of javap -c FileBackedOutputStream.class embedded in testcontainers resembles the one from guava 32.1.2-jre.

When can we expect a release with the above fix?
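The check ppalaga describes above, comparing the shaded class against a known Guava release, can be automated without javap by reading the class file's constant pool. The script below is an added example, not code from this issue, from Testcontainers or from Guava: it scans a jar for any FileBackedOutputStream.class under a com/google/common/io/ path (shaded under org/testcontainers/shaded/ or not) and reports which temp-file API that class references. It assumes, from reading Guava's sources, that the class in Guava 32.x delegates to com.google.common.io.TempFileCreator while earlier releases call java.io.File.createTempFile directly; treat that as a heuristic fingerprint, not an authoritative version check. The class files and jars used by its self-test are constructed in memory.

```python
"""Scan a jar for a (shaded) Guava FileBackedOutputStream and report which
temp-file API it references.  Added example; not Testcontainers or Guava code.
Assumption (from reading Guava sources): 32.x uses TempFileCreator, earlier
releases call java.io.File.createTempFile.  Fixture jars are constructed."""
import io
import struct
import sys
import zipfile

SHADED_PREFIX = "org/testcontainers/shaded/com/google/common/io/"
VERDICT_PRE32 = "pre-32 style: calls java.io.File.createTempFile (CVE-2023-2976)"
VERDICT_32PLUS = "32+ style: delegates to TempFileCreator"
VERDICT_UNKNOWN = "unknown: neither temp-file API referenced"


def parse_constant_pool(data):
    """Return (referenced class names, 'owner.method' refs) from a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count
    pool, pos, idx = {}, 10, 1                    # pool indexes start at 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                              # Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[idx] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in (3, 4):                       # Integer, Float
            pool[idx] = (tag, None); pos += 4
        elif tag in (5, 6):                       # Long, Double: 8 bytes, 2 slots
            pool[idx] = (tag, None); pos += 8; idx += 1
        elif tag in (7, 8, 16, 19, 20):           # Class, String, MethodType, Module, Package
            pool[idx] = (tag, struct.unpack(">H", data[pos:pos + 2])[0]); pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):      # *ref, NameAndType, (Invoke)Dynamic
            pool[idx] = (tag, struct.unpack(">HH", data[pos:pos + 4])); pos += 4
        elif tag == 15:                           # MethodHandle: u1 kind + u2 index
            pool[idx] = (tag, struct.unpack(">BH", data[pos:pos + 3])); pos += 3
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 1
    utf8 = lambda i: pool[i][1]
    classes = {utf8(p) for t, p in pool.values() if t == 7}
    methods = set()
    for t, p in pool.values():
        if t in (10, 11):                         # Methodref / InterfaceMethodref
            owner = utf8(pool[p[0]][1])           # Class -> Utf8
            name = utf8(pool[p[1]][1][0])         # NameAndType -> name Utf8
            methods.add(owner + "." + name)
    return classes, methods


def classify(classes, methods):
    """Heuristic verdict on which temp-file API the class uses (see assumption)."""
    if any(c.endswith("/TempFileCreator") for c in classes):
        return VERDICT_32PLUS
    if "java/io/File.createTempFile" in methods:
        return VERDICT_PRE32
    return VERDICT_UNKNOWN


def scan_jar(jar_bytes):
    """Map every (shaded or plain) FileBackedOutputStream entry to a verdict."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("com/google/common/io/FileBackedOutputStream.class"):
                out[name] = classify(*parse_constant_pool(zf.read(name)))
    return out


def build_class(this_name, owner, method):
    """Constructed minimal class file whose pool holds a Methodref owner.method."""
    pool = []
    add = lambda e: (pool.append(e), len(pool))[1]
    u = lambda s: add(b"\x01" + struct.pack(">H", len(s)) + s.encode())
    this_cls = add(b"\x07" + struct.pack(">H", u(this_name)))
    owner_cls = add(b"\x07" + struct.pack(">H", u(owner)))
    nat = add(b"\x0c" + struct.pack(">HH", u(method), u("()Ljava/io/File;")))
    add(b"\x0a" + struct.pack(">HH", owner_cls, nat))
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    tail = struct.pack(">HHHHHHH", 0x21, this_cls, 0, 0, 0, 0, 0)  # flags .. attrs
    return head + b"".join(pool) + tail


def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


SHADED_FBOS = SHADED_PREFIX + "FileBackedOutputStream"
OLD_JAR = build_jar({SHADED_FBOS + ".class": build_class(SHADED_FBOS, "java/io/File", "createTempFile")})
NEW_JAR = build_jar({SHADED_FBOS + ".class": build_class(SHADED_FBOS, SHADED_PREFIX + "TempFileCreator", "createTempFile")})

if __name__ == "__main__":
    jar = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else OLD_JAR
    for path, verdict in (scan_jar(jar) or {"(none)": "no FileBackedOutputStream in jar"}).items():
        print(path, "->", verdict)
```

Run it against a real artifact with `python check_shaded_guava.py testcontainers-1.19.0.jar` (with no argument it scans the constructed pre-32 fixture). The point of inspecting the jar contents rather than the POM is that a shaded class carries no dependency coordinates, so a version-based scanner that only reads declared dependencies will not see a vulnerable copy like the one reported in this issue.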
