
Update to graphQL Java 18.6


    • Task
    • Resolution: Fixed
    • Neutral
    • BOM 6.2.38
    • BOM 6.2.34
    • DevX 43

      [ERROR] One or more dependencies were identified with vulnerabilities: [graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)
      [ERROR] magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)

      Not an actual vulnerability; see below for why.

      We don't actually use the affected classes in CVE-2023-2976, so this library was never vulnerable to CVE-2023-2976. However, in #3239 we received reports that security scanners have mistakenly flagged graphql-java as vulnerable because we do still include the Guava POM inside the META-INF directory of our jar. 

      https://github.com/graphql-java/graphql-java/pull/3243 
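      To triage a finding like the one above, it helps to check whether the flagged artifact is actually shipped as classes inside the jar or only referenced by a bundled POM under META-INF/maven. The script below is an added example, not code from this ticket or from the graphql-java project; it builds a small constructed jar that mimics the situation (graphql-java classes plus a Guava pom.xml, no Guava classes) and reports which case applies. The package directory for the flagged artifact (Guava: com/google/common/) is an assumption the caller supplies, since a groupId alone does not determine it.

```python
"""Triage a dependency-check finding: is the flagged artifact really shipped
inside the jar, or is only its Maven POM bundled under META-INF/maven?"""
import io
import zipfile


def build_sample_jar(with_guava_classes: bool) -> bytes:
    """Constructed sample jar, not the real graphql-java artifact: it holds a
    graphql-java class plus a bundled Guava pom.xml; optionally also a
    (shaded) Guava class so the positive case can be exercised too."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("graphql/GraphQL.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.xml",
                     "<project><artifactId>guava</artifactId></project>")
        if with_guava_classes:
            jar.writestr("com/google/common/io/Files.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def triage(jar_bytes: bytes, group_id: str, artifact_id: str,
           package_dir: str) -> dict:
    """Compare one flagged artifact against the jar contents.

    package_dir is the directory under which that artifact's classes live
    (assumed 'com/google/common/' for Guava); it is supplied by the caller
    because the Maven groupId does not determine the Java package.
    """
    pom_path = f"META-INF/maven/{group_id}/{artifact_id}/pom.xml"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    shipped = [n for n in names
               if n.startswith(package_dir) and n.endswith(".class")]
    pom_bundled = pom_path in names
    if shipped:
        verdict = "classes shipped: treat the finding as real"
    elif pom_bundled:
        verdict = "POM metadata only: likely scanner false positive"
    else:
        verdict = "artifact not present in this jar"
    return {"pom_bundled": pom_bundled,
            "classes_shipped": len(shipped),
            "verdict": verdict}


if __name__ == "__main__":
    for flag in (False, True):
        print(triage(build_sample_jar(flag), "com.google.guava", "guava",
                     "com/google/common/"))
```

      Run against a real jar, replace build_sample_jar() with the bytes of the artifact under review; a "POM metadata only" verdict still leaves the question of whether a runtime dependency on the flagged artifact exists elsewhere in the classpath.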

        Acceptance criteria

              Dai Ha
              Federico Grilli
              DeveloperX