
Update to graphQL Java 18.6


Details

    • Task
    • Resolution: Fixed
    • Neutral
    • BOM 6.2.38
    • BOM 6.2.34
    • None
    • Yes
    • DevX 43
    • Yes

    Description

      [ERROR] One or more dependencies were identified with vulnerabilities: [graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)[ERROR] magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)
      

      Not an actual vulnerability; see below for why.

      We don't actually use the affected classes in CVE-2023-2976, so this library was never vulnerable to CVE-2023-2976. However, in #3239 we received reports that security scanners have mistakenly flagged graphql-java as vulnerable because we do still include the Guava POM inside the META-INF directory of our jar. 

      https://github.com/graphql-java/graphql-java/pull/3243 
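      An added triage check, not part of this ticket or of graphql-java, that reproduces the distinction the upstream explanation draws: it lists the Maven POMs embedded under META-INF/maven in a jar and reports which of them have no matching classes shipped alongside. The sample jar is constructed in memory to mirror the scanner output above, and the coordinate-to-package table is an assumption supplied by the reviewer (Guava's classes live under com.google.common).

```python
import io
import zipfile
from typing import Dict, List

# Reviewer-supplied knowledge of where an artifact's classes live (assumed table).
PACKAGE_OF: Dict[str, str] = {"com.google.guava:guava": "com/google/common/"}


def embedded_poms(names: List[str]) -> List[str]:
    """Maven coordinates (groupId:artifactId) of every pom.xml under META-INF/maven/.
    Dependency scanners read these entries to decide which artifacts a jar contains."""
    coords = []
    for name in names:
        parts = name.split("/")
        if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.xml":
            coords.append(f"{parts[2]}:{parts[3]}")
    return sorted(coords)


def metadata_only_poms(jar_bytes: bytes, package_of: Dict[str, str]) -> List[str]:
    """Coordinates whose POM is embedded but whose classes are not shipped in the jar.
    Artifacts absent from package_of are skipped and left for manual review."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    orphans = []
    for coord in embedded_poms(names):
        prefix = package_of.get(coord)
        if prefix is None:
            continue
        if not any(n.startswith(prefix) and n.endswith(".class") for n in names):
            orphans.append(coord)
    return orphans


def build_sample_jar(ship_guava_classes: bool = False) -> bytes:
    """Constructed stand-in for graphql-java-17.6.jar: its own classes under graphql/,
    plus Guava's POM under META-INF (the path the scanner reported) and no Guava classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/maven/com.graphql-java/graphql-java/pom.xml", "<project/>")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.xml", "<project/>")
        jar.writestr("graphql/GraphQL.class", b"\xca\xfe\xba\xbe")
        if ship_guava_classes:  # the case where the scanner's flag would be a real finding
            jar.writestr("com/google/common/collect/Lists.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print("POM present, classes missing:", metadata_only_poms(build_sample_jar(), PACKAGE_OF))
    print("POM present, classes shipped:", metadata_only_poms(build_sample_jar(True), PACKAGE_OF))
```

      A coordinate that comes back from metadata_only_poms is one the scanner attributed from metadata alone; an empty result means the classes really ship and the finding needs proper review.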

              People

                dai.ha Dai Ha
                fgrilli Federico Grilli
                DeveloperX