[BUILD-1088] Update to graphQL Java 18.6

Created: 08/Jun/23 | Updated: 23/Oct/23 | Resolved: 09/Aug/23

| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | BOM 6.2.34 |
| Fix Version/s: | BOM 6.2.38 |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Federico Grilli |
| Assignee: | Dai Ha |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | security |
| Σ Remaining Estimate: | Not Specified |
| Remaining Estimate: | Not Specified |
| Σ Time Spent: | Not Specified |
| Time Spent: | Not Specified |
| Σ Original Estimate: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Sub-Tasks: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Release notes required: | Yes |
| Epic Link: | DevX Bucket |
| Sprint: | DevX 43 |
| Team: | |
| Work Started: | |
| Approved: | Yes |
| Description |
[ERROR] One or more dependencies were identified with vulnerabilities: [graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)
[ERROR] magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)

Not an actual vulnerability, see below why.

We don't actually use the affected classes in CVE-2023-2976, so this library was never vulnerable to CVE-2023-2976. However, in #3239 we received reports that security scanners have mistakenly flagged graphql-java as vulnerable because we do still include the Guava POM inside the META-INF directory of our jar.

https://github.com/graphql-java/graphql-java/pull/3243
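The false positive described above comes from how dependency scanners identify what a jar contains: they read every `META-INF/maven/<groupId>/<artifactId>/pom.xml` descriptor bundled in the archive and treat each one as evidence that that artifact is present. The following is an added example (not code from this ticket, from Magnolia or from the graphql-java project) that lists those bundled descriptors so a reviewer can see, before opening an upgrade ticket, which flagged coordinates are the jar's own and which belong to a shaded or leftover dependency. The sample jar is constructed in memory to mimic the layout the scanner output reports; the graphql-java groupId `com.graphql-java` is assumed from the project's published Maven coordinates, and the Guava version is a placeholder because the ticket does not state it.

```python
"""List Maven POM descriptors bundled inside a jar and separate the jar's own
descriptor from those of other libraries (the ones a scanner will attribute to
the jar). Added example, not project code; the sample jar is constructed."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Scanners key on this path layout when inferring third-party coordinates.
POM_ENTRY = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _text(root, tag):
    """Read a top-level POM element; POMs may or may not declare the namespace."""
    el = root.find(f"{POM_NS}{tag}")
    if el is None:
        el = root.find(tag)
    return el.text.strip() if el is not None and el.text else None


def bundled_poms(jar_bytes):
    """Return one dict per pom.xml found under META-INF/maven/ in the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_ENTRY.match(name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            found.append({
                "entry": name,
                "groupId": m.group(1),
                "artifactId": m.group(2),
                "version": _text(root, "version"),
            })
    return found


def foreign_poms(jar_bytes, own_group, own_artifact):
    """Descriptors whose coordinates differ from the jar's own. These are the
    bundled dependencies a scanner will report as present, whether or not
    any of their classes are actually shipped or used."""
    return [p for p in bundled_poms(jar_bytes)
            if (p["groupId"], p["artifactId"]) != (own_group, own_artifact)]


def _pom(group, artifact, version):
    """Minimal POM body for the constructed sample jar."""
    return (
        '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        "<modelVersion>4.0.0</modelVersion>"
        f"<groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
        f"<version>{version}</version></project>"
    )


def build_sample_jar():
    """Constructed jar resembling graphql-java-17.6.jar with Guava's POM
    left under META-INF, as the ticket's scanner output reports."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("graphql/GraphQL.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        # groupId assumed from graphql-java's published Maven coordinates.
        zf.writestr("META-INF/maven/com.graphql-java/graphql-java/pom.xml",
                    _pom("com.graphql-java", "graphql-java", "17.6"))
        # Guava version is a placeholder; the ticket does not state it.
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.xml",
                    _pom("com.google.guava", "guava", "GUAVA-VERSION-PLACEHOLDER"))
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for p in foreign_poms(jar, "com.graphql-java", "graphql-java"):
        print(f"bundled descriptor: {p['entry']} -> "
              f"{p['groupId']}:{p['artifactId']}:{p['version']}")
```

Run against a real jar by replacing `build_sample_jar()` with the file's bytes. A descriptor in the "foreign" list explains a scanner hit without proving exposure; confirming that the affected classes are absent or unused (as the graphql-java maintainers did for CVE-2023-2976) is the separate step that decides whether the finding is a false positive or an upgrade.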