[BUILD-1088] Update to graphql-java 18.6 Created: 08/Jun/23  Updated: 23/Oct/23  Resolved: 09/Aug/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: BOM 6.2.34
Fix Version/s: BOM 6.2.38

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Dai Ha
Resolution: Fixed Votes: 0
Labels: security
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
Issue split
split to MGNLGQL-148 Implementation updates after graphql ... Closed
Sub-Tasks:
Key         Summary     Type      Status     Assignee
BUILD-1121  Implement   Sub-task  Completed  Federico Grilli
BUILD-1122  Review      Sub-task  Completed  Milan Divilek
BUILD-1123  piQA        Sub-task  Completed  Milan Divilek
BUILD-1124  QA          Sub-task  Completed  Oanh Thai Hoang
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Release notes required:
Yes
Epic Link: DevX Bucket
Sprint: DevX 43
Team: DeveloperX
Work Started:
Approved:
Yes

Description

[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR] graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)
[ERROR] magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: graphql-java-17.6.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(6.2)

Not an actual vulnerability; see below for why.

We don't actually use the affected classes in CVE-2023-2976, so this library was never vulnerable to CVE-2023-2976. However, in #3239 we received reports that security scanners have mistakenly flagged graphql-java as vulnerable because we do still include the Guava POM inside the META-INF directory of our jar.

Source: https://github.com/graphql-java/graphql-java/pull/3243
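A triage check for this class of finding, added here as an example; it is not code from this ticket, from Magnolia or from graphql-java. The scanner output above keys off the Maven coordinates in a pom.xml bundled under META-INF/maven/ inside the jar, not off the classes the jar actually ships, which is why a relocated subset of Guava still trips the CVE match. The script lists every embedded POM's coordinates (handling groupId/version inherited from a parent POM, as Guava's pom does) and separately checks whether the class named in CVE-2023-2976, com.google.common.io.FileBackedOutputStream, is present either at its original path or relocated by shading. The sample jar it builds is a constructed stand-in: its Guava version, the placeholder class bytes and the relocated package path are made up for the example and are not the real contents of graphql-java 17.6.

```python
"""Triage a 'vulnerable dependency' finding that keys off bundled Maven
metadata: list the pom.xml files embedded under META-INF/maven/ and, separately,
check whether the class named in the CVE is actually shipped in the jar."""
import io
import zipfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Class named in CVE-2023-2976 (Guava FileBackedOutputStream temp-file issue).
CVE_2023_2976_CLASS = "com.google.common.io.FileBackedOutputStream"


def _pom_field(root, tag):
    """Read <tag> from a POM, falling back to <parent><tag>: Maven lets a
    module inherit groupId and version from its parent (Guava's pom does)."""
    el = root.find(POM_NS + tag)
    if el is None or not (el.text or "").strip():
        el = root.find(f"{POM_NS}parent/{POM_NS}{tag}")
    return (el.text or "").strip() if el is not None else ""


def embedded_pom_coordinates(jar_bytes):
    """Sorted [(groupId, artifactId, version)] for every pom.xml bundled
    under META-INF/maven/ in the jar. This is what a metadata-based scanner
    sees, whether or not the matching classes are present."""
    coords = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                root = ET.fromstring(jar.read(name))
                coords.add(tuple(_pom_field(root, t)
                                 for t in ("groupId", "artifactId", "version")))
    return sorted(coords)


def ships_class(jar_bytes, class_name):
    """True if a .class entry for the dotted class name exists in the jar,
    either at its original path or relocated under some prefix (shading)."""
    suffix = class_name.replace(".", "/") + ".class"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(n == suffix or n.endswith("/" + suffix) for n in jar.namelist())


def triage(jar_bytes, group_id, artifact_id, cve_class):
    """The two facts a reviewer needs: which embedded POM matched the flagged
    artifact, and whether the vulnerable class is really in the jar."""
    matches = [c for c in embedded_pom_coordinates(jar_bytes)
               if c[0] == group_id and c[1] == artifact_id]
    return {"embedded_pom": matches,
            "ships_vulnerable_class": ships_class(jar_bytes, cve_class)}


def build_sample_jar(include_guava_pom=True):
    """Constructed stand-in for a graphql-java style jar (not the real
    artifact): its own POM, one relocated Guava class with placeholder bytes,
    and optionally the bundled Guava POM that triggers the scanner match.
    The Guava version below is made up for the example."""
    own_pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
               '<modelVersion>4.0.0</modelVersion><groupId>com.graphql-java</groupId>'
               '<artifactId>graphql-java</artifactId><version>17.6</version></project>')
    guava_pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
                 '<modelVersion>4.0.0</modelVersion>'
                 '<parent><groupId>com.google.guava</groupId>'
                 '<artifactId>guava-parent</artifactId><version>31.1-jre</version></parent>'
                 '<artifactId>guava</artifactId></project>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.graphql-java/graphql-java/pom.xml", own_pom)
        jar.writestr("graphql/com/google/common/collect/ImmutableList.class",
                     b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        if include_guava_pom:
            jar.writestr("META-INF/maven/com.google.guava/guava/pom.xml", guava_pom)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("before fix", build_sample_jar(True)),
                       ("after fix", build_sample_jar(False))):
        print(label, triage(jar, "com.google.guava", "guava", CVE_2023_2976_CLASS))
```

Run against a real artifact by passing the bytes of the downloaded jar (or of a jar extracted from the .war) to triage(); an "embedded_pom" hit with "ships_vulnerable_class" False is the false-positive pattern the ticket describes, and after the upgrade the Guava entry should disappear from embedded_pom_coordinates() entirely.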


Generated at Sun Feb 11 23:48:02 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.