author | Lázaro Clapp <lazaro@uber.com> | 2021-12-29 12:56:14 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-29 12:56:14 -0500 |
commit | 65410d1254a52a270151894a2e922c71633e6ddd (patch) | |
tree | c2d690ffbbaa1aa536d3810214a36d7371abacf2 | |
parent | 51277f4510e462b2d5377648fc2c885a3a44f753 (diff) | |
download | nullaway-65410d1254a52a270151894a2e922c71633e6ddd.tar.gz |
Bump Guava dependency to 24.1.1 (#536)
This is needed, as previous versions of Guava are subject to
CVE-2018-10237.
Note that the vulnerability occurs when deserializing untrusted data.
As such, it is hard to imagine a case where NullAway would be directly
exploitable, but we still shouldn't be asking build systems to
resolve a known-vulnerable version of the library.
Also, I'd love to bump Guava to a more modern version, but internally
we still need to be able to work with Guava 24.1.1, so setting that
as the minimum version seems the safest course of action right now.
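The commit message above treats Guava 24.1.1 as a floor rather than a pin. In Gradle that intent can be stated directly as a dependency constraint, so that any lower Guava version pulled in transitively is raised instead of silently winning conflict resolution. The following is an added example, not part of the NullAway commit or its build files; it assumes a build that applies the `java` plugin, and the configuration name and `because` text are illustrative:

```groovy
// Added example, not NullAway's own build code. Declares 24.1.1-jre as the
// minimum Guava version for everything resolved on the implementation
// classpath (assumes the 'java' plugin, so 'implementation' exists).
dependencies {
    constraints {
        implementation('com.google.guava:guava') {
            version {
                // 'require' is a lower bound: Gradle may select a higher
                // Guava if another dependency asks for one, but never lower.
                require '24.1.1-jre'
            }
            // Recorded in the resolution report, so the reason survives
            // future version bumps and is visible to whoever touches it.
            because 'CVE-2018-10237 affects Guava releases before 24.1.1'
        }
    }
}
```

`./gradlew dependencyInsight --dependency guava --configuration compileClasspath` shows which Guava version was selected, the constraint that forced it, and the `because` text, which is the quickest way to confirm the floor is actually in effect for a given classpath.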
-rwxr-xr-x | gradle/dependencies.gradle | 2 |
1 file changed, 1 insertion, 1 deletion
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle index 3c68f08..5c5fd24 100755 --- a/gradle/dependencies.gradle +++ b/gradle/dependencies.gradle @@ -62,7 +62,7 @@ def build = [ errorProneJavac : "com.google.errorprone:javac:9+181-r4173-1", errorProneTestHelpers : "com.google.errorprone:error_prone_test_helpers:${versions.errorProneApi}", checkerDataflow : "org.checkerframework:dataflow-nullaway:${versions.checkerFramework}", - guava : "com.google.guava:guava:22.0", + guava : "com.google.guava:guava:24.1.1-jre", javaxValidation : "javax.validation:validation-api:2.0.1.Final", jsr305Annotations : "com.google.code.findbugs:jsr305:3.0.2", commonsIO : "commons-io:commons-io:2.4", |
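Review bot: the commit message calls 24.1.1 "the minimum version", but the hunk only swaps one pinned string in the `build` map (`guava : "com.google.guava:guava:24.1.1-jre"`); nothing in `dependencies.gradle` records why this entry must not go back below 24.1.1, so a later routine version edit could reintroduce the vulnerable range unnoticed. Suggest a short comment directly above the entry naming CVE-2018-10237 as the reason for the floor, and, since the title and message say 24.1.1 while the coordinate is `24.1.1-jre`, spelling out in that comment that the `-jre` flavor is the intended one.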