This is an automated email from the ASF dual-hosted git repository.

fanningpj pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-pekko-grpc.git


The following commit(s) were added to refs/heads/main by this push:
     new 9fad0376 use newer version of guava due to CVE (#173)
9fad0376 is described below

commit 9fad0376d7c48f18abe0974c8ee9ce48d03d19df
Author: PJ Fanning <[email protected]>
AuthorDate: Wed Sep 13 10:25:26 2023 +0100

    use newer version of guava due to CVE (#173)
    
    * use newer version of guava due to CVE
    
    Update build.gradle
    
    gradle setting
    
    guava as runtime dep
    
    Update Dependencies.scala
    
    gradle 7
    
    Update build.gradle
    
    Update link-validator.conf
    
    run gradle tests
    
    * rename build param
---
 gradle-plugin/build.gradle  |  1 +
 project/Dependencies.scala  | 31 ++++++++++++++++++++-----------
 scripts/link-validator.conf |  1 +
 3 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/gradle-plugin/build.gradle b/gradle-plugin/build.gradle
index 57e850c9..628af1b5 100644
--- a/gradle-plugin/build.gradle
+++ b/gradle-plugin/build.gradle
@@ -124,6 +124,7 @@ repositories {
 dependencies {
   implementation 'com.google.protobuf:protobuf-gradle-plugin:0.9.4'
   implementation 'commons-lang:commons-lang:2.6'
+  runtimeOnly 'com.google.guava:guava:32.1.2-android'
   testImplementation 'junit:junit:4.13.2'
   testImplementation 'org.spockframework:spock-core:2.3-groovy-3.0'
 }
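Review bot: The new `runtimeOnly 'com.google.guava:guava:32.1.2-android'` line carries no comment saying why a Gradle plugin that never names guava in its own code now declares it, so the next person to tidy this block will read it as an unused dependency and drop it. The commit message says it exists to override a transitive guava because of a CVE, which presumably comes via the protobuf plugin on the line above; put that in the build, e.g. `// pin guava above the version pulled in transitively; see #173 (CVE fix)`. Note also that this only works because Gradle's default conflict resolution takes the highest version, so it is a floor rather than a hard pin; if a strict pin is wanted, a `constraints { }` entry with a `because` string records both the version and the reason. The choice of the `-android` flavour over the `-jre` one for a JVM-only plugin is likewise unexplained and worth a word in that comment.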
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index d573388c..97169e7a 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -55,10 +55,15 @@ object Dependencies {
     val scalapbRuntime = ("com.thesamet.scalapb" %% "scalapb-runtime" % 
scalapb.compiler.Version.scalapbVersion)
       .exclude("io.grpc", "grpc-netty")
 
-    val grpcCore = "io.grpc" % "grpc-core" % Versions.grpc
-    val grpcStub = "io.grpc" % "grpc-stub" % Versions.grpc
-    val grpcNettyShaded = "io.grpc" % "grpc-netty-shaded" % Versions.grpc
-    val grpcProtobuf = "io.grpc" % "grpc-protobuf" % Versions.grpc
+    // we force the use of a newer version of guava due to CVEs
+    val grpcCore = ("io.grpc" % "grpc-core" % Versions.grpc)
+      .excludeAll("com.google.guava" % "guava")
+    val grpcProtobuf = ("io.grpc" % "grpc-protobuf" % Versions.grpc)
+      .excludeAll("com.google.guava" % "guava")
+    val grpcNettyShaded = ("io.grpc" % "grpc-netty-shaded" % Versions.grpc)
+      .excludeAll("com.google.guava" % "guava")
+    val grpcStub = ("io.grpc" % "grpc-stub" % Versions.grpc)
+      .excludeAll("com.google.guava" % "guava")
 
     // Excluding grpc-alts works around a complex resolution bug
     // Details are in https://github.com/akka/akka-grpc/pull/469
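Review bot: The four `.excludeAll("com.google.guava" % "guava")` calls on the new `grpcCore`/`grpcProtobuf`/`grpcNettyShaded`/`grpcStub` lines repeat the same rule, so a fifth grpc module added later can silently miss the exclusion; a small private helper in this object, `private def withoutGuava(m: ModuleID): ModuleID = m.excludeAll("com.google.guava" % "guava")`, applied to each definition keeps the policy in one place. The comment `// we force the use of a newer version of guava due to CVEs` should also say where the replacement comes from, e.g. `// guava is excluded here and supplied at runtime scope by Runtime.guavaAndroid (see #173)`, since a reader of this hunk cannot otherwise tell that anything puts guava back. One thing to confirm: with guava gone from the compile classpath of these artifacts and re-added only with `% "runtime"` later in this file, any module that compiles against a grpc API exposing guava types (grpc-stub's `ListenableFuture`-returning stubs, for instance) would now fail to compile; a full `compile` of the examples and plugin tester should be part of verifying this change. The enclosing object continues outside the hunk.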
@@ -76,15 +81,16 @@ object Dependencies {
 
   object Test {
     final val Test = sbt.Test
-    val scalaTest = "org.scalatest" %% "scalatest" % Versions.scalaTest % 
"test" // Apache V2
-    val scalaTestPlusJunit = "org.scalatestplus" %% "junit-4-13" % 
(Versions.scalaTest + ".0") % "test" // Apache V2
-    val pekkoDiscoveryConfig = "org.apache.pekko" %% "pekko-discovery" % 
Versions.pekko % "test"
-    val pekkoTestkit = "org.apache.pekko" %% "pekko-testkit" % Versions.pekko 
% "test"
-    val pekkoStreamTestkit = "org.apache.pekko" %% "pekko-stream-testkit" % 
Versions.pekko % "test"
+    val scalaTest = "org.scalatest" %% "scalatest" % Versions.scalaTest % Test 
// Apache V2
+    val scalaTestPlusJunit = "org.scalatestplus" %% "junit-4-13" % 
(Versions.scalaTest + ".0") % Test // Apache V2
+    val pekkoDiscoveryConfig = "org.apache.pekko" %% "pekko-discovery" % 
Versions.pekko % Test
+    val pekkoTestkit = "org.apache.pekko" %% "pekko-testkit" % Versions.pekko 
% Test
+    val pekkoStreamTestkit = "org.apache.pekko" %% "pekko-stream-testkit" % 
Versions.pekko % Test
   }
 
   object Runtime {
     val logback = "ch.qos.logback" % "logback-classic" % "1.2.11" % "runtime" 
// Eclipse 1.0
+    val guavaAndroid = "com.google.guava" % "guava" % "32.1.2-android" % 
"runtime"
   }
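Review bot: The version `"32.1.2-android"` on the new `guavaAndroid` line is a literal here and again in `gradle-plugin/build.gradle`, and every other version in this file goes through `Versions.*`; a `Versions.guava` entry would keep the sbt side single-sourced and give the Gradle side a documented value to mirror (the two builds cannot share the constant, so a comment in each pointing at the other is the practical cross-check). The new line also uses the string `% "runtime"` while this same commit moves the `Test` object to `% Test` and the aggregate sequences to `% Provided`; the string form survives here presumably because `object Runtime` shadows sbt's `Runtime` configuration. Mirroring the `final val Test = sbt.Test` trick from the `Test` object with `final val Runtime = sbt.Runtime` inside `object Runtime` would let this read `% Runtime` and keep the style consistent. The same literal is referenced unchanged by the additions at `@@ -102`, `@@ -109` and `@@ -149`.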
 
   object Protobuf {
@@ -102,6 +108,7 @@ object Dependencies {
     Compile.scalapbCompilerPlugin,
     Protobuf.protobufJava, // or else scalapb pulls older version in 
transitively
     Compile.grpcProtobuf,
+    Runtime.guavaAndroid, // forces a newer version than grpc-protobuf 
defaults too
     Test.scalaTest)
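Review bot: The comment on the new `Runtime.guavaAndroid` line, `// forces a newer version than grpc-protobuf defaults too`, describes the pre-exclusion situation: once `grpcProtobuf` carries `.excludeAll("com.google.guava" % "guava")` (earlier hunk in this file) there is no transitive guava from it to out-rank, so this entry is the only guava on the classpath rather than a version override. A comment that states that directly, e.g. `// only guava on the classpath: excluded from the grpc artifacts above, supplied here at runtime scope`, would stop a later reader from assuming the exclusion is redundant and removing one half of the pair. The same wording appears on the addition at `@@ -109` (`forces a newer version than grpc-core/grpc-protobuf default too`) and should be updated there as well. The sequence this hunk edits starts before the hunk.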
 
   val runtime = l ++= Seq(
@@ -109,14 +116,15 @@ object Dependencies {
     Protobuf.protobufJava, // or else scalapb pulls older version in 
transitively
     Compile.grpcProtobuf,
     Compile.grpcCore,
-    Compile.grpcStub % "provided", // comes from the generators
+    Compile.grpcStub % Provided, // comes from the generators
     Compile.grpcNettyShaded,
+    Runtime.guavaAndroid, // forces a newer version than 
grpc-core/grpc-protobuf default too
     Compile.pekkoStream,
     Compile.pekkoHttpCore,
     Compile.pekkoHttp,
     Compile.pekkoDiscovery,
     Compile.pekkoHttpCors,
-    Compile.pekkoHttp % "provided",
+    Compile.pekkoHttp % Provided,
     Test.pekkoTestkit,
     Test.pekkoStreamTestkit,
     Test.scalaTest,
@@ -149,6 +157,7 @@ object Dependencies {
   val pluginTester = l ++= Seq(
     // usually automatically added by `suggestedDependencies`, which doesn't 
work with ReflectiveCodeGen
     Compile.grpcStub,
+    Runtime.guavaAndroid,
     Compile.pekkoHttpCors,
     Compile.pekkoHttp,
     Test.scalaTest,
diff --git a/scripts/link-validator.conf b/scripts/link-validator.conf
index 1bf9c382..728b24e4 100644
--- a/scripts/link-validator.conf
+++ b/scripts/link-validator.conf
@@ -36,6 +36,7 @@ site-link-validator {
     # license report
     "http://aopalliance.sourceforge.net";,
     "http://asm.ow2.io/";,
+    "http://checkerframework.org";,
     "http://code.google.com/p/";,
     "http://commons.apache.org/proper/";,
     "http://findbugs.sourceforge.net/";,


