[
https://issues.apache.org/jira/browse/FLINK-28891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605425#comment-17605425
]
Bilna commented on FLINK-28891:
-------------------------------
[~martijnvisser] I would love to contribute. But currently I am occupied with
the sprint cycle.
> Upgrade google-cloud-libraries-bom version to 25.0.0
> ----------------------------------------------------
>
> Key: FLINK-28891
> URL: https://issues.apache.org/jira/browse/FLINK-28891
> Project: Flink
> Issue Type: Technical Debt
> Reporter: Bilna
> Priority: Major
>
> *CVE-2022-25647*
> In flink-connector-gcp-pubsub, the google-cloud-pubsub version is pulled from
> google-cloud-bom (loaded via the libraries-bom) and libraries-bom version in
> 1.13.6 is 8.1.0. The google-cloud-pubsub version pulled through this is
> 1.108.0
> https://mvnrepository.com/artifact/com.google.cloud/libraries-bom/8.1.0
>
> The dependency google-cloud-pubsub:1.108.0 has
> com.google.code.gson:gson:jar:2.8.6, which is vulnerable
> https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.108.0/jar
>
> From google-cloud-pubsub:1.116.0 onwards the gson version is 2.9.0.
> https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.116.0/jar
>
> So in order to resolve the vulnerability, google-cloud-libraries-bom version
> needs to be upgraded to 25.0.0 or higher.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
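As an added illustration (not taken from the issue or from the Flink project's own pom), the Maven dependencyManagement change the quoted description asks for, with the weak BOM version noted beside the corrected one, and the dependency:tree check a maintainer would run afterwards. It assumes a plain Maven module that imports libraries-bom and declares google-cloud-pubsub without an explicit version.

```xml
<!-- Constructed pom.xml fragment. With libraries-bom 8.1.0 the BOM resolves
     google-cloud-pubsub 1.108.0, which carries gson 2.8.6 (CVE-2022-25647).
     Bumping the imported BOM moves every managed Google artifact together. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>libraries-bom</artifactId>
      <version>25.0.0</version> <!-- was 8.1.0 -->
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- No version here on purpose: the imported BOM pins google-cloud-pubsub,
       and the issue states that 1.116.0 onwards ships gson 2.9.0. -->
  <dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-pubsub</artifactId>
  </dependency>
</dependencies>

<!-- Verify the resolved gson after the bump, from the connector module:
       mvn dependency:tree -Dincludes=com.google.code.gson:gson
     Expect a single gson entry at 2.9.0 or newer. If an older gson still
     appears, another dependency path or a dependencyManagement entry elsewhere
     in the build is overriding the BOM and must be fixed as well. -->
```

The tree check matters because a BOM only manages versions it knows about; a direct gson pin or a second BOM imported earlier in dependencyManagement wins over this import.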