[ 
https://issues.apache.org/jira/browse/IGNITE-27872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059001#comment-18059001
 ] 

Kirill Anisimov edited comment on IGNITE-27872 at 2/24/26 5:09 AM:
-------------------------------------------------------------------

 * Normalized Guava / SLF4J versions via parent properties and ignite-bom.
 * Added {{failureaccess.version}} property and ensured it is controlled from BOM.
 * Removed explicit {{<version>}} for {{{}com.google.guava:guava{}}}, {{{}com.google.guava:failureaccess{}}}, {{org.slf4j:slf4j-api}} from modules where possible, relying on BOM/parent.

*The reason:* To avoid multiple versions in the dependency tree, which trigger false-positive CVE reports and complicate dependency upgrades.


was (Author: JIRAUSER310920):
h1. Before:
h3. Guava:
 * {{ignite-core:}}

{code:java}
org.apache.ignite:ignite-core:jar:2.18.0-SNAPSHOT
\- com.google.guava:guava:jar:32.1.2-jre:test{code}
 * {{ignite-zookeeper:}}

{code:java}
org.apache.ignite:ignite-zookeeper:jar:2.18.0-SNAPSHOT
\- org.apache.curator:curator-test:jar:5.3.0:test
   \- com.google.guava:guava:jar:27.0.1-jre:test{code}
h3. SLF4J:
 * {{ignite-core:}}

{code:java}
org.apache.ignite:ignite-core:jar:2.18.0-SNAPSHOT
\- org.eclipse.jetty:jetty-servlets:jar:11.0.24:test
   \- org.slf4j:slf4j-api:jar:2.0.9:test{code}
 * {{ignite-zookeeper:}}

{code:java}
org.apache.ignite:ignite-zookeeper:jar:2.18.0-SNAPSHOT
\- org.slf4j:slf4j-api:jar:1.7.36:compile{code}
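The trees above show the symptom the comment is fixing: the same artifact resolved at two versions across modules. As an added check (not part of the Ignite project or this ticket), the shell function below scans {{mvn dependency:tree}} text and reports every groupId:artifactId that appears with more than one distinct version, so a build can fail or warn before a scanner flags the older copy. The sample tree is constructed from the fragments quoted in the comment; the parsing assumes the standard Maven tree line format (`group:artifact:type[:classifier]:version[:scope]` behind the tree-drawing prefix), with or without the `[INFO] ` prefix.

```shell
#!/bin/sh
# Constructed sample, modeled on the trees quoted in the comment (not real build output).
SAMPLE_TREE='org.apache.ignite:ignite-core:jar:2.18.0-SNAPSHOT
\- com.google.guava:guava:jar:32.1.2-jre:test
org.apache.ignite:ignite-zookeeper:jar:2.18.0-SNAPSHOT
+- org.apache.curator:curator-test:jar:5.3.0:test
|  \- com.google.guava:guava:jar:27.0.1-jre:test
\- org.slf4j:slf4j-api:jar:1.7.36:compile
org.apache.ignite:ignite-core:jar:2.18.0-SNAPSHOT
\- org.eclipse.jetty:jetty-servlets:jar:11.0.24:test
   \- org.slf4j:slf4j-api:jar:2.0.9:test'

# Reads dependency:tree text on stdin and prints one line per artifact that
# appears with more than one distinct version:
#   groupId:artifactId version1 version2 ...
# Versions are listed in the order they were first seen.
find_version_conflicts() {
  # Drop the Maven log prefix and the tree-drawing characters (|, +, -, \, spaces),
  # leaving only the Maven coordinates.
  sed -e 's/^\[INFO\] //' -e 's/^[- |+\\]*//' |
  awk -F: '
    NF >= 4 {
      ga  = $1 ":" $2                  # groupId:artifactId
      ver = (NF == 6) ? $5 : $4        # 6 fields means a classifier is present
      if (!((ga, ver) in seen)) {
        seen[ga, ver] = 1
        versions[ga] = versions[ga] " " ver
        count[ga]++
      }
    }
    END {
      for (ga in count)
        if (count[ga] > 1) print ga versions[ga]
    }
  ' | sort
}

# Run against the constructed sample. On a real checkout, pipe the actual tree in:
#   mvn -q dependency:tree | find_version_conflicts
printf '%s\n' "$SAMPLE_TREE" | find_version_conflicts
```

An empty result means every artifact resolves to a single version, which is the state the BOM/parent-property change aims for; a non-empty result names exactly the coordinates whose explicit `<version>` still needs to be removed or aligned.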

> Normalize Guava/SLF4J versions to reduce CVE false positives
> ------------------------------------------------------------
>
>                 Key: IGNITE-27872
>                 URL: https://issues.apache.org/jira/browse/IGNITE-27872
>             Project: Ignite
>          Issue Type: Sub-task
>          Components: general
>    Affects Versions: 2.17, 2.18
>            Reporter: Kirill Anisimov
>            Assignee: Kirill Anisimov
>            Priority: Major
>              Labels: cve, dependencies, ignite-2
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> There are different versions of Guava and SLF4J in the dependency tree, which 
> can give false positives in CVE reports and complicate updates.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)