[jira] [Commented] (MINDEXER-126) Remove guava dependency from indexer-core

Hudson (Jira) Mon, 05 Apr 2021 03:29:06 -0700


    [ 
https://issues.apache.org/jira/browse/MINDEXER-126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314769#comment-17314769
 ]


Hudson commented on MINDEXER-126:
---------------------------------

Build unstable in Jenkins: Maven » Maven TLP » maven-indexer » master #36

See 
https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/master/36/

> Remove guava dependency from indexer-core
> -----------------------------------------
>
>                 Key: MINDEXER-126
>                 URL: https://issues.apache.org/jira/browse/MINDEXER-126
>             Project: Maven Indexer
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 6.0.1
>
>
> It suffers from multiple CVEs:
>  * guava < 24.1.1 is vulnerable to 
> [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j].
>  * guava < 30.0 is vulnerable to 
> [CVE-2020-8908|https://github.com/google/guava/issues/4011].
> Moving to guava 30.1 will require moving to Java 8 so it's actually simpler 
> to just remove the dependency altogether.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (MINDEXER-126) Remove guava dependency from indexer-core

Reply via email to