Hi,
We are using the google-api-services-compute.jar (v1-rev235-1.25.0) and google-cloud-monitoring jar (1.84.0) as dependencies for my project.
Recently we ran a security scan on my project, and the dependency-check tool reported the following vulnerabilities.
Is there any fix or workaround for the following vulnerabilities?
com.google.apis:google-api-services-compute:jar version - v1-rev235-1.25.0
**Transitive dependency :** google-oauth-client-1.25.0.jar
**NVD Id :** CVE-2020-7692 https://nvd.nist.gov/vuln/detail/CVE-2020-7692
**Transitive dependency :** guava-20.0.jar
**NVD Id :** CVE-2018-10237 https://nvd.nist.gov/vuln/detail/CVE-2018-10237
com.google.cloud:google-cloud-monitoring:jar version - 1.84.0
**Transitive dependency :** grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-buffer:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec-http2:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec-http:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec-socks:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-common:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-handler-proxy:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-resolver:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-transport-native-epoll:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-transport-native-unix-common:4.1.34.Final)
grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-transport:4.1.34.Final)
**NVD Id :** CVE-2019-16869 https://nvd.nist.gov/vuln/detail/CVE-2019-16869
CVE-2019-20444 https://nvd.nist.gov/vuln/detail/CVE-2019-20444
CVE-2019-20445 https://nvd.nist.gov/vuln/detail/CVE-2019-20445
CVE-2020-11612 https://nvd.nist.gov/vuln/detail/CVE-2020-11612
You need to update your dependencies.
The latest version of google-api-services-compute is v1-rev20200719-1.30.10. Alternatively, you can update google-api-client to 1.30.10 (which will update google-oauth-java-client to 1.31.0) or update google-oauth-client to 1.31.0.
For monitoring, 1.84.0 is from over a year ago. You can either update grpc yourself (1.31.1 is the latest) or update google-cloud-monitoring. 1.100.1 is the latest 1.x version and 2.0.1 (minor breaking change) is the latest 2.x version.
Alternatively, you can use the com.google.cloud:libraries-bom to version manage your dependencies.
```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>libraries-bom</artifactId>
      <version>9.1.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-monitoring</artifactId>
  </dependency>
</dependencies>
```
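As an added example (not code from the thread or from the Google client libraries), here is a complete `pom.xml` that combines the two remediation routes the reply describes: importing `libraries-bom` so that `google-cloud-monitoring` and its shaded gRPC/Netty transitive dependencies resolve to the versions the BOM ships together, and pinning `google-oauth-client` to 1.31.0 in `dependencyManagement`, which overrides the 1.25.0 that `google-api-services-compute` pulls in transitively. The `com.example` coordinates are placeholders; the only versions used are the ones named in the reply. It assumes that `libraries-bom` 9.1.0 also manages `com.google.guava:guava`, so guava is deliberately not pinned here and is left to the BOM.

```xml
<!-- Added example pom.xml; com.example coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>gcp-client-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- BOM import: google-cloud-monitoring and its gRPC/Netty transitive
           dependencies take the versions the BOM was tested with. -->
      <dependency>
        <groupId>com.google.cloud</groupId>
        <artifactId>libraries-bom</artifactId>
        <version>9.1.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Explicit entries here win over both the imported BOM and any
           version a transitive POM declares, so the 1.25.0 oauth client
           brought in by google-api-services-compute is replaced by 1.31.0,
           the version the reply names for CVE-2020-7692. -->
      <dependency>
        <groupId>com.google.oauth-client</groupId>
        <artifactId>google-oauth-client</artifactId>
        <version>1.31.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Compute client at the version the reply names. -->
    <dependency>
      <groupId>com.google.apis</groupId>
      <artifactId>google-api-services-compute</artifactId>
      <version>v1-rev20200719-1.30.10</version>
    </dependency>
    <!-- No version: it is supplied by the imported BOM above. -->
    <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>google-cloud-monitoring</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm what Maven actually resolves before re-running the scanner, since a pin that is shadowed by another `dependencyManagement` entry (for example in a parent POM) silently has no effect: `mvn dependency:tree -Dincludes=com.google.oauth-client,io.grpc,com.google.guava` prints only the matching artifacts with their resolved versions, and the report should then show 1.31.0 for the oauth client and the BOM-managed versions for gRPC and guava rather than the 1.25.0, 1.21.0 and 20.0 the original scan flagged.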