Google-cloud-java: Vulnerabilities in google-api-services-compute and google-cloud-monitoring jar.

Created on 14 Aug 2020  ·  2 Comments  ·  Source: googleapis/google-cloud-java

Hi,
We are using google-api-services-compute.jar (v1-rev235-1.25.0) and the google-cloud-monitoring jar (1.84.0) as dependencies in my project.
Recently we ran a security scan on my project, and the tool dependency check reported the following vulnerabilities.

Is there any fix or workaround for the following vulnerabilities?

  1. com.google.apis:google-api-services-compute:jar version - v1-rev235-1.25.0

       **Transitive dependency :** google-oauth-client-1.25.0.jar
       **NVD Id  :** CVE-2020-7692  https://nvd.nist.gov/vuln/detail/CVE-2020-7692
    
       **Transitive dependency :** guava-20.0.jar 
       **NVD Id :** CVE-2018-10237  https://nvd.nist.gov/vuln/detail/CVE-2018-10237
    
  2. com.google.cloud:google-cloud-monitoring:jar Version - 1.84.0

       **Transitive dependency  :** grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-buffer:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec-http2:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec-http:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec-socks:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-codec:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-common:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-handler-proxy:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-resolver:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-transport-native-epoll:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-transport-native-unix-common:4.1.34.Final)
                                    grpc-netty-shaded-1.21.0.jar (shaded: io.netty:netty-transport:4.1.34.Final)
    
       **NVD Id :** CVE-2019-16869 https://nvd.nist.gov/vuln/detail/CVE-2019-16869
                    CVE-2019-20444 https://nvd.nist.gov/vuln/detail/CVE-2019-20444
                    CVE-2019-20445  https://nvd.nist.gov/vuln/detail/CVE-2019-20445
                    CVE-2020-11612  https://nvd.nist.gov/vuln/detail/CVE-2020-11612
    

All 2 comments

You need to update your dependencies.

The latest version of google-api-services-compute is v1-rev20200719-1.30.10. Alternatively, you can update google-api-client to 1.30.10 (which will update google-oauth-java-client to 1.31.0) or update google-oauth-client to 1.31.0.

For monitoring, 1.84.0 is from over a year ago. You can either update grpc yourself (1.31.1 is the latest) or update google-cloud-monitoring. 1.100.1 is the latest 1.x version and 2.0.1 (minor breaking change) is the latest 2.x version.

Alternatively, you can use the com.google.cloud:libraries-bom to manage your dependency versions.

```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>libraries-bom</artifactId>
      <version>9.1.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-monitoring</artifactId>
  </dependency>
</dependencies>
```
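As an added example (not part of the reply above or of the google-cloud-java project), the following script checks the resolved artifact versions in `mvn dependency:tree` output against the versions the reply names; the minimum-version table is a constructed policy derived from those numbers, not an authoritative list of CVE fix versions, and the sample tree output is constructed to mirror the chain reported in the issue.

```python
import re

# Policy table built from the versions the reply names (assumption: treat them
# as minimums). Not authoritative CVE fix versions; adjust to your own policy.
MIN_VERSIONS = {
    "com.google.oauth-client:google-oauth-client": "1.31.0",
    "io.grpc:grpc-netty-shaded": "1.31.1",
    "com.google.cloud:google-cloud-monitoring": "1.100.1",
}

# One line of `mvn dependency:tree` output: "[INFO]", tree glyphs, then
# groupId:artifactId:type[:classifier]:version:scope
TREE_LINE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)

def version_key(version):
    """Turn '1.100.1' into (1, 100, 1) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def parse_tree(text):
    """Yield (group:artifact, version) for every dependency line."""
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if m:
            yield f"{m['group']}:{m['artifact']}", m["version"]

def find_outdated(text, minimums=MIN_VERSIONS):
    """Return {coordinate: (resolved, minimum)} for artifacts below policy."""
    outdated = {}
    for coord, version in parse_tree(text):
        minimum = minimums.get(coord)
        if minimum and version_key(version) < version_key(minimum):
            outdated[coord] = (version, minimum)
    return outdated

# Constructed sample output mirroring the dependency chain reported above.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.google.apis:google-api-services-compute:jar:v1-rev235-1.25.0:compile
[INFO] |  \\- com.google.oauth-client:google-oauth-client:jar:1.25.0:compile
[INFO] \\- com.google.cloud:google-cloud-monitoring:jar:1.84.0:compile
[INFO]    \\- io.grpc:grpc-netty-shaded:jar:1.21.0:compile
"""

if __name__ == "__main__":
    for coord, (found, wanted) in find_outdated(SAMPLE_TREE).items():
        print(f"{coord}: resolved {found}, want >= {wanted}")
```

Run it against `mvn dependency:tree | tee tree.txt` output after applying the BOM to confirm nothing in the policy table is still resolved below the expected version.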