Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade com.google.protobuf:protobuf-java from 3.19.6 to 3.25.5 #9547

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Security upgrade com.google.protobuf:protobuf-java from 3.19.6 to 3.25.5 #9547

wants to merge 1 commit into from
+1 −1

Conversation

mo-auto
Copy link
Member

@mo-auto mo-auto commented Sep 20, 2024

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • jans-orm/sql/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity Stack-based Buffer Overflow
SNYK-JAVA-COMGOOGLEPROTOBUF-8055227		   721   com.google.protobuf:protobuf-java:
3.19.6 -> 3.25.5
No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@dryrunsecurity DryRunSecurity
Copy link

DryRun Security Summary

The provided code change updates the com.google.protobuf:protobuf-java dependency version from 3.19.6 to 3.25.5 in the jans-orm-sql module's pom.xml file, which is a routine update to keep dependencies up-to-date and address any potential security issues that may have been discovered and fixed in newer versions.

Expand for full summary

Summary:

The provided code change is an update to the pom.xml file in the jans-orm-sql module of the project. The key change is the update of the com.google.protobuf:protobuf-java dependency version from 3.19.6 to 3.25.5. From an application security perspective, this change is not directly related to any known security vulnerabilities. However, it's always a good practice to keep dependencies up-to-date to ensure that any security issues that have been discovered and fixed in newer versions are addressed. While there are no known security vulnerabilities in the com.google.protobuf:protobuf-java library, keeping it up-to-date is important to ensure that any potential issues are addressed. Overall, this code change appears to be a routine update to a dependency and does not raise any immediate security concerns.

Files Changed:

  • jans-orm/sql/pom.xml: The key change in this file is the update of the com.google.protobuf:protobuf-java dependency version from 3.19.6 to 3.25.5. This update is not directly related to any known security vulnerabilities, but it's a good practice to keep dependencies up-to-date to ensure that any security issues that have been discovered and fixed in newer versions are addressed.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@mo-auto mo-auto added comp-jans-orm Component affected by issue or PR kind-dependencies Pull requests that update a dependency file labels Sep 20, 2024
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Sep 20, 2024

Quality Gate Passed Quality Gate passed for 'orm'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yurem yurem Awaiting requested review from yurem yurem is a code owner

@yuriyz yuriyz Awaiting requested review from yuriyz yuriyz is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
comp-jans-orm Component affected by issue or PR kind-dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mo-auto @snyk-bot