
CVE-2023-2976 reported for the component "com.google.guava:guava" in "build-info-extractor-maven3-2.40.0-uber.jar" file #2190

Closed
palaksahu1 opened this issue Sep 6, 2023 · 3 comments · Fixed by jfrog/build-info-go#192
Assignees
Labels
bug Something isn't working

Comments

@palaksahu1

Describe the bug

CVE-2023-2976 is reported for the component "com.google.guava:guava" used in the "build-info-extractor-maven3-2.40.0-uber.jar" file, which needs to be fixed.

Current behavior

CVE-2023-2976 is reported for the component "com.google.guava:guava" used in the "build-info-extractor-maven3-2.40.0-uber.jar" file, which needs to be fixed.

Reproduction steps

  1. Download the package build-info-extractor-maven3-2.40.0-uber.jar provided by JFrog and scan it with the help of Xray.

  2. Xray will report CVE-2023-2976 for the component "com.google.guava:guava" used in the "build-info-extractor-maven3-2.40.0-uber.jar" file, which needs to be fixed, as shown below:

Expected behavior

"build-info-extractor-maven3-2.40.0-uber.jar" should not be vulnerable. If the above CVE gets fixed, there will be no violations.

JFrog CLI version

2.46.2

Operating system type and version

RHEL 8

JFrog Artifactory version

latest

JFrog Xray version

latest

@palaksahu1 palaksahu1 added the bug Something isn't working label Sep 6, 2023
@yahavi
Member

yahavi commented Sep 7, 2023

Thanks for reporting this issue @palaksahu1.
We created jfrog/build-info-go#192 to include jfrog/build-info#754 that should update Guava to 32.0.1-jre.

@yahavi yahavi self-assigned this Sep 7, 2023
@yahavi yahavi linked a pull request Sep 7, 2023 that will close this issue
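As an added example (not JFrog's code), the check below reads the Guava version shaded into an uber jar from `META-INF/maven/com.google.guava/guava/pom.properties`, the path Maven uses for bundled artifacts, and flags the jar when that version is older than the 32.0.1-jre the maintainers upgraded to. The jars it inspects are constructed in memory so it runs offline, and the `31.1-jre` sample value is made up for the demonstration.

```python
"""Report whether an uber jar bundles a Guava older than the fixed version.

Added example, not JFrog's code. The jars below are constructed in memory;
to check a real artifact, pass open(path, "rb").read() instead."""
import io
import re
import zipfile

# Maven records each shaded artifact's coordinates at this path inside the jar.
GUAVA_POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"
FIXED_GUAVA = "32.0.1-jre"  # version named in the maintainers' reply


def guava_version_in_jar(jar_bytes: bytes):
    """Return the shaded Guava version string, or None if Guava is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if GUAVA_POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(GUAVA_POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def version_key(version: str):
    """Numeric tuple for comparison; the -jre/-android classifier is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def guava_needs_upgrade(jar_bytes: bytes, fixed: str = FIXED_GUAVA) -> bool:
    """True when the jar bundles a Guava older than the fixed version."""
    found = guava_version_in_jar(jar_bytes)
    if found is None:
        return False  # nothing shaded, nothing to upgrade
    return version_key(found) < version_key(fixed)


def make_uber_jar(guava_version: str) -> bytes:
    """Constructed minimal uber jar carrying only Guava's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(GUAVA_POM_PROPS, "groupId=com.google.guava\n"
                     f"artifactId=guava\nversion={guava_version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("31.1-jre", FIXED_GUAVA):  # 31.1-jre is a constructed sample
        print(v, "needs upgrade:", guava_needs_upgrade(make_uber_jar(v)))
```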
@yahavi
Member

yahavi commented Sep 12, 2023

@palaksahu1
JFrog CLI 2.46.3 has been released.
This version includes the upgrade of the Guava dependency.
We'd appreciate your feedback on that.

@palaksahu1
Author

Thank you @yahavi for the fix.

@yahavi yahavi closed this as completed May 16, 2024