google/dagger

Update Dagger guava dependency to address CVE-2023-2976

snijsure opened this issue · 2 comments

In my project I am using Dagger 2.48.1, which uses com.google.guava:guava:31.0.1-jre; that version has this CVE: CVE-2023-2976

GHSA-7g45-4rm6-3mm3

I could try to force the use of Guava 32.0, but I am wondering whether Dagger should be updated to take a dependency on the latest Guava?

+--- com.google.dagger:dagger-compiler:2.48.1
|    +--- com.google.dagger:dagger:2.48.1
|    |    \--- javax.inject:javax.inject:1
|    +--- com.google.dagger:dagger-producers:2.48.1
|    |    +--- com.google.dagger:dagger:2.48.1 (*)
|    |    +--- com.google.guava:failureaccess:1.0.1
|    |    +--- com.google.guava:guava:31.0.1-jre
|    |    |    +--- com.google.guava:failureaccess:1.0.1
|    |    |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |    |    +--- org.checkerframework:checker-qual:3.12.0
|    |    |    +--- com.google.errorprone:error_prone_annotations:2.7.1
|    |    |    \--- com.google.j2objc:j2objc-annotations:1.3
|    |    +--- javax.inject:javax.inject:1
|    |    \--- org.checkerframework:checker-compat-qual:2.5.5

Looks like if you update Dagger to 2.51 you'll get Guava 33.0:

+--- com.google.dagger:hilt-android-compiler:2.51
|    +--- com.google.dagger:dagger:2.51
|    |    \--- javax.inject:javax.inject:1
|    +--- com.google.dagger:dagger-compiler:2.51
|    |    +--- com.google.dagger:dagger:2.51 (*)
|    |    +--- com.google.dagger:dagger-spi:2.51
|    |    |    +--- com.google.dagger:dagger:2.51 (*)
|    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |    |    +--- com.google.devtools.ksp:symbol-processing-api:1.9.20-1.0.14 -> 1.9.22-1.0.17 (*)
|    |    |    +--- com.google.guava:failureaccess:1.0.2
|    |    |    +--- com.google.guava:guava:33.0.0-jre (*)
|    |    |    +--- com.squareup:javapoet:1.13.0
|    |    |    \--- javax.inject:javax.inject:1
|    |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |    +--- com.google.devtools.ksp:symbol-processing-api:1.9.20-1.0.14 -> 1.9.22-1.0.17 (*)
|    |    +--- com.google.googlejavaformat:google-java-format:1.5
|    |    |    +--- com.google.guava:guava:22.0 -> 33.0.0-jre (*)
|    |    |    \--- com.google.errorprone:javac-shaded:9-dev-r4023-3
|    |    +--- com.google.guava:failureaccess:1.0.2
|    |    +--- com.google.guava:guava:33.0.0-jre (*)
|    |    +--- com.squareup:javapoet:1.13.0
|    |    +--- com.squareup:kotlinpoet:1.11.0 -> 1.14.2 (*)
|    |    +--- javax.inject:javax.inject:1
|    |    +--- net.ltgt.gradle.incap:incap:0.2
|    |    +--- org.checkerframework:checker-compat-qual:2.5.5
|    |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.9.20 (*)
|    +--- com.google.dagger:dagger-spi:2.51 (*)
|    +--- com.google.code.findbugs:jsr305:3.0.2
|    +--- com.google.devtools.ksp:symbol-processing-api:1.9.20-1.0.14 -> 1.9.22-1.0.17 (*)
|    +--- com.google.guava:failureaccess:1.0.2
|    +--- com.google.guava:guava:33.0.0-jre (*)
|    +--- com.squareup:javapoet:1.13.0
|    +--- javax.inject:javax.inject:1
|    +--- net.ltgt.gradle.incap:incap:0.2
|    \--- org.jetbrains.kotlin:kotlin-stdlib:1.9.20 (*)
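The two dependency trees above are the evidence for both the report (Guava 31.0.1-jre under dagger-compiler 2.48.1) and the proposed fix (Guava 33.0.0-jre under Dagger 2.51). The check a practitioner wants is mechanical: parse `./gradlew dependencies` output, keep only `com.google.guava:guava`, take the version on the right of any `->` arrow (that is what Gradle's conflict resolution actually puts on the classpath, so the `22.0 -> 33.0.0-jre` line under google-java-format is not a finding), and compare it against 32.0.0, the first release the GHSA-7g45-4rm6-3mm3 advisory lists as patched. The script below is an added example, not code from the Dagger project or from either commenter; the tree excerpts embedded in it are constructed from the trees quoted in this thread, and the function and constant names are my own.

```python
import re

# First Guava release with the CVE-2023-2976 (GHSA-7g45-4rm6-3mm3) fix.
GUAVA_FIXED_VERSION = (32, 0, 0)

# Constructed excerpts of the two Gradle dependency trees quoted in this issue
# (not the full `./gradlew dependencies` output). Backslashes are escaped for Python.
TREE_DAGGER_2_48_1 = """\
+--- com.google.dagger:dagger-compiler:2.48.1
|    +--- com.google.dagger:dagger:2.48.1
|    |    \\--- javax.inject:javax.inject:1
|    +--- com.google.dagger:dagger-producers:2.48.1
|    |    +--- com.google.guava:failureaccess:1.0.1
|    |    +--- com.google.guava:guava:31.0.1-jre
|    |    |    \\--- com.google.guava:failureaccess:1.0.1
"""

TREE_DAGGER_2_51 = """\
+--- com.google.dagger:hilt-android-compiler:2.51
|    +--- com.google.dagger:dagger-compiler:2.51
|    |    +--- com.google.googlejavaformat:google-java-format:1.5
|    |    |    +--- com.google.guava:guava:22.0 -> 33.0.0-jre (*)
|    |    +--- com.google.guava:guava:33.0.0-jre (*)
"""

# One Gradle tree line: tree-drawing prefix, then group:artifact:requested,
# optionally " -> resolved" when conflict resolution picked a different version.
# Trailing markers such as "(*)" (subtree elided) are simply left unmatched.
_LINE = re.compile(
    r"^[|\s+\\-]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<requested>[^\s]+)"
    r"(?:\s+->\s+(?P<resolved>[^\s]+))?"
)


def parse_version(version: str) -> tuple:
    """Turn '31.0.1-jre' into (31, 0, 1); qualifiers such as -jre/-android are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def resolved_guava_versions(tree: str) -> set[str]:
    """Every version of com.google.guava:guava that Gradle actually resolved to."""
    versions = set()
    for line in tree.splitlines():
        match = _LINE.match(line)
        if not match:
            continue
        if (match["group"], match["artifact"]) != ("com.google.guava", "guava"):
            continue
        # The right-hand side of "->" is what ends up on the classpath.
        versions.add(match["resolved"] or match["requested"])
    return versions


def vulnerable_guava(tree: str) -> list[str]:
    """Resolved Guava versions that are still below the CVE-2023-2976 fix."""
    return sorted(
        v for v in resolved_guava_versions(tree)
        if parse_version(v) < GUAVA_FIXED_VERSION
    )


if __name__ == "__main__":
    for label, tree in (("dagger 2.48.1", TREE_DAGGER_2_48_1),
                        ("dagger 2.51", TREE_DAGGER_2_51)):
        bad = vulnerable_guava(tree)
        status = f"VULNERABLE: guava {', '.join(bad)}" if bad else "OK: guava >= 32.0.0"
        print(f"{label}: {status}")
```

Feed the same functions the full output of `./gradlew :app:dependencies` (or a specific `--configuration`) instead of the excerpts to check a real build. Note that both trees on this page are compiler / annotation-processor configurations, so the Guava being flagged sits on the build's processor path rather than in the shipped artifact; that changes the exposure (the build environment) but not the answer to the question asked here, which is whether a newer Dagger drops the vulnerable version.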

Thanks, we will update our Dagger version!