google/dagger

Transitive vulnerability from symbol-processing-api

Closed this issue · 1 comment

Hi. We are considering introducing Dagger 2 in our Java project. However, we are concerned that our plugin found a vulnerability associated with the dagger-compiler dependency.

        <properties>
            <dagger.ver>2.51.1</dagger.ver>
        </properties>
        <!-- ... -->
        <dependencies>
            <dependency>
                <groupId>com.google.dagger</groupId>
                <artifactId>dagger</artifactId>
                <version>${dagger.ver}</version>
            </dependency>

            <!-- annotation processor: compile-time only (provided scope), not packaged at runtime -->
            <dependency>
                <groupId>com.google.dagger</groupId>
                <artifactId>dagger-compiler</artifactId>
                <version>${dagger.ver}</version>
                <scope>provided</scope>
            </dependency>
        </dependencies>

[image attachment]

The vulnerability comes from the symbol-processing-api-1.9.20-1.0.14 artifact. It has more recent versions.

  1. Are those versions free of the aforementioned vulnerability?
  2. If so, are there any plans to update the version of that dependency so that we can safely integrate Dagger in our application?

It was also submitted through the bughunters.google.com website (though I believe it is supposed to get reports on new vulnerabilities).

Thank you

Hey - I think you are misunderstanding the vulnerability report: it identified two possible libraries corresponding to the symbol-processing-api-1.9.29-1.0.14.jar file. One is the KSP one and the other one is some library that indeed has a vulnerability. Dagger depends on KSP, not on the other. Also notice how the CVE is for that 'other' library and not KSP.
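A way to confirm the reply's point from your own build, as an added example that is not part of this issue thread or the Dagger project: a scanner that matches on the jar filename only sees `symbol-processing-api-1.9.20-1.0.14.jar`, which is why it can offer two candidate libraries, while the Maven coordinates from `mvn dependency:tree` include the groupId (`com.google.devtools.ksp`) and the scope, which disambiguate the artifact. The `dependency:tree` output embedded in the script is a constructed sample in the format Maven prints (the dagger, dagger-compiler and symbol-processing-api coordinates follow the issue; `com.example:demo` is a placeholder project), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the Dagger project's or the issue author's code).
# Resolve the full Maven coordinates of an artifact that a scanner flagged by
# filename, and build the Central URL of its published checksum so the jar on
# disk can be verified against what was actually published.

# Constructed sample of `mvn dependency:tree` output, trimmed to the lines that
# matter here; the real tree for a project will contain more nodes.
SAMPLE_TREE='[INFO] --- dependency:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.google.dagger:dagger:jar:2.51.1:compile
[INFO] |  \- javax.inject:javax.inject:jar:1:compile
[INFO] \- com.google.dagger:dagger-compiler:jar:2.51.1:provided
[INFO]    \- com.google.devtools.ksp:symbol-processing-api:jar:1.9.20-1.0.14:provided'

# resolve_coords TREE ARTIFACT_ID
# Prints groupId:artifactId:version:scope for every tree node whose artifactId
# matches exactly. The tree-drawing prefix ("+- ", "|  \- ") is skipped by
# consuming everything up to the first lowercase letter after "[INFO]"; the
# root node has no scope and is therefore not matched.
resolve_coords() {
    tree="$1"
    artifact="$2"
    printf '%s\n' "$tree" |
      sed -n 's/^\[INFO\][^a-z]*\([a-z][^ :]*\):\([^:]*\):jar:\([^:]*\):\([a-z]*\).*$/\1:\2:\3:\4/p' |
      awk -F: -v a="$artifact" '$2 == a'
}

# central_sha1_url GROUP:ARTIFACT:VERSION[:SCOPE]
# Maven Central publishes a .sha1 next to every jar; comparing it with
# `sha1sum ~/.m2/repository/<group path>/<artifact>/<version>/<artifact>-<version>.jar`
# confirms the local file is the KSP artifact the coordinates name.
# (mvn -C / --strict-checksums performs the same check during download.)
central_sha1_url() {
    g=$(printf '%s' "$1" | cut -d: -f1 | tr . /)
    a=$(printf '%s' "$1" | cut -d: -f2)
    v=$(printf '%s' "$1" | cut -d: -f3)
    printf 'https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.jar.sha1\n' "$g" "$a" "$v" "$a" "$v"
}

# Demo run against the constructed tree.
coords=$(resolve_coords "$SAMPLE_TREE" symbol-processing-api)
echo "resolved: $coords"
echo "checksum: $(central_sha1_url "$coords")"
```

On a real project replace `SAMPLE_TREE` with `mvn -q dependency:tree` output; the `provided` scope in the last field also tells you the artifact is only on the annotation-processor classpath at compile time and is not packaged into the application.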