jpmml/jpmml-evaluator

Updating Guava dependency to latest

jason-ogaard opened this issue · 4 comments

When we pull in 0.10.0 of jpmml-evaluator we get Guava v31.1-jre - this version of Guava is known to be insecure, see here. I believe it would be a single line change in your pom here as well as regression testing to fix this issue. The latest release as of right now is 32.1.2-jre.

The Google Guava library is a collection of modules.

The JPMML-Evaluator library mostly uses the "Caching" (i.e. com.google.common.cache.* classes) and "Collections" (i.e. com.google.common.collect.*) modules. It does not load, initialize or use classes from other modules.

The CVE-2023-2976 vulnerability affects the "IO" module. It is therefore highly unlikely that the vulnerable code gets invoked by the JPMML-Evaluator in any way. However, the situation may change, if the Java application itself does some Guava-assisted IO, such as storing the PMML document in a temporary file.

The good news is that it should be perfectly safe to override the default Guava dependency declaration in local build configuration. Simply exclude the legacy version, and import the latest one.

Here is a sample override:
jpmml/jpmml-evaluator-python@0d3e914

In this case, the legacy Guava dependency was being brought in via JPMML-Evaluator and JPMML-Transpiler libraries, so there are two separate <exclusion/> directives.
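A minimal Maven fragment applying the override described in the comment above. This is an added example, not the linked commit or the project's own build file; the coordinates org.jpmml:pmml-evaluator and com.google.guava:guava are the real artifact names, while the pmml-evaluator version is a placeholder and the JPMML-Transpiler coordinates are not shown.

```xml
<!-- Added example: override the transitive Guava version pulled in by JPMML-Evaluator.
     PMML_EVALUATOR_VERSION is a placeholder, not a value from the issue thread. -->
<dependencies>
  <dependency>
    <groupId>org.jpmml</groupId>
    <artifactId>pmml-evaluator</artifactId>
    <version>PMML_EVALUATOR_VERSION</version>
    <exclusions>
      <!-- Drop the legacy Guava that JPMML-Evaluator declares transitively -->
      <exclusion>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- If JPMML-Transpiler is also a dependency, repeat the same <exclusion/>
       block on it, as the linked commit does. -->

  <!-- Declare the patched Guava directly so it is the only version resolved -->
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>32.1.2-jre</version>
  </dependency>
</dependencies>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=com.google.guava` and check that 32.1.2-jre is the only Guava version listed.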

When we pull in 0.10.0 of jpmml-evaluator we get Guava v31.1-jre

I've released jpmml_evaluator version 0.10.1 to PyPI, which includes Guava version 32.1.2-jre:
https://pypi.org/project/jpmml-evaluator/0.10.1/

@AbdealiLoKo You can attach an arbitrary Guava version to an existing JPMML-Evaluator version using the "dependency override" mechanism (exclude old ver, declare a new more appropriate ver) as shown here:
jpmml/jpmml-evaluator-python@0d3e914

Yes, there is a JPMML-Evaluator update in the works, which adds support for multi-output (aka multi-leaf) tree models. The Guava dependency (and other dependencies that have gone stale over the past 1 -- 1.5 years) will be updated then.

Right now, my focus is on getting some major refactorings done on the JPMML-SkLearn project.