salesforce/grpc-java-contrib

Could we bump grpc version and release a jprotoc 1.23

Opened this issue · 3 comments

Hi there,

Could we bump up jprotoc 1.23 to use io.grpc version 1.66 or higher? We are using this package in our company but we have to comply with CVEs.

Thanks in advance!

gRPC has been really stable for the past few tens of releases. In the interim, you can safely manually override the version in your pom.xml with an <excludes> statement on the jProtoc dependency and your own <dependency> block. Alternatively, you can force override the version of transitive dependencies with a <dependencyManagement> statement.

Thanks @rmichela. We tried both solutions but they do not work, unfortunately.

```xml
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.0.0-jre</version>
        <scope>import</scope>
        <type>pom</type>
      </dependency>
      <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-grpc</artifactId>
        <version>3.21.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
```

or

```xml
    <dependency>
      <groupId>io.vertx</groupId>
      <artifactId>vertx-grpc-protoc-plugin</artifactId>
      <version>${vertx.version}</version>
      <optional>true</optional>
      <exclusions>
        <exclusion>
          <groupId>com.google.protobuf</groupId>
          <artifactId>protobuf-java</artifactId>
        </exclusion>
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <dependency>
      <groupId>com.salesforce.servicelibs</groupId>
      <artifactId>jprotoc</artifactId>
      <version>1.2.2</version>
      <exclusions>
        <exclusion>
          <groupId>com.google.protobuf</groupId>
          <artifactId>protobuf-java</artifactId>
        </exclusion>
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
```

Still getting the report that

```json
"VulnerabilityID": "CVE-2023-2976",
"PkgName": "com.google.guava:guava",
"PkgPath": "opt/caas/app/jprotoc-1.2.2.jar",
"InstalledVersion": "31.1-jre",
"FixedVersion": "32.0.0-android",
"Status": "fixed",
```

or

```json
"VulnerabilityID": "CVE-2021-22569",
"PkgName": "com.google.protobuf:protobuf-java",
"PkgPath": "opt/caas/app/vertx-grpc-protoc-plugin-4.5.10.jar",
"InstalledVersion": "3.15.8",
"FixedVersion": "3.16.1, 3.18.2, 3.19.2",
"Status": "fixed",
```

I guess because we have to run a plugin that brings in vertx-grpc-protoc-plugin together with jprotoc, which can't be overridden by dependency management rules.

```xml
      <plugin>
        <groupId>org.xolstice.maven.plugins</groupId>
        <artifactId>protobuf-maven-plugin</artifactId>
        <version>0.6.1</version>
        <configuration>
          <protocArtifact>com.google.protobuf:protoc:${protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
          <pluginId>grpc-java</pluginId>
          <pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
          <protocPlugins>
            <protocPlugin>
              <id>vertx-grpc-protoc-plugin</id>
              <groupId>io.vertx</groupId>
              <artifactId>vertx-grpc-protoc-plugin</artifactId>
              <version>${vertx.version}</version>
              <mainClass>io.vertx.grpc.protoc.plugin.VertxGrpcGenerator</mainClass>
            </protocPlugin>
          </protocPlugins>
        </configuration>
        <executions>
          <execution>
            <id>compile</id>
            <goals>
              <goal>compile</goal>
              <goal>compile-custom</goal>
            </goals>
            <configuration>
              <!-- Include this line if we switch to checking the generated grpc code into git.
              <outputDirectory>${project.basedir}/src/main/java</outputDirectory>
              -->
              <protoSourceRoot>${project.basedir}/src/main/proto/</protoSourceRoot>
              <clearOutputDirectory>false</clearOutputDirectory>
            </configuration>
          </execution>
        </executions>
      </plugin>
```
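The scan output above attributes guava 31.1-jre to jprotoc-1.2.2.jar itself, which is what a scanner reports when a jar bundles (shades) its dependencies along with their META-INF/maven/*/*/pom.properties files; a dependencyManagement or exclusions entry in the consuming pom.xml changes nothing inside such a jar, so only a rebuilt artifact clears the finding. The script below, added here and not part of the thread or the jprotoc project, lists the Maven coordinates embedded in a jar and flags those older than the fixed versions quoted in the scan; the jar it inspects is a constructed in-memory sample, not a real artifact.

```python
import io
import re
import zipfile

# Fixed versions taken from the scan output quoted in the thread above.
MINIMUM_FIXED = {
    ("com.google.guava", "guava"): "32.0.0",
    ("com.google.protobuf", "protobuf-java"): "3.16.1",
}


def version_key(version):
    """Numeric tuple of the leading dotted part; qualifiers such as -jre are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def bundled_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for each Maven pom.properties in the jar.
    A plain jar carries only its own; a shaded jar also carries one per bundled dependency."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8").splitlines():
                    if line and not line.startswith("#") and "=" in line:
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def below_minimum(artifacts, minimums=MINIMUM_FIXED):
    """Bundled artifacts older than the fixed version (only a rebuilt jar can change these)."""
    return {k: v for k, v in artifacts.items()
            if k in minimums and version_key(v) < version_key(minimums[k])}


def constructed_jar():
    """Constructed sample: a shaded jar bundling an old guava (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/example/shaded-tool/pom.properties",
                    "#Generated by Maven\ngroupId=example\nartifactId=shaded-tool\nversion=1.0.0\n")
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                    "version=31.1-jre\ngroupId=com.google.guava\nartifactId=guava\n")
        zf.writestr("com/google/common/base/Preconditions.class", b"")
    return buf.getvalue()
```

Run `below_minimum(bundled_artifacts(open("jprotoc-1.2.2.jar", "rb").read()))` against the real jar before and after a version override to see whether the override reached the bundled classes at all.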