[FLINK-28891] Upgrade google-cloud-libraries-bom version to 25.0.0 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Technical Debt
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Connectors / Google Cloud PubSub
Labels:
None

Description

CVE-2022-25647
In flink-connector-gcp-pubsub, the google-cloud-pubsub version is pulled from
google-cloud-bom (loaded via the libraries-bom) and libraries-bom version in 1.13.6 is 8.1.0. The the google-cloud-pubsub version pulled thorigh this is 1.108.0
https://mvnrepository.com/artifact/com.google.cloud/libraries-bom/8.1.0

The dependecny google-cloud-pubsub:1.108.0 has com.google.code.gson:gson:jar:2.8.6 which is vulnerable
https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.108.0/jar

The google-cloud-pubsub:1.116.0 onwards the gson version is 2.9.0.
https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.116.0/jar

So in order to resolve the vulnerability, google-cloud-libraries-bom version needs to be upgraded to 25.0.0 or higher

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Bilna

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Aug/22 10:41

Updated:: 16/Sep/22 07:29