[GHSA-7g45-4rm6-3mm3] Guava vulnerable to insecure use of temporary directory
Updates
- Affected products
Comments

Guava produces two versions of jars: one for the mobile environment with the android suffix, and jre for Java outside the mobile Android environments.
Hi @mareknovotny, you are right, Guava produces two lines of jars. Unfortunately, the way they are packaged and uploaded to Maven, the system does not see the distinct lines. Instead, it sees the jre package as an upgrade of the android package. In other words, if we were to change the fixed version to 32.0.0-jre, the system would consider 32.0.0-android a vulnerable version.
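The ordering problem described in the comment above, as an added example that is not part of this thread or of the advisory database's own code. It is a simplified model of Maven's `ComparableVersion` rules (assumption: only dotted numeric parts plus a single trailing `-qualifier` are handled, with unknown qualifiers such as `android` and `jre` sorting after all known ones, lexicographically). Under that model a dependency scanner that only knows "fixed in version X" treats `32.0.0-android` as older than `32.0.0-jre`, which is exactly why the fixed version cannot be moved to the jre line without flagging the android line. The lower versions used in the sample are constructed inputs.

```python
import re

# Qualifier order used by Maven's ComparableVersion for the ones it knows about;
# the empty qualifier is the plain release. Any other qualifier (android, jre, ...)
# sorts after all of these and is compared as a plain string. (Simplified model.)
KNOWN_QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]


def parse(version):
    """Split '32.0.0-jre' into ((32,), 'jre'); trailing zeros are dropped so 32.0 == 32.0.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z][A-Za-z0-9]*))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    qualifier = (m.group(2) or "").lower()
    return tuple(numbers), qualifier


def qualifier_key(qualifier):
    # Known qualifiers sort by position; unknown ones land after them and are
    # ordered lexicographically, so "android" < "jre".
    if qualifier in KNOWN_QUALIFIERS:
        return (KNOWN_QUALIFIERS.index(qualifier), "")
    return (len(KNOWN_QUALIFIERS), qualifier)


def version_key(version):
    numbers, qualifier = parse(version)
    return (numbers, qualifier_key(qualifier))


def is_vulnerable(version, fixed_version):
    """A scanner with a single 'fixed in' version flags everything that sorts below it."""
    return version_key(version) < version_key(fixed_version)


def affected_status(versions, fixed_version):
    """Map each version to True (flagged vulnerable) / False (considered fixed)."""
    return {v: is_vulnerable(v, fixed_version) for v in versions}


if __name__ == "__main__":
    # Constructed sample of dependency versions a scanner might encounter.
    sample = ["31.1-android", "31.1-jre", "32.0.0-android", "32.0.0-jre"]
    for fixed in ("32.0.0-android", "32.0.0-jre"):
        print(f"fixed version = {fixed}")
        for version, vulnerable in affected_status(sample, fixed).items():
            print(f"  {version:16} -> {'vulnerable' if vulnerable else 'fixed'}")
```

Running it shows that with the fixed version at `32.0.0-android` both 32.0.0 artifacts are treated as fixed, whereas moving it to `32.0.0-jre` would flag `32.0.0-android` as vulnerable, which is the constraint the advisory maintainer is describing.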
@JonathanLEvans No problem with that; I was just trying to improve things, as I can't accept Dependabot PRs that change from jre to android. If you can't create two identical CVE reports or aggregate them, that is a problem of the advisory. I hope only that you won't consider the jre as vulnerable ;)
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.
I guess you can close this until you have an issue for your system to handle those special Guava artifact versions; if they used a classifier instead of a qualifier in the versions, you would be fine ;). This doesn't change the situation that the GHSA-7g45-4rm6-3mm3 report is wrong and should also recommend upgrading to the 32.0.0-jre version.