
[Security] Bump org.json:json due to CVE-2022-45688 #28962

Merged (1 commit, Oct 19, 2023)

Conversation

bvolpato (Contributor)

Comments suggested that org.json was in sync with libraries-bom, but when analyzing through

cd /tmp; wget https://repo1.maven.org/maven2/com/google/cloud/libraries-bom/26.22.0/libraries-bom-26.22.0.pom -O base.pom && mvn help:effective-pom -f base.pom -Doutput=effective.pom && cat effective.pom | grep -v 'dependencyManagement' > cleanup.pom && mvn dependency:tree -f cleanup.pom

we can see that it brings a much newer (and not in the CVE range) version:

[INFO] --- dependency:3.6.0:tree (default-cli) @ libraries-bom ---
[INFO] com.google.cloud:libraries-bom:pom:26.22.0
[INFO] +- com.google.cloud:google-cloud-bigquery:jar:2.31.1:compile
[INFO] |  +- org.json:json:jar:20230618:compile
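The check the PR description performs by hand (resolve the BOM's effective POM, then read the org.json version out of `mvn dependency:tree`) generalised into a small script, as an added example that is not part of the PR or of the Beam project: it consumes dependency:tree text and flags every org.json:json version that falls below a minimum patched version. The sample tree is constructed, modelled on the listing above with one hypothetical extra dependency (org.example:legacy-lib) that pulls an older org.json; `MIN_FIXED` is an assumed boundary for illustration, since the page states no range, so confirm it against the advisory for CVE-2022-45688 before relying on it. The network step (wget plus help:effective-pom) is left out; in a real run, pipe the output of `mvn dependency:tree -f cleanup.pom` into `scan_tree` instead of the sample.

```shell
#!/bin/sh
# Added example (not Beam's or the PR author's code): flag org.json:json versions
# resolved in `mvn dependency:tree` output that fall below a patched version.
# MIN_FIXED is an assumed boundary for illustration; verify it against the
# CVE-2022-45688 advisory before relying on it.
MIN_FIXED=20230227

# Constructed sample, modelled on the tree in the PR description, plus one
# hypothetical dependency (org.example:legacy-lib) that pulls an old org.json.
SAMPLE_TREE='[INFO] com.google.cloud:libraries-bom:pom:26.22.0
[INFO] +- com.google.cloud:google-cloud-bigquery:jar:2.31.1:compile
[INFO] |  +- org.json:json:jar:20230618:compile
[INFO] +- org.example:legacy-lib:jar:1.0.0:compile
[INFO] |  \- org.json:json:jar:20220320:compile'

# resolved_versions: read tree text on stdin, print every org.json:json version found.
resolved_versions() {
  sed -n 's/.*org\.json:json:jar:\([0-9][0-9]*\):.*/\1/p'
}

# verdict VERSION: classify one org.json date-style version against MIN_FIXED.
# org.json versions are YYYYMMDD integers, so a numeric compare is sufficient.
verdict() {
  if [ "$1" -ge "$MIN_FIXED" ]; then
    echo "not-in-range"
  else
    echo "VULNERABLE"
  fi
}

# scan_tree: read tree text on stdin, print "<version> <verdict>" per hit.
scan_tree() {
  resolved_versions | while IFS= read -r v; do
    echo "$v $(verdict "$v")"
  done
}

# count_vulnerable: read tree text on stdin, print how many hits are below MIN_FIXED.
# Useful as a CI gate: a non-zero count means a transitive path still pulls an old org.json.
count_vulnerable() {
  n=0
  for v in $(resolved_versions); do
    if [ "$v" -lt "$MIN_FIXED" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Usage: in a real run, replace SAMPLE_TREE with the output of
#   mvn dependency:tree -f cleanup.pom
printf '%s\n' "$SAMPLE_TREE" | scan_tree
```

Note that the script reports every occurrence, not just the first: a BOM can pin one version while a sibling dependency still declares an older one, and it is the resolved tree (after Maven's nearest-wins mediation) that decides which jar ships, which is exactly why the PR author inspected the effective POM rather than trusting the BOM's declared version.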

codecov bot commented Oct 12, 2023

Codecov Report

Merging #28962 (87cf1b2) into master (4a7c484) will increase coverage by 0.01%.
Report is 4 commits behind head on master.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #28962      +/-   ##
==========================================
+ Coverage   72.15%   72.17%   +0.01%     
==========================================
  Files         686      686              
  Lines      101629   101629              
==========================================
+ Hits        73329    73348      +19     
+ Misses      26724    26705      -19     
  Partials     1576     1576              
Flag Coverage Δ
python 82.62% <ø> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown.

Files Coverage Δ
sdks/python/apache_beam/ml/inference/base.py 93.51% <ø> (ø)

... and 13 files with indirect coverage changes


bvolpato (Contributor, Author)

Run Java_GCP_IO_Direct PreCommit

github-actions (Contributor)

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @robertwb for label java.
R: @Abacn for label build.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

@Abacn Abacn merged commit 8fb23ee into apache:master Oct 19, 2023
30 checks passed
kkdoon pushed a commit to twitter-forks/beam that referenced this pull request Oct 21, 2023