Upgrading Guava to resolve CVE-2018-10237 #2073

Closed
smansouri opened this issue Nov 13, 2020 · 2 comments
Labels
comp: tooling Build & Tooling


@smansouri

smansouri commented Nov 13, 2020

Hi,
We are using DataDog java agent in some of our projects, which are having a fixable security vulnerability that can get resolved if Guava is upgraded to a version higher than 24.1.1. It seems that Guava version is set to 20.0 to support Java 7. Is there any plan to upgrade that?

@devinsba
Contributor

Hi @smansouri, work is underway to remove our last runtime usage of guava in #2044.

To ease some fear though, the classes mentioned in the CVE are not loaded by our agent. They are also hidden from standard class loaders so your application could not load them inadvertently.

Guava classes loaded:

[0.173s][info][class,load] com.google.common.cache.CacheBuilder source: x-internal-jar:/
[0.174s][info][class,load] com.google.common.base.Supplier source: x-internal-jar:/
[0.174s][info][class,load] com.google.common.base.Ticker source: x-internal-jar:/
[0.174s][info][class,load] com.google.common.cache.CacheBuilder$3 source: x-internal-jar:/
[0.174s][info][class,load] com.google.common.cache.Cache source: x-internal-jar:/
[0.174s][info][class,load] com.google.common.base.Function source: x-internal-jar:/
[0.174s][info][class,load] com.google.common.cache.LoadingCache source: x-internal-jar:/
[0.175s][info][class,load] com.google.common.cache.AbstractCache$StatsCounter source: x-internal-jar:/
[0.175s][info][class,load] com.google.common.cache.CacheBuilder$1 source: x-internal-jar:/
[0.175s][info][class,load] com.google.common.base.Suppliers source: x-internal-jar:/
[0.175s][info][class,load] com.google.common.base.Suppliers$SupplierOfInstance source: x-internal-jar:/
[0.175s][info][class,load] com.google.common.cache.CacheStats source: x-internal-jar:/
[0.176s][info][class,load] com.google.common.base.Preconditions source: x-internal-jar:/
[0.177s][info][class,load] com.google.common.cache.CacheBuilder$2 source: x-internal-jar:/
[0.177s][info][class,load] com.google.common.base.Ticker$1 source: x-internal-jar:/
[0.177s][info][class,load] com.google.common.cache.LocalCache$Strength source: x-internal-jar:/
[0.177s][info][class,load] com.google.common.cache.LocalCache$Strength$1 source: x-internal-jar:/
[0.177s][info][class,load] com.google.common.cache.LocalCache$Strength$2 source: x-internal-jar:/
[0.178s][info][class,load] com.google.common.cache.LocalCache$Strength$3 source: x-internal-jar:/
[0.178s][info][class,load] com.google.common.cache.LocalCache$ValueReference source: x-internal-jar:/
[0.178s][info][class,load] com.google.common.cache.LocalCache$StrongValueReference source: x-internal-jar:/
[0.178s][info][class,load] com.google.common.cache.LocalCache$WeightedStrongValueReference source: x-internal-jar:/
[0.178s][info][class,load] com.google.common.cache.LocalCache$SoftValueReference source: x-internal-jar:/
[0.178s][info][class,load] com.google.common.cache.LocalCache$WeightedSoftValueReference source: x-internal-jar:/
[0.179s][info][class,load] com.google.common.cache.LocalCache$WeakValueReference source: x-internal-jar:/
[0.179s][info][class,load] com.google.common.cache.LocalCache$WeightedWeakValueReference source: x-internal-jar:/
[0.179s][info][class,load] com.google.common.cache.LocalCache$LocalManualCache source: x-internal-jar:/
[0.179s][info][class,load] com.google.common.cache.CacheLoader source: x-internal-jar:/
[0.179s][info][class,load] com.google.common.cache.LocalCache$LocalManualCache$1 source: x-internal-jar:/
[0.180s][info][class,load] com.google.common.cache.LocalCache source: x-internal-jar:/
[0.181s][info][class,load] com.google.common.cache.CacheLoader$UnsupportedLoadingOperationException source: x-internal-jar:/
[0.181s][info][class,load] com.google.common.cache.CacheLoader$InvalidCacheLoadException source: x-internal-jar:/
[0.181s][info][class,load] com.google.common.cache.LocalCache$ReferenceEntry source: x-internal-jar:/
[0.181s][info][class,load] com.google.common.util.concurrent.UncheckedExecutionException source: x-internal-jar:/
[0.181s][info][class,load] com.google.common.util.concurrent.ExecutionError source: x-internal-jar:/
[0.182s][info][class,load] com.google.common.cache.LocalCache$1 source: x-internal-jar:/
[0.182s][info][class,load] com.google.common.cache.LocalCache$2 source: x-internal-jar:/
[0.182s][info][class,load] com.google.common.base.MoreObjects source: x-internal-jar:/
[0.182s][info][class,load] com.google.common.base.Equivalence source: x-internal-jar:/
[0.183s][info][class,load] com.google.common.base.Equivalence$Equals source: x-internal-jar:/
[0.183s][info][class,load] com.google.common.base.Equivalence$Identity source: x-internal-jar:/
[0.183s][info][class,load] com.google.common.base.FunctionalEquivalence source: x-internal-jar:/
[0.183s][info][class,load] com.google.common.base.PairwiseEquivalence source: x-internal-jar:/
[0.183s][info][class,load] com.google.common.base.Predicate source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.Weigher source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.CacheBuilder$OneWeigher source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.RemovalListener source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.CacheBuilder$NullListener source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.LocalCache$EntryFactory source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$1 source: x-internal-jar:/
[0.184s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$2 source: x-internal-jar:/
[0.185s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$3 source: x-internal-jar:/
[0.185s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$4 source: x-internal-jar:/
[0.185s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$5 source: x-internal-jar:/
[0.185s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$6 source: x-internal-jar:/
[0.185s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$7 source: x-internal-jar:/
[0.185s][info][class,load] com.google.common.cache.LocalCache$EntryFactory$8 source: x-internal-jar:/
[0.186s][info][class,load] com.google.common.cache.LocalCache$Segment source: x-internal-jar:/
[0.188s][info][class,load] com.google.common.cache.LocalCache$AccessQueue source: x-internal-jar:/
[0.188s][info][class,load] com.google.common.cache.LocalCache$AbstractReferenceEntry source: x-internal-jar:/
[0.188s][info][class,load] com.google.common.cache.LocalCache$AccessQueue$1 source: x-internal-jar:/
[0.812s][info][class,load] com.google.common.cache.LocalCache$WeakEntry source: x-internal-jar:/
[0.812s][info][class,load] com.google.common.cache.LocalCache$WeakAccessEntry source: x-internal-jar:/
[0.812s][info][class,load] com.google.common.cache.LocalCache$NullEntry source: x-internal-jar:/
[0.814s][info][class,load] com.google.common.base.Platform source: x-internal-jar:/
[0.814s][info][class,load] com.google.common.base.PatternCompiler source: x-internal-jar:/
[0.814s][info][class,load] com.google.common.base.Platform$JdkPatternCompiler source: x-internal-jar:/
[0.814s][info][class,load] com.google.common.base.CommonPattern source: x-internal-jar:/
[0.814s][info][class,load] com.google.common.base.JdkPattern source: x-internal-jar:/
[0.845s][info][class,load] com.google.common.cache.LocalCache$StrongEntry source: x-internal-jar:/
[0.845s][info][class,load] com.google.common.cache.LocalCache$StrongAccessEntry source: x-internal-jar:/
[0.873s][info][class,load] com.google.common.cache.CacheLoader$SupplierToCacheLoader source: x-internal-jar:/
[0.873s][info][class,load] com.google.common.cache.CacheLoader$FunctionToCacheLoader source: x-internal-jar:/
[0.873s][info][class,load] com.google.common.cache.CacheLoader$1 source: x-internal-jar:/
[0.873s][info][class,load] com.google.common.cache.LocalCache$LoadingValueReference source: x-internal-jar:/
[0.873s][info][class,load] com.google.common.util.concurrent.ListenableFuture source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.AbstractFuture source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.AbstractFuture$TrustedFuture source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.SettableFuture source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.AbstractFuture$AtomicHelper source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.AbstractFuture$SafeAtomicHelper source: x-internal-jar:/
[0.874s][info][class,load] com.google.common.util.concurrent.AbstractFuture$SynchronizedHelper source: x-internal-jar:/
[0.875s][info][class,load] com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper$1 source: x-internal-jar:/
[0.876s][info][class,load] com.google.common.util.concurrent.AbstractFuture$Listener source: x-internal-jar:/
[0.876s][info][class,load] com.google.common.util.concurrent.AbstractFuture$Waiter source: x-internal-jar:/
[0.876s][info][class,load] com.google.common.base.Stopwatch source: x-internal-jar:/
[0.883s][info][class,load] com.google.common.util.concurrent.Uninterruptibles source: x-internal-jar:/
[0.883s][info][class,load] com.google.common.util.concurrent.AbstractFuture$SetFuture source: x-internal-jar:/
[0.883s][info][class,load] com.google.common.util.concurrent.AbstractFuture$Cancellation source: x-internal-jar:/
[0.883s][info][class,load] com.google.common.util.concurrent.AbstractFuture$Failure source: x-internal-jar:/
[0.888s][info][class,load] com.google.common.collect.UnmodifiableIterator source: x-internal-jar:/
[0.888s][info][class,load] com.google.common.collect.AbstractSequentialIterator source: x-internal-jar:/
[0.888s][info][class,load] com.google.common.cache.LocalCache$AccessQueue$2 source: x-internal-jar:/
[0.888s][info][class,load] com.google.common.cache.RemovalCause source: x-internal-jar:/
[0.888s][info][class,load] com.google.common.cache.RemovalCause$1 source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.cache.RemovalCause$2 source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.cache.RemovalCause$3 source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.cache.RemovalCause$4 source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.cache.RemovalCause$5 source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.collect.ImmutableCollection source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.collect.ImmutableSet source: x-internal-jar:/
[0.890s][info][class,load] com.google.common.collect.ImmutableList source: x-internal-jar:/
[0.890s][info][class,load] com.google.common.collect.ImmutableAsList source: x-internal-jar:/
[0.890s][info][class,load] com.google.common.collect.RegularImmutableAsList source: x-internal-jar:/
[0.890s][info][class,load] com.google.common.collect.ImmutableSet$Indexed source: x-internal-jar:/
[0.890s][info][class,load] com.google.common.collect.RegularImmutableSet source: x-internal-jar:/
[0.891s][info][class,load] com.google.common.collect.SingletonImmutableSet source: x-internal-jar:/
[0.891s][info][class,load] com.google.common.collect.ImmutableSet$Indexed$1 source: x-internal-jar:/
[0.891s][info][class,load] com.google.common.collect.ObjectArrays source: x-internal-jar:/
[0.891s][info][class,load] com.google.common.collect.SingletonImmutableList source: x-internal-jar:/
[0.891s][info][class,load] com.google.common.collect.RegularImmutableList source: x-internal-jar:/
[0.892s][info][class,load] com.google.common.collect.UnmodifiableListIterator source: x-internal-jar:/
[0.892s][info][class,load] com.google.common.collect.ImmutableList$ReverseImmutableList source: x-internal-jar:/
[0.892s][info][class,load] com.google.common.collect.AbstractIndexedListIterator source: x-internal-jar:/
[0.892s][info][class,load] com.google.common.collect.ImmutableList$1 source: x-internal-jar:/
[0.892s][info][class,load] com.google.common.collect.ImmutableList$SubList source: x-internal-jar:/
[0.893s][info][class,load] com.google.common.collect.Iterators source: x-internal-jar:/
[0.893s][info][class,load] com.google.common.collect.Iterators$1 source: x-internal-jar:/
[0.893s][info][class,load] com.google.common.collect.AbstractIterator source: x-internal-jar:/
[0.893s][info][class,load] com.google.common.collect.Iterators$6 source: x-internal-jar:/
[0.893s][info][class,load] com.google.common.collect.Iterators$11 source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.Iterators$12 source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.Iterators$10 source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.Iterators$3 source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.Iterators$5 source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.PeekingIterator source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.Iterators$MergingIterator source: x-internal-jar:/
[0.894s][info][class,load] com.google.common.collect.Iterators$2 source: x-internal-jar:/
[1.292s][info][class,load] org.yaml.snakeyaml.external.com.google.gdata.util.common.base.Escaper source: x-internal-jar:/
[1.292s][info][class,load] org.yaml.snakeyaml.external.com.google.gdata.util.common.base.UnicodeEscaper source: x-internal-jar:/
[1.292s][info][class,load] org.yaml.snakeyaml.external.com.google.gdata.util.common.base.PercentEscaper source: x-internal-jar:/
[1.293s][info][class,load] org.yaml.snakeyaml.external.com.google.gdata.util.common.base.UnicodeEscaper$2 source: x-internal-jar:/

@devinsba devinsba linked a pull request Nov 13, 2020 that will close this issue
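
The check described in the comment above can be repeated on your own class-load log. This is an added example, not part of the original thread or the agent's code: it parses JVM class-load output (`-Xlog:class+load`, the format shown above) and reports whether the two classes named in the CVE-2018-10237 advisory, `AtomicDoubleArray` and `CompoundOrdering`, were loaded. It goes beyond the log shown by also accepting the JDK 8 `-verbose:class` format and shaded package prefixes; `SAMPLE_LOG` and its jar paths are constructed.

```python
import re

# Classes named in the CVE-2018-10237 advisory (unbounded allocation on deserialization).
AFFECTED = (
    "com.google.common.util.concurrent.AtomicDoubleArray",
    "com.google.common.collect.CompoundOrdering",
)

# JDK 9+ unified logging (-Xlog:class+load), the format shown in the comment above.
UNIFIED = re.compile(r"\[class,load\s*\]\s+(?P<cls>[\w.$]+)(?:\s+source:\s+(?P<src>\S+))?")
# JDK 8 -verbose:class format.
LEGACY = re.compile(r"\[Loaded (?P<cls>[\w.$]+) from (?P<src>[^\]]+)\]")


def loaded_classes(log_text):
    """Map each loaded class name to the source it was first loaded from."""
    loaded = {}
    for line in log_text.splitlines():
        m = UNIFIED.search(line) or LEGACY.search(line)
        if m:
            loaded.setdefault(m.group("cls"), m.group("src") or "unknown")
    return loaded


def is_affected(class_name):
    """True for an affected class, its nested classes, or a prefixed (shaded) copy."""
    outer = class_name.split("$", 1)[0]
    return any(outer == a or outer.endswith("." + a) for a in AFFECTED)


def find_affected(log_text):
    """Return sorted (class, source) pairs for loaded classes the CVE concerns."""
    return sorted((c, s) for c, s in loaded_classes(log_text).items() if is_affected(c))


# Constructed sample: two lines in the page's format, then hypothetical entries
# (an app-classpath copy, a shaded copy, a JDK 8 style line) to exercise the check.
SAMPLE_LOG = """\
[0.173s][info][class,load] com.google.common.cache.CacheBuilder source: x-internal-jar:/
[0.889s][info][class,load] com.google.common.collect.ImmutableSet source: x-internal-jar:/
[1.501s][info][class,load] com.google.common.util.concurrent.AtomicDoubleArray source: file:/app/lib/guava-20.0.jar
[1.502s][info][class,load] shaded.com.google.common.collect.CompoundOrdering source: file:/app/lib/vendor.jar
[Loaded com.google.common.collect.Ordering from file:/app/lib/guava-20.0.jar]
"""

if __name__ == "__main__":
    for cls, src in find_affected(SAMPLE_LOG):
        print(f"AFFECTED CLASS LOADED: {cls} ({src})")
```

An empty result only covers the code paths exercised during the logged run, so capture the log under a representative workload. The `source:` field shows which jar or class loader supplied each class.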
@smansouri
Author

Thanks a lot, @devinsba for the update 🙏
