1. Fix the vulnerability caused by the gson version #1358
Conversation
Pls specify
Motivation:
Explain the context, and why you're making that change.
To make others understand what is the problem you're trying to solve.
Modification:
Describe the idea and modifications you've done.
Result:
Fixes #.
If there is no issue then describe the changes introduced by this PR.
It may be advisable to upgrade apollo-client to version 2.1.0, as the transitive gson version has been updated to 2.8.9 since the release of version 2.0.1. However, it's important to note that, beginning with the 2.0.0 release, apollo-client has ceased support for Java 1.7, constituting a significant change.
got it, working on it
71c2267 to ac5ed03
Upgraded apollo-client to version 2.1.0; gson went up to 2.8.9 as well.
Codecov Report: All modified lines are covered by tests ✅
Additional details and impacted files:
@@ Coverage Diff @@
##             master    #1358      +/-   ##
============================================
- Coverage     72.07%   72.00%   -0.08%
+ Complexity      784      783       -1
============================================
  Files           416      416
  Lines         17661    17661
  Branches       2752     2752
============================================
- Hits          12730    12717      -13
- Misses         3526     3539      +13
  Partials       1405     1405
LGTM
LGTM
Fix a vulnerability reported by the Mini Program Cloud code scan:
Severity: High
Vulnerability type: Deserialization vulnerability
Vulnerability subtype: MPS-2022-12287_com.google.code.gson_gson
Vulnerability IDs:
MPS-2022-12287
CVE-2022-25647
Vulnerability status: Submitted
First detected: 2023-07-21 13:39:52
Last detected: 2023-08-08 16:02:39
Vulnerability gene code: b953014247a1a4716f6d56e1f7e51ad3
Vulnerability source file: https://github.com/sofastack/sofa-rpc/blob/master/config/config-apollo/pom.xml
Details:
{
The transitively depended-on component is:
com.google.code.gson
gson
The transitive dependency chain is:
com.ctrip.framework.apollo:apollo-client:1.4.0->com.google.code.gson:gson:2.8.0
The corresponding fixed version is:
2.8.9
}
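The chain reported above (apollo-client 1.4.0 pulling in gson 2.8.0, fixed in 2.8.9) is the kind of finding a dependency-tree check catches before a scanner does. The following is an added example, not code from the sofa-rpc project or this PR: it parses constructed `mvn dependency:tree` output, walks each chain, and flags any artifact below the fixed version in the report, using numeric version comparison so that 2.8.10 is not mistaken for an older release than 2.8.9. The root coordinates in the sample trees are placeholders.

```python
# Added example, not code from the sofa-rpc project: scan a `mvn dependency:tree`
# listing for a transitive gson below the fixed release named in the report (2.8.9).
import re
from typing import List, Tuple

FIXED = {"com.google.code.gson:gson": "2.8.9"}  # CVE-2022-25647 fixed in gson 2.8.9

# Constructed sample trees: the chain from the PR description, then the state after
# the apollo-client 2.1.0 upgrade. Root coordinates are placeholders.
TREE_BEFORE = """\
com.example:demo-app:jar:1.0.0
+- com.ctrip.framework.apollo:apollo-client:jar:1.4.0:compile
|  \\- com.google.code.gson:gson:jar:2.8.0:compile
\\- junit:junit:jar:4.12:test
"""
TREE_AFTER = TREE_BEFORE.replace("1.4.0", "2.1.0").replace("2.8.0", "2.8.9")

LINE_RE = re.compile(r"^([|+\\\- ]*)([\w.\-]+:[\w.\-]+):[\w\-]+:([\w.\-]+)")

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric compare so 2.8.10 > 2.8.9; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))

def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, groupId:artifactId, version) per tree line; drops mvn [INFO] prefix."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.removeprefix("[INFO] "))
        if m:                                 # each tree level indents by 3 chars
            out.append((len(m.group(1)) // 3, m.group(2), m.group(3)))
    return out

def find_vulnerable(text: str) -> List[Tuple[str, str]]:
    """Return (dependency chain, version) for every artifact below its fixed version."""
    hits, path = [], []
    for depth, ga, ver in parse_tree(text):
        del path[depth:]                      # unwind to this node's parent
        path.append(f"{ga}:{ver}")
        fixed = FIXED.get(ga)
        if fixed and version_key(ver) < version_key(fixed):
            hits.append(("->".join(path[1:]), ver))   # chain below the root
    return hits

if __name__ == "__main__":
    print(find_vulnerable(TREE_BEFORE))   # one hit: apollo-client:1.4.0->gson:2.8.0
    print(find_vulnerable(TREE_AFTER))    # []
```

Run it against real `mvn dependency:tree` output by replacing the constructed sample; the chain string it produces matches the format of the scanner report above.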