FSB-5668 Old Version of com.google.code.gson:gson v2.8.5 (CVE-2022-25647) #104

ahongbynder · 2023-07-06T17:49:37Z

https://bynder.atlassian.net/browse/FSB-5668

Dependency converter-gson version 2.9.0 has a compile/transitive dependency on com.google.code.gson version 2.8.5 (https://mvnrepository.com/artifact/com.squareup.retrofit2/converter-gson/2.9.0). Version 2.8.5 has a security vulnerability (https://mvnrepository.com/artifact/com.google.code.gson/gson/2.8.5) referencing CVE-2022-25647.

Referencing https://fossa.com/blog/overriding-dependency-versions-using-version-ranges-maven/, added a direct dependency of com.google.code.gson with version 2.10.1. With nearest definition in pom.xml, converter-gson picks up version 2.10.1 of com.google.code.gson.

…n update, used in converter-gson, update README for latest SDK version 2.2.18

coveralls · 2023-07-06T17:50:28Z

coverage: 47.059%. remained the same when pulling 0c19bb7 on FSB-5668 into dddb80b on master.

FSB-5668 update com.google.code.gson transitive dependency for versio…

0c19bb7

…n update, used in converter-gson, update README for latest SDK version 2.2.18

ahongbynder marked this pull request as ready for review July 6, 2023 22:36

ahongbynder requested review from thegreatdeku, dylanmartins, Dobiday and TimBloembergen July 6, 2023 22:36

thegreatdeku approved these changes Jul 7, 2023

View reviewed changes

ahongbynder merged commit bf9abb6 into master Jul 7, 2023
4 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FSB-5668 Old Version of com.google.code.gson:gson v2.8.5 (CVE-2022-25647) #104

FSB-5668 Old Version of com.google.code.gson:gson v2.8.5 (CVE-2022-25647) #104

ahongbynder commented Jul 6, 2023

coveralls commented Jul 6, 2023

FSB-5668 Old Version of com.google.code.gson:gson v2.8.5 (CVE-2022-25647) #104

FSB-5668 Old Version of com.google.code.gson:gson v2.8.5 (CVE-2022-25647) #104

Conversation

ahongbynder commented Jul 6, 2023

coveralls commented Jul 6, 2023