| [jersey-dev] security research questions about jersey-guava |
|
Hi jersey-dev. This is NOT a security report - I have a question about an old artifact. I don’t expect anyone to spend a lot of time with this, but any help would be appreciated. We currently have a dependency on org.glassfish.jersey.bundles.repackaged.jersey-guava_2.22.1.v20161103-1916[1] (the Artifact). The Artifact was flagged by our CVE matching service for CVE-2018-10237[2] (the CVE). I believe this is a false positive, because the vulnerable classes for the CVE are AtomicDoubleArray and CompoundOrdering[3], which are not present in the Artifact. I’m trying to fill out my understanding of how repackaged-guava was built and am hoping someone here can help me. I am trying to understand how the Artifact was built such that it does not include the vulnerable classes for the CVE. The vulnerable classes are present in guava 18.0, which was the version used to build the Artifact.
I read through the pom[4], but don’t understand why only a subset of classes from guava 18.0 are included in jersey-guava. I checked out jersey 2.21.x[5] and attempted to build it myself, hoping that would help me understand. The build failed to complete, but the repackaged module succeeded. When I inspected jersey-guava-2.22.1.jar, it contained all of the classes from guava 18.0 instead of the subset I was expected based on the Artifact. Can anyone help me understand how the Artifact was built such that it does not include the vulnerable classes for the CVE? Thanks! Tony Homer [1]
https://search.maven.org/artifact/org.glassfish.jersey.bundles.repackaged/jersey-guava/2.22.1/bundle [2]
https://github.com/google/guava/wiki/CVE-2018-10237 [3]
https://github.com/google/guava/commit/7ec8718f1e6e2814dabaa4b9f96b6b33a813101c [4] https://github.com/jersey/jersey/blob/2.21.1/bundles/repackaged/jersey-guava/pom.xml [5] https://github.com/jersey/jersey/commit/28183b0d4c41514fe698cfeffc09bc2feb3fb2e6 |