Transitive vulnerability from symbol-processing-api
NadChel opened this issue · comments
Hi. We are considering introducing Dagger 2 in our Java project. However, we are concerned that our plugin found a vulnerability associated with the dagger-compiler dependency:
```xml
<dagger.ver>2.51.1</dagger.ver>
<!-- ... -->
<dependency>
    <groupId>com.google.dagger</groupId>
    <artifactId>dagger</artifactId>
    <version>${dagger.ver}</version>
</dependency>
<dependency>
    <groupId>com.google.dagger</groupId>
    <artifactId>dagger-compiler</artifactId>
    <version>${dagger.ver}</version>
    <scope>provided</scope>
</dependency>
```
The vulnerability comes from the symbol-processing-api-1.9.20-1.0.14 artifact. It has more recent versions:
- Are those versions free of the aforementioned vulnerability?
- If so, are there any plans to update the version of that dependency so that we can safely integrate Dagger in our application?
It was also submitted through the bughunters.google.com website (though I believe it is supposed to get reports on new vulnerabilities).
Thank you
Hey - I think you are misunderstanding the vulnerability report: it identified two possible libraries corresponding to the symbol-processing-api-1.9.29-1.0.14.jar file, one is the KSP one and the other one is some library that indeed has a vulnerability. Dagger depends on KSP, not on the other. Also notice how the CVE is for that 'other' library and not KSP.