Dependency `opencensus` is no longer maintained
rogierslag opened this issue
This library has an ultimate dependency on a version of grpc-context (1.27.2), which is vulnerable to several CVEs.
- https://nvd.nist.gov/vuln/detail/CVE-2023-33953
- https://nvd.nist.gov/vuln/detail/CVE-2023-4785
- https://nvd.nist.gov/vuln/detail/CVE-2023-32732
The exact dependency chain is as follows:
```
[INFO] com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile
```
The vulnerable library is ultimately included through opencensus, but that repository has been archived on GitHub, and the code has since been unmaintained. The vulnerable version of grpc is defined here.
As the library is unmaintained, no new versions are pushed as part of #1290.
This library shouldn't touch gRPC. I'll try to exclude the dependency.
It was already handled in googleapis/google-api-java-client#2416.
There's no io.grpc:grpc-context:jar:1.27.2 any more in the dependency tree https://gist.github.com/suztomo/4c19cd63ec5ac031d3951ecfa0fed87d.
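To verify a build the way the last comment does (is the vulnerable artifact still anywhere in the tree, and through which chain does it arrive), here is an added Python example that is not part of this thread or of the project: it parses `mvn dependency:tree` output in the format quoted above and returns every root-to-artifact path. The two sample trees are constructed to mirror the chain in the issue, before and after the transitive dependency is excluded.

```python
import re

# Constructed sample of `mvn dependency:tree` output reproducing the chain
# quoted in the issue (real Maven output indents each level by three columns).
TREE_BEFORE = """\
[INFO] com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  \\- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] \\- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile
"""

# Constructed sample of the same tree after grpc-context has been excluded.
TREE_AFTER = """\
[INFO] com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] \\- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile
"""

# Tree-drawing prefix (spaces, '|', '+-', '\-') followed by the Maven coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>\S+)$")


def parse_line(line):
    """Return (depth, group, artifact, version) for one tree line, or None."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    depth = len(m.group("prefix")) // 3  # each nesting level is 3 columns wide
    parts = m.group("coord").split(":")
    if len(parts) < 4:
        return None
    # group:artifact:type[:classifier]:version[:scope]; scope assumed present
    # whenever there are more than four fields, as in the quoted output.
    version = parts[3] if len(parts) == 4 else parts[-2]
    return depth, parts[0], parts[1], version


def find_paths(tree_text, group, artifact):
    """Every root-to-artifact path through which group:artifact is pulled in."""
    paths, stack = [], []
    for line in tree_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        depth, g, a, v = parsed
        del stack[depth:]  # pop back to this node's parent level
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact):
            paths.append(list(stack))
    return paths
```

Feed it the real output of `mvn dependency:tree` and an empty result for `io.grpc`/`grpc-context` is the check that the exclusion actually took effect, while a non-empty result shows which dependency needs the exclusion.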