googleapis / google-http-java-client

Google HTTP Client Library for Java

Dependency `opencensus` is no longer maintained

rogierslag opened this issue · comments

This library has an ultimate dependency on a version of grpc-context (1.27.2), which is vulnerable to several CVEs.

The exact dependency chain is as follows:

[INFO] com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile

The vulnerable library is ultimately included through opencensus, but that repository has been archived on GitHub, and the code has since been unmaintained. The vulnerable version of grpc is defined here.

As the library is unmaintained, no new versions are pushed as part of #1290.
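An added example, not part of this issue or of the library's code: a small Python check that parses the text output of `mvn dependency:tree` (the format quoted above) and reports the full path from the root artifact to every occurrence of a flagged artifact version, so a consumer can see which direct dependency pulls in the affected `grpc-context`. The sample tree is copied from the issue; the set of flagged versions is an input, here just the `1.27.2` the issue names.

```python
"""Find flagged transitive artifacts in `mvn dependency:tree` text output."""

# Sample input: the dependency chain quoted in the issue (Maven text format).
SAMPLE_TREE = "\n".join([
    "[INFO] com.google.http-client:google-http-client:jar:1.42.3:compile",
    "[INFO] +- io.opencensus:opencensus-api:jar:0.31.1:compile",
    r"[INFO] |  \- io.grpc:grpc-context:jar:1.27.2:compile",
    r"[INFO] \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile",
])

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_tree(text):
    """Return a list of (depth, groupId, artifactId, version) tuples, in tree order."""
    nodes = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        # The tree drawing uses 3-character cells ("+- ", "\- ", "|  ", "   ");
        # the coordinate starts at the first character that is not part of them.
        i = 0
        while i < len(body) and body[i] in "|+\\- ":
            i += 1
        parts = body[i:].split(":")  # groupId:artifactId:packaging[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        version = parts[-2] if parts[-1] in MAVEN_SCOPES else parts[-1]
        nodes.append((i // 3, parts[0], parts[1], version))
    return nodes


def find_paths(nodes, group, artifact):
    """Return every root-to-node path (as 'g:a:v' strings) ending at the given artifact."""
    paths, ancestors = [], []
    for depth, g, a, v in nodes:
        del ancestors[depth:]  # drop siblings' subtrees, keep this node's ancestors
        ancestors.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact):
            paths.append(list(ancestors))
    return paths


def flag_vulnerable(text, group, artifact, bad_versions):
    """Return only the paths whose leaf version is in the flagged set."""
    return [p for p in find_paths(parse_tree(text), group, artifact)
            if p[-1].rsplit(":", 1)[1] in bad_versions]


if __name__ == "__main__":
    for path in flag_vulnerable(SAMPLE_TREE, "io.grpc", "grpc-context", {"1.27.2"}):
        print(" -> ".join(path))
```

Pipe real output in with `mvn dependency:tree | python3 check.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; an empty result means the flagged version is not on the classpath of that module.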