Dependency on `google-http-client` with includes a vulnerable version of `io.grpc:grpc-context`

This library has a dependency on `google-http-client` (version `1.42.3`) which ultimately depends on a version of `grpc-context` (`1.27.2`) which is vulnerable to several CVEs.

- https://nvd.nist.gov/vuln/detail/CVE-2023-33953
- https://nvd.nist.gov/vuln/detail/CVE-2023-4785
- https://nvd.nist.gov/vuln/detail/CVE-2023-32732

The exact dependency chain is as follows:

```
[INFO] +- com.google.api-client:google-api-client:jar:2.2.0:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.google.oauth-client:google-oauth-client:jar:1.34.1:compile
[INFO] |  +- com.google.http-client:google-http-client-gson:jar:1.42.3:compile
[INFO] |  |  \- com.google.code.gson:gson:jar:2.10:compile
[INFO] |  +- com.google.http-client:google-http-client-apache-v2:jar:1.42.3:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] |     +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |     |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] |     \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile
```

The vulnerable library is ultimately included through opensensus, but that repository [has been archived](https://github.com/census-instrumentation/opencensus-java/tree/master) on Github, and the code is since unmaintained. The vulnerable version of grpc is defined [here](https://github.com/census-instrumentation/opencensus-java/blob/master/build.gradle#L164).

Would it be possible to remove the ultimate dependency on this grpc package, or potentially remove the unmaintained code as dependencies altogether?

_Also flagged in https://github.com/googleapis/google-http-java-client/issues/1915_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency on `google-http-client` with includes a vulnerable version of `io.grpc:grpc-context` #2416

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Dependency on google-http-client with includes a vulnerable version of io.grpc:grpc-context #2416

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Dependency on `google-http-client` with includes a vulnerable version of `io.grpc:grpc-context` #2416