Bilna created FLINK-28891:
-----------------------------
Summary: Upgrade google-cloud-libraries-bom version to 25.0.0
Key: FLINK-28891
URL: https://issues.apache.org/jira/browse/FLINK-28891
Project: Flink
Issue Type: Bug
Reporter: Bilna
*CVE-2022-25647*
In flink-connector-gcp-pubsub, the google-cloud-pubsub version is pulled from
google-cloud-bom (loaded via the libraries-bom) and libraries-bom version in
1.13.6 is 8.1.0. The the google-cloud-pubsub version pulled thorigh this is
1.108.0
https://mvnrepository.com/artifact/com.google.cloud/libraries-bom/8.1.0
The dependecny google-cloud-pubsub:1.108.0 has
com.google.code.gson:gson:jar:2.8.6 which is vulnerable
https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.108.0/jar
The google-cloud-pubsub:1.116.0 onwards the gson version is 2.9.0.
https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.116.0/jar
So in order to resolve the vulnerability, google-cloud-libraries-bom version
needs to be upgraded to 25.0.0 or higher
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
