raboof commented on issue #1553: URL: https://github.com/apache/pekko/issues/1553#issuecomment-2866155896
> our GitHub 'security' tab claims that we depend on a version of guava that is vulnerable to [GHSA-mvr2-9pj6-7w5j](https://github.com/advisories/GHSA-mvr2-9pj6-7w5j).
>
> I think this is a false positive: I think this is the guava that comes in as a transitive dependency of leveldb, but this is an `optional;provided` dependency. This apparently ends up in the `compile-internal` and `optional` scopes.
>
> I think we should probably exclude the `compile-internal` and `optional` scopes, and use the dependabot security report for artifacts that actually come in as transitive dependencies for our users. The chance that an advisory for an optional/provided/test/build-time dependency actually impacts our build seems too small to justify the noise it adds.

This should be fixed with https://github.com/apache/pekko/pull/1392

> When I run a "jdeps --multi-release 21 -jdkinternals" scan I am getting: com.google.guava.guava-32.1.3-jre.jar is using "Uses internal APIs: sun.misc.Unsafe"

That seems off-topic for this particular issue tbh ;). FWIW Pekko itself also still uses sun.misc.Unsafe in several places (and works fine with Java 21 as long as you add the relevant flags). We should probably add this to our documentation - filed #1840 for that.

> As mentioned above, it is coming as a transitive dependency of leveldb. I am not using this directly anywhere; can I ignore this report?

While that particularly old version of Guava came in via the optional leveldb dependency, I think more recent versions come in via 'regular' dependencies such as Jackson.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
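The scope reasoning in the comment above (a dependency declared optional or provided never reaches consumers of the published artifact, so an advisory against its transitive dependencies is noise for them), as an added example that is not code from the Pekko project or this thread: a small Python triage check that reads a constructed POM and reports whether a flagged transitive artifact actually propagates through its parent. The sample POM, its placeholder versions, the function names and the triage labels are all assumptions made for the example.

```python
# Added example (not Pekko project code): triage a scanner hit on a transitive
# dependency by checking how its parent is declared in the published POM.
# Maven propagates only non-optional compile/runtime dependencies to consumers;
# optional, provided, test and system dependencies stop at the declaring project.
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROPAGATING_SCOPES = {"compile", "runtime"}

# Constructed sample POM modelled on the thread: leveldb is optional+provided,
# jackson-databind is a regular compile dependency. Versions are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.iq80.leveldb</groupId><artifactId>leveldb</artifactId>
      <version>0.0-sample</version><scope>provided</scope><optional>true</optional>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>0.0-sample</version>
    </dependency>
  </dependencies>
</project>"""


def direct_dependencies(pom_xml):
    """Map artifactId -> (scope, optional, propagates_to_consumers)."""
    deps = {}
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", POM_NS):
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        scope = dep.findtext("m:scope", default="compile", namespaces=POM_NS).strip()
        optional = dep.findtext("m:optional", default="false", namespaces=POM_NS)
        is_optional = optional.strip().lower() == "true"
        deps[artifact] = (scope, is_optional, scope in PROPAGATING_SCOPES and not is_optional)
    return deps


def triage_alert(pom_xml, via_artifact):
    """'actionable' if consumers inherit the flagged artifact through via_artifact,
    'not-propagated' if the parent is optional/provided/test (the thread's false
    positive), 'unknown' if via_artifact is not a direct dependency here."""
    deps = direct_dependencies(pom_xml)
    if via_artifact not in deps:
        return "unknown"
    return "actionable" if deps[via_artifact][2] else "not-propagated"


if __name__ == "__main__":
    for parent in ("leveldb", "jackson-databind"):
        print(f"guava via {parent}: {triage_alert(SAMPLE_POM, parent)}")
```

Run against the real published POM of the artifact in question rather than the sample to decide whether a dependabot alert concerns your users or only your own build.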