Bug google-http-client-gson-1.42.0.jar HEIGH Vulnerability

[genesiscastillo]

scanner

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agoogle&cpe_product=cpe%3A%2F%3Agoogle%3Agson&cpe_version=cpe%3A%2F%3Agoogle%3Agson%3A1.42.0

Atte.
Cesar

[Capstan]

The complaint in the link is that Gson version before 2.8.9 are vulnerable. Head is currently importing 2.9.0 (#1582), and the first fixed version was imported in #1492, and is available in v1.42.0.

[Capstan]

That CPE is weird. There is no version of https://github.com/google/gson that is v1.42.0. And that CPE isn't pointing at google-http-client-gson which does have a v1.42.0, but that version doesn't have the issue specified, because it requires a later version of Gson.

[Capstan]

I guess NIST assumes since all Gson versions <2.8.9 are vulnerable, a mythical Gson version 1.42.0 would also be vulnerable. That said, the CPE tag does not apply to this repo, and this repo pins a non-vulnerable version of Gson since v1.42.0.

Now that said, I wonder if this should show up in the https://github.com/googleapis/google-http-java-client/security/advisories section. 🤔

[meltsufin]

This repo uses GSON 2.9.0. Closing.