CVE-2023-2976

[b-reich]

 * JGraphT version: 1.5.2
 * Java version (java -version)/platform:  17/linux

Issue
com.google.guava until 31.01 is affected by the CVE-2023-2976

Steps to reproduce (small coding example)

Expected behaviour
jgrapht guava without an vulnerable dependency

Other information

[jsichi]

I've analyzed this issue as follows:

• JGraphT itself doesn't use Google Guava at all; we just provide an optional adapter module which does
• The adapter module does not use FileBackedOutputStream directly
• From looking at the Guava code, I don't think anything else uses it indirectly

So there's no actually vulnerability for JGraphT. The issue would be if someone was using our adapter module, and ended up with a dependency conflict as a result of trying to use the latest version of Guava. So if someone runs into that, we'll need to provide a point release at that time.

[b-reich]

You are right.
The Adapter depends on it. https://mvnrepository.com/artifact/org.jgrapht/jgrapht-guava/1.5.2

A point release would be greate for it

[jkinable]

I've updated the dependencies and pushed them into main. Our snapshot build now imports the latest guava version.