Could we bump grpc version and release a jprotoc 1.23 #245

Open
xchen8421 opened this issue Sep 18, 2024 · 3 comments

Comments

@xchen8421

Hi there,

Could we bump jprotoc up to 1.23, updated to use io.grpc version 1.66 or higher? We are using this package in our company, but we have to comply with CVEs.

Thanks in advance!

@rmichela
Collaborator

gRPC has been really stable for the past few tens of releases. In the interim, you can safely manually override the version in your pom.xml with an <excludes> statement on the jProtoc dependency and your own <dependency> block. Alternatively, you can force override the version of transitive dependencies with a <dependencyManagement> statement.

@xchen8421
Author

Thanks @rmichela. We tried both solutions, but neither works, unfortunately.

```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>32.0.0-jre</version>
      <scope>import</scope>
      <type>pom</type>
    </dependency>
    <dependency>
      <groupId>io.vertx</groupId>
      <artifactId>vertx-grpc</artifactId>
      <version>3.21.7</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

or

```xml
<dependency>
  <groupId>io.vertx</groupId>
  <artifactId>vertx-grpc-protoc-plugin</artifactId>
  <version>${vertx.version}</version>
  <optional>true</optional>
  <exclusions>
    <exclusion>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
    </exclusion>
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<dependency>
  <groupId>com.salesforce.servicelibs</groupId>
  <artifactId>jprotoc</artifactId>
  <version>1.2.2</version>
  <exclusions>
    <exclusion>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
    </exclusion>
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Still getting the report that:

```json
"VulnerabilityID": "CVE-2023-2976",
"PkgName": "com.google.guava:guava",
"PkgPath": "opt/caas/app/jprotoc-1.2.2.jar",
"InstalledVersion": "31.1-jre",
"FixedVersion": "32.0.0-android",
"Status": "fixed",
```

or

```json
"VulnerabilityID": "CVE-2021-22569",
"PkgName": "com.google.protobuf:protobuf-java",
"PkgPath": "opt/caas/app/vertx-grpc-protoc-plugin-4.5.10.jar",
"InstalledVersion": "3.15.8",
"FixedVersion": "3.16.1, 3.18.2, 3.19.2",
"Status": "fixed",
```

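A small triage script for findings like the two above, added here as an example and not code from the jprotoc project or the issue author. It assumes the report's `PkgPath` is the jar the scanner found the package inside (so a path naming another artifact's jar means a bundled copy that a pin in the consuming pom cannot replace), and `PINNED` stands in for hypothetical dependencyManagement versions; the version ordering is a simplified Maven-style comparison that also handles the multi-line `FixedVersion` format.

```python
"""Triage scanner findings against the versions a consuming pom pins.
Added example (not jprotoc's or the issue author's code): FINDINGS mirror the
quoted report, PINNED stands in for hypothetical dependencyManagement entries."""
import re

FINDINGS = [  # constructed, same fields as the quoted report
    {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
     "PkgPath": "opt/caas/app/jprotoc-1.2.2.jar",
     "InstalledVersion": "31.1-jre", "FixedVersion": "32.0.0-android"},
    {"VulnerabilityID": "CVE-2021-22569",
     "PkgName": "com.google.protobuf:protobuf-java",
     "PkgPath": "opt/caas/app/vertx-grpc-protoc-plugin-4.5.10.jar",
     "InstalledVersion": "3.15.8", "FixedVersion": "3.16.1, 3.18.2, 3.19.2"},
]
PINNED = {"com.google.guava:guava": "32.0.0-jre",  # hypothetical pins
          "com.google.protobuf:protobuf-java": "3.17.0"}

def _key(version):
    """Maven-like ordering: numbers as ints, qualifiers as text, number above
    qualifier, so '32.0.0-jre' > '32.0.0-android' and '31.1-jre' < '32.0.0'."""
    return [(1, int(p)) if p.isdigit() else (0, p)
            for p in re.split(r"[.\-]", version)]

def is_covered(pinned, fixed_versions):
    """Pin must reach the fix for its own major.minor line; if that line has no
    listed fix it must reach the newest one (3.17.0 is not covered by
    '3.16.1, 3.18.2, 3.19.2', since only the other lines were patched)."""
    fixes = [f.strip() for f in fixed_versions.split(",")]
    same_line = [f for f in fixes if _key(f)[:2] == _key(pinned)[:2]]
    target = same_line[0] if same_line else max(fixes, key=_key)
    return _key(pinned) >= _key(target)

def bundled_in_other_jar(finding):
    """PkgPath naming a different artifact's jar means the copy is packaged
    inside it (assumption: PkgPath is the containing jar); a pin in the
    consuming pom cannot replace a copy bundled upstream."""
    artifact = finding["PkgName"].split(":")[1]
    return not finding["PkgPath"].rsplit("/", 1)[-1].startswith(artifact + "-")

def triage(findings, pinned):
    """Map each CVE to the action available to the consuming project."""
    verdicts = {}
    for f in findings:
        pin = pinned.get(f["PkgName"])
        if bundled_in_other_jar(f):
            verdicts[f["VulnerabilityID"]] = "bundled upstream; pin cannot reach it"
        elif pin and is_covered(pin, f["FixedVersion"]):
            verdicts[f["VulnerabilityID"]] = "covered by pin " + pin
        else:
            verdicts[f["VulnerabilityID"]] = "pin missing or below fix"
    return verdicts
```

Both findings from the report come out as bundled copies, which matches the observation that exclusions and dependencyManagement in the consuming pom leave them untouched.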
@xchen8421
Author

I guess it's because we have to run the plugin that brings in vertx-grpc-protoc-plugin together with jprotoc, which can't be overridden by dependency management rules.

```xml
<plugin>
  <groupId>org.xolstice.maven.plugins</groupId>
  <artifactId>protobuf-maven-plugin</artifactId>
  <version>0.6.1</version>
  <configuration>
    <protocArtifact>com.google.protobuf:protoc:${protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
    <pluginId>grpc-java</pluginId>
    <pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
    <protocPlugins>
      <protocPlugin>
        <id>vertx-grpc-protoc-plugin</id>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-grpc-protoc-plugin</artifactId>
        <version>${vertx.version}</version>
        <mainClass>io.vertx.grpc.protoc.plugin.VertxGrpcGenerator</mainClass>
      </protocPlugin>
    </protocPlugins>
  </configuration>
  <executions>
    <execution>
      <id>compile</id>
      <goals>
        <goal>compile</goal>
        <goal>compile-custom</goal>
      </goals>
      <configuration>
        <!-- Include this line if we switch to checking the generated grpc code into git.
        <outputDirectory>${project.basedir}/src/main/java</outputDirectory>
        -->
        <protoSourceRoot>${project.basedir}/src/main/proto/</protoSourceRoot>
        <clearOutputDirectory>false</clearOutputDirectory>
      </configuration>
    </execution>
  </executions>
</plugin>
```
