
[GHSA-7g45-4rm6-3mm3] Guava vulnerable to insecure use of temporary directory #5041

virangdoshi
Updates

  • Affected products

Comments
Added a variation of the package to the affected product

@github-actions github-actions bot changed the base branch from main to virangdoshi/advisory-improvement-5041 November 27, 2024 07:21
@shelbyc
Contributor

shelbyc commented Nov 27, 2024

👋 Hi @virangdoshi, thank you for your contribution, but I can't accept the suggested change because it wouldn't work with the current vulnerable version range (VVR) logic. The VVR must use the -android suffix as the patched version because using -jre will lead to -android being incorrectly marked as vulnerable. This happens because -jre occurs later in the alphabet than -android, so -android is interpreted as an earlier version of the same package, not a variant of the same package.

Documentation that describes this vulnerable version range behavior is available at https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories#common-errors.

GHSA-7g45-4rm6-3mm is used as an example of this behavior at https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories#advisory-with-branch-names-in-version-numbers.

Thank you for your interest in GHSA-7g45-4rm6-3mm and have a good week.
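The ordering problem described in the comment above, shown with an added example that is not part of this pull request or of GitHub's own VVR implementation: a simplified semver-style comparator (an assumption about the behaviour, not GitHub's code) in which the numeric core is compared first and a suffix is then compared alphabetically. The version numbers are constructed placeholders, not the advisory's real patched versions.

```python
from typing import Dict, Iterable, Optional, Tuple


def parse(version: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split 'MAJOR.MINOR.PATCH[-suffix]' into a numeric core and an optional suffix."""
    core, _, suffix = version.partition("-")
    return tuple(int(part) for part in core.split(".")), (suffix or None)


def version_key(version: str):
    """Sort key mimicking a simplified semver order (assumption, not GitHub's logic).

    A version without a suffix sorts after one with a suffix; suffixes are
    compared as plain strings, so "android" < "jre" purely by the alphabet.
    """
    core, suffix = parse(version)
    return (core, suffix is None, suffix or "")


def is_vulnerable(version: str, patched: str) -> bool:
    """Range '< patched': anything that sorts before the patched version is flagged."""
    return version_key(version) < version_key(patched)


def classify(versions: Iterable[str], patched: str) -> Dict[str, bool]:
    """Map each version to whether the range '< patched' would flag it as vulnerable."""
    return {v: is_vulnerable(v, patched) for v in versions}


def safest_patched_boundary(patched_variants: Iterable[str]) -> str:
    """Pick the variant that sorts first, so '< boundary' flags none of the fixed variants."""
    return min(patched_variants, key=version_key)


# Constructed sample versions (placeholders, not the advisory's real numbers).
SAMPLE = ["0.9.0-android", "0.9.0-jre", "1.0.0-android", "1.0.0-jre"]

if __name__ == "__main__":
    # Using the -jre variant as the boundary wrongly flags 1.0.0-android.
    print(classify(SAMPLE, "1.0.0-jre"))
    # Using the -android variant as the boundary flags only the 0.9.0 versions.
    print(classify(SAMPLE, "1.0.0-android"))
    print(safest_patched_boundary(["1.0.0-jre", "1.0.0-android"]))
```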

@shelbyc shelbyc closed this Nov 27, 2024
@github-actions github-actions bot deleted the virangdoshi-GHSA-7g45-4rm6-3mm3 branch November 27, 2024 15:18