dpsutton authored
CVE info:

Package: com.google.oauth-client:google-oauth-client
Installed Version: 1.31.5
Vulnerability CVE-2021-22573
Severity: HIGH
Fixed Version: 1.33.3

```
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
. com.google.oauth-client/google-oauth-client 1.31.5
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
. com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
. com.google.api-client/google-api-client 1.32.1
. com.google.oauth-client/google-oauth-client 1.31.5
```

I looked into bumping com.google.apis/google-api-services-analytics-v3-rev20190807-1.32.1 but as far as I can tell from https://search.maven.org/artifact/com.google.apis/google-api-services-analytics this is the most recent version so we have to just target the transitive dep.

For bigquery, it seems we are pretty far behind. 1.135.4 was released in July 2021, the current version is 2.13.1 released in June. https://mvnrepository.com/artifact/com.google.cloud/google-cloud-bigquery

I'm hesitant to bump this for a CVE but we need to prioritize this upgrade.

After this PR:

```
clj -Stree -A:drivers
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
. com.google.oauth-client/google-oauth-client 1.33.3
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
. com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
. com.google.api-client/google-api-client 1.32.1
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
```

With the `X` meaning not included and 1.33.3 being top level included so using that version.
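The check the commit message performs by eye, as an added example (not part of the commit or of Metabase's code): it parses `clj -Stree` output in the form quoted above and reports any included (`.`) copy of the library that is older than the fixed version. The function names are hypothetical, and the two sample trees are the entries quoted in the message.

```python
import re

# Tree lines look like "<indent><marker> <lib> <version> [:reason]".
# "." = included on the classpath, "X" = not included (per the commit message).
LINE = re.compile(r"^\s*([.X])\s+(\S+)\s+(\S+)(?:\s+(:\S+))?\s*$")

def parse_tree(text):
    """Yield (included, lib, version, reason) for each dependency line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:  # the command line and ". [truncated]" do not match and are skipped
            marker, lib, version, reason = m.groups()
            yield marker == ".", lib, version, reason

def version_key(version):
    """Numeric sort key for plain dotted versions such as 1.31.5."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def included_versions(text, lib):
    """Every version of lib that the tree marks as included."""
    return sorted({v for inc, l, v, _ in parse_tree(text) if inc and l == lib})

def vulnerable_on_classpath(text, lib, fixed):
    """Included versions of lib that are older than the fixed release."""
    return [v for v in included_versions(text, lib)
            if version_key(v) < version_key(fixed)]

LIB, FIXED = "com.google.oauth-client/google-oauth-client", "1.33.3"

# Sample input: dependency lines as quoted in the commit message.
BEFORE = """\
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
. com.google.oauth-client/google-oauth-client 1.31.5
. com.google.api-client/google-api-client 1.32.1
. com.google.oauth-client/google-oauth-client 1.31.5
"""
AFTER = """\
clj -Stree -A:drivers
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
. com.google.oauth-client/google-oauth-client 1.33.3
. com.google.api-client/google-api-client 1.32.1
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
"""

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        print(name, vulnerable_on_classpath(tree, LIB, FIXED) or "clean")
```

Run against live `clj -Stree -A:drivers` output in CI, a non-empty result from `vulnerable_on_classpath` is the signal that a later dependency bump has pulled the old version back in.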