Bump transitive com.google.code.gson/gson (#23069)
An alert from trivy:

```
Package: com.google.code.gson:gson
Installed Version: 2.8.7
Vulnerability: CVE-2022-25647
Severity: HIGH
Fixed Version: 2.8.9
Link: CVE-2022-25647 Trivy
```

Running `clj -Sdeps` will not show this dep because it is in two drivers. Instead, running

```
clj -A:ee:drivers
```

will find it:

```
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
  . com.google.cloud/google-cloud-bigquery 1.135.4
    . com.google.code.gson/gson 2.8.7
```

and

```
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
  . com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
    . com.google.api-client/google-api-client 1.32.1
      . com.google.http-client/google-http-client-gson 1.39.2
        X com.google.code.gson/gson 2.8.6 :older-version
```

This shows: google analytics depends on 2.8.6, but it is not actually used, and bigquery-cloud-sdk depends on 2.8.7, which is the version that we are ending up with. (The `X` means excluded from the jar, with the reason being `:older-version`.)

More info: https://clojure.org/reference/dep_expansion#_tree_printing

```
Trees are built from the trace log and include all considered nodes.
Included nodes are prefixed with .. Excluded nodes are prefixed with X.
The end of the line will contain the reason code (some codes are suppressed).
The current set of reason codes (subject to change) are:

:new-top-dep    - included as top dep (suppressed)
:new-dep        - included as new dep (suppressed)
:same-version   - excluded, same as currently selected dep (suppressed)
:newer-version  - included, newer version than previously selected
:use-top        - excluded, same as top lib but not at top
:older-version  - excluded, older version than previously selected
:excluded       - excluded, node in parent path excluded this lib
:parent-omitted - excluded, parent node deselected
:superseded     - excluded, this version was deselected
```

THE FIX: Just put a top level dependency on the version we care about. No need to exclude the version. Technically we only need it in one project, as our build would always use the specified version. But in case anyone builds with just one or the other, it is included in both for completeness, with a comment indicating the other location.

```clojure
com.google.code.gson/gson {:mvn/version "2.8.9"}
```

PROOF OF FIX: `clj -A:ee:drivers` and look for gson:

```
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
  . com.google.cloud/google-cloud-bigquery 1.135.4
    X com.google.code.gson/gson 2.8.7 :older-version
```

```
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
  . com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
    . com.google.api-client/google-api-client 1.32.1
      . com.google.http-client/google-http-client-gson 1.39.2
        X com.google.code.gson/gson 2.8.6 :older-version
  . com.google.code.gson/gson 2.8.9
```

- 2.8.7 in bigquery-cloud-sdk now has an `X` and `:older-version`
- 2.8.6 in google analytics still has `X` and `:older-version`
- metabase/googleanalytics now has a top level (and included, `.`) gson on 2.8.9
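As an added example (not part of this PR or of the Metabase code base), a small Python check that parses the tree-printing format quoted above, reports which version of a library is actually included (`.`) versus excluded (`X` plus reason code), and compares the included version against the version Trivy reports as fixed. The tree text embedded in it is constructed from the before/after output shown above.

```python
"""Check a `clj` dependency tree for the effective (included) version of a library."""
import re

# One tree node: optional indent, "." (included) or "X" (excluded), lib, version, optional :reason.
LINE_RE = re.compile(r"^\s*([.X])\s+(\S+)\s+(\S+)(?:\s+(:\S+))?\s*$")

GSON = "com.google.code.gson/gson"

# Constructed sample: the tree before the fix, copied from the output above.
BEFORE = """
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
  . com.google.cloud/google-cloud-bigquery 1.135.4
    . com.google.code.gson/gson 2.8.7
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
  . com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
    . com.google.api-client/google-api-client 1.32.1
      . com.google.http-client/google-http-client-gson 1.39.2
        X com.google.code.gson/gson 2.8.6 :older-version
"""

# Constructed sample: the tree after adding the top-level gson 2.8.9 dependency.
AFTER = """
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
  . com.google.cloud/google-cloud-bigquery 1.135.4
    X com.google.code.gson/gson 2.8.7 :older-version
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
  . com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
    . com.google.api-client/google-api-client 1.32.1
      . com.google.http-client/google-http-client-gson 1.39.2
        X com.google.code.gson/gson 2.8.6 :older-version
  . com.google.code.gson/gson 2.8.9
"""


def parse_tree(text):
    """Return (included, lib, version, reason) for every node line; other lines are skipped."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            marker, lib, version, reason = m.groups()
            nodes.append((marker == ".", lib, version, reason))
    return nodes


def version_key(v):
    """Sort key for dotted numeric versions such as '2.8.7'; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def included_versions(text, lib):
    """Versions of `lib` that really end up on the classpath, lowest first."""
    return sorted({v for inc, l, v, _ in parse_tree(text) if inc and l == lib}, key=version_key)


def exclusions(text, lib):
    """(version, reason) for every excluded occurrence of `lib`, in tree order."""
    return [(v, r) for inc, l, v, r in parse_tree(text) if not inc and l == lib]


def is_fixed(text, lib, fixed_version):
    """True when `lib` is included and its lowest included version is at or above `fixed_version`."""
    included = included_versions(text, lib)
    return bool(included) and version_key(included[0]) >= version_key(fixed_version)
```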