Bump google oauth version (#23165)
CVE info:
Package: com.google.oauth-client:google-oauth-client
Installed Version: 1.31.5
Vulnerability CVE-2021-22573
Severity: HIGH
Fixed Version: 1.33.3
```
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
. com.google.oauth-client/google-oauth-client 1.31.5
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
. com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
. com.google.api-client/google-api-client 1.32.1
. com.google.oauth-client/google-oauth-client 1.31.5
```
I looked into bumping
com.google.apis/google-api-services-analytics-v3-rev20190807-1.32.1
but as far as I can tell from
https://search.maven.org/artifact/com.google.apis/google-api-services-analytics
this is the most recent version so we have to just target the transitive
dep.
For bigquery, it seems we are pretty far behind. 1.135.4 was released in
July 2021, the current version is 2.13.1 released in
June. https://mvnrepository.com/artifact/com.google.cloud/google-cloud-bigquery
I'm hesitant to bump this for a CVE but we need to prioritize this
upgrade.
After this PR:
```
clj -Stree -A:drivers
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
. com.google.oauth-client/google-oauth-client 1.33.3
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
. com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
. com.google.api-client/google-api-client 1.32.1
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
```
With the `X` meaning not included and 1.33.3 being top level included so
using that version.
Please register or sign in to comment