
Re: [DISCUSS] Dropping old Guava support

Frankly, I think we're being poor citizens by encouraging this kind of (poor) dependency hygiene with Guava by defaulting to known vulnerable versions in our POMs.

As a library, we should be ensuring that folks can use Avatica/Calcite in their applications. This is not only from a compatibility POV (e.g. can you use Calcite with your Guava version of choice), but also from a confidence in security as not everyone will invest the time to look into the details behind a CVE.

Specifically, with our declaration of the old version of Guava in the POM, an unsuspecting user may just use that version instead of swapping in a newer one. As a library, we don't know how the user may be using Calcite -- they may be doing things with Java or GWT serialization.

All that said, I agree that this specific CVE is not a high-risk scenario for the project. However, that must be tempered with security organizations who treat these issues as black and white. Many security organizations in regulated industries don't "care" about the scope of a CVE; they simply cannot use a version of software that includes "vulnerable" code.

What if we switch things around: instead of depending on the older one in the POMs, we switch to the newer one and do release testing around the older ones that folks have an interest in supporting? If a certain module needs a specific version of Guava (e.g. Cassandra tests), then we can mark that version at test-time for that specific module.

- Josh

On 10/12/18 4:01 PM, Julian Hyde wrote:
The CVE doesn’t seem that serious, since we don’t use either Java or GWT serialization.

I hope and believe that people can use any recent version of Guava with Avatica and Calcite, including 24.1.1. If not we should fix it urgently.

I’m not sure we need to disable it working with older versions.


On Oct 12, 2018, at 12:41 PM, Josh Elser <elserj@xxxxxxxxxx> wrote:


Guava [11,24.1.1) is marked as being vulnerable via https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Avatica currently depends on Guava 14.x and Calcite on 19.0. I'd like to start a discussion about how we ensure "safe" hygiene in our dependencies while still ensuring compatibility downstream.

I can see a couple of paths forward which are all related to relocating+bundling Guava in a non-standard location.

1. If we have Guava classes in the "user-facing API" for the projects, we should create a new module which relocates our version of Guava in a standard place for downstream projects to know about. This is required for developers to sanely use their IDEs (e.g. if we shade guava-$x, users cannot depend on guava-$x in their IDE as those classes don't actually exist). This is the "Maven way" to work around this problem.
2. If we only use Guava "internally", we can just shade Guava like normal.

I think we would require #1, but I haven't done any scan over the codebase recently. Given #1, we also should think about:

1a. Only Avatica has this special artifact for guava (or really, thirdparty dependencies)?
1b. Avatica and Calcite each have the special artifact for themselves.

If we can get away with 1a, great. Otherwise, 1b gives us lots of flexibility. I think this positions us in a place where we don't force downstream projects to move to a specific version of Guava (if they have analyzed their usage to know they are not vulnerable to some security issue).

- Josh
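
The affected range quoted in this thread, Guava [11,24.1.1), turned into a check over a POM; this is an added example, not part of the original messages and not Avatica or Calcite code. The function names and the sample POM are constructed for illustration, and the version comparison assumes that only the numeric prefix matters (qualifiers such as `-jre` are ignored).

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOW, HIGH = (11,), (24, 1, 1)  # affected range quoted in the thread: [11, 24.1.1)

def parse_version(text):
    """Numeric prefix only: '24.1.1-jre' -> (24, 1, 1), '19.0' -> (19,)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 19.0 and 19 as equal
        parts.pop()
    return tuple(parts)

def in_affected_range(version):
    """True when LOW <= version < HIGH (half-open: 24.1.1 itself is outside)."""
    return LOW <= parse_version(version) < HIGH

def guava_findings(pom_xml):
    """Return [(declared_version, affected_or_None)] for each Guava declaration."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        if (gid, aid) != ("com.google.guava", "guava"):
            continue
        raw = dep.findtext("m:version", "", NS).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", raw)  # e.g. ${guava.version}
        version = props.get(ref.group(1), raw) if ref else raw
        try:
            findings.append((version, in_affected_range(version)))
        except ValueError:  # version absent or inherited from a parent POM
            findings.append((version, None))
    return findings

# Constructed sample POM (not a project file); 19.0 is the version the thread cites.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><guava.version>19.0</guava.version></properties>
  <dependencies><dependency>
      <groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>${guava.version}</version>
  </dependency></dependencies>
</project>"""
```

A result of `None` means the version could not be resolved from this file alone (for example, it is managed by a parent POM) and needs a look at the effective POM.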