Using Older Version of Guava that is Vulnerable to CVE-2018-10237  #22

@Ghoublai-Khan

We've been using this plugin for a while along with the latest version of spotbugs and really appreciate the issues that it points out. I noticed that the project is using a version of guava that is vulnerable to CVE-2018-10237.

I noticed that this project has been kept on Java 7 to match the pulled-in version of findbugs. It looks like there is not a version of guava that is built on Java 7 with this issue resolved, since 24.1.1 is the last version of guava that is vulnerable to this issue and that is after the split to guava-jre and guava-android. What about using one of the guava-android dependencies, since those are still on Java 7, to resolve the issue? Or the findbugs library could be updated, since the latest is now using Java 8, and then take the latest version of guava-jre. I'd be happy to contribute a pull request if there is interest.

Thanks again!

https://nvd.nist.gov/vuln/detail/CVE-2018-10237
