
Fix CVEs in google-cloud via dependency updates and tree tracing #1616

Status: Closed
sidhdirenge wants to merge 1 commit into develop from jetski/fix-cve-jul1-google-cloud

Conversation

@sidhdirenge (Contributor):

Traced dependency tree and updated snappy-java (1.1.10.5), avro (1.11.4), jackson-databind (2.14.0), protobuf-java (3.25.5), and guava (31.1-jre).

sidhdirenge added the label "build" (Trigger unit test build) on Jul 1, 2026

@gemini-code-assist (Bot) left a comment:

Code Review

This pull request updates several dependency versions in the pom.xml file, including Apache Avro, Guava, Protocol Buffers, Jackson Databind, and Snappy Java. The reviewer recommends avoiding hardcoded version numbers within the dependency declarations. Instead, the project should continue using Maven properties (such as ${avro.version}, ${guava.version}, ${google.protobuf.java.version}, and ${jackson.core.version}) and update their definitions in the <properties> section to ensure POM consistency and maintainability.

Comment thread: pom.xml (outdated)
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>${avro.version}</version>
<version>1.11.4</version>
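Review bot: the literal `1.11.4` on the avro dependency is a no-op for the resolved artifact, since `${avro.version}` already evaluates to 1.11.4 according to the comment below; the only effect is that the version is no longer managed in one place. Keep `<version>${avro.version}</version>`, and if the intent was to confirm the fix actually reaches the build, check the resolved version with `mvn dependency:tree -Dincludes=org.apache.avro:avro` instead of editing the declaration.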


medium

Instead of hardcoding the version 1.11.4 directly in the dependency, you should continue using the property ${avro.version}. The property avro.version is already defined as 1.11.4 in the <properties> section of this POM. Hardcoding it here bypasses the property and reduces maintainability.

Suggested change
<version>1.11.4</version>
<version>${avro.version}</version>

Comment thread: pom.xml (outdated)
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
<version>31.1-jre</version>
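Review bot: writing `31.1-jre` here while `${guava.version}` keeps its previous value splits the declared version: this dependency resolves to 31.1-jre, but anything else that still references the property (another module, a dependencyManagement entry, a plugin dependency) would keep resolving to the old value, so the CVE fix may not reach the artifact the scanner flagged. Update `<guava.version>` in `<properties>` and keep `<version>${guava.version}</version>` in the dependency.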


medium

Instead of hardcoding the version 31.1-jre directly in the dependency, you should continue using the property ${guava.version} and update the <guava.version> property in the <properties> section (line 79) to 31.1-jre. This keeps the POM consistent and avoids leaving unused or outdated properties.

Suggested change
<version>31.1-jre</version>
<version>${guava.version}</version>

Comment thread: pom.xml (outdated)
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>${google.protobuf.java.version}</version>
<version>3.25.5</version>
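Review bot: a literal `3.25.5` on this direct protobuf-java declaration does not by itself pin the transitive copies that other google-cloud artifacts bring in; Maven's nearest-wins mediation uses the version declared here only for this declaration's position in the tree, so older protobuf-java copies can still be selected elsewhere. Bump `<google.protobuf.java.version>` to 3.25.5, keep `${google.protobuf.java.version}` here, and if transitive copies exist, pin the artifact in `<dependencyManagement>` and verify with `mvn dependency:tree -Dverbose -Dincludes=com.google.protobuf:protobuf-java`.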


medium

Instead of hardcoding the version 3.25.5 directly in the dependency, you should continue using the property ${google.protobuf.java.version} and update the <google.protobuf.java.version> property in the <properties> section (line 77) to 3.25.5. This keeps the POM consistent and avoids leaving unused or outdated properties.

Suggested change
<version>3.25.5</version>
<version>${google.protobuf.java.version}</version>

Comment thread: pom.xml (outdated)
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.core.version}</version>
<version>2.14.0</version>
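Review bot: jackson-databind is versioned here through `${jackson.core.version}`, presumably the same property that versions jackson-core; pinning databind alone to a literal `2.14.0` while the property stays at another value yields a jackson-core/jackson-databind minor-version mismatch, which Jackson does not support and which can fail at runtime with linkage errors. Set `<jackson.core.version>` to 2.14.0 so both artifacts move together, and keep `<version>${jackson.core.version}</version>` in this declaration.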


medium

Instead of hardcoding the version 2.14.0 directly in the dependency, you should continue using the property ${jackson.core.version} and update the <jackson.core.version> property in the <properties> section (line 84) to 2.14.0. This keeps the POM consistent and avoids leaving unused or outdated properties.

Suggested change
<version>2.14.0</version>
<version>${jackson.core.version}</version>

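The four review comments above all flag the same pattern: a literal version written into a `<dependency>` while the `*.version` property that is supposed to manage it still exists. As an added example (not code from this PR or the project), the Python script below audits a POM for exactly that: literal versions that bypass `<properties>`, property references that do not resolve, version properties no dependency uses any more, and "drift", where artifacts in the same groupId end up on different versions because one is a literal and a sibling still goes through the property. The POM embedded in it is constructed to mirror the pattern in this review; its property values (for example `guava.version=30.1-jre` and `jackson.core.version=2.13.4`) and the `${snappy.version}` reference are illustrative assumptions, not values from this repository.

```python
"""Audit a Maven POM for dependency versions that bypass <properties>.

Added example, not part of the PR or the project. SAMPLE_POM is a
constructed POM that mirrors the review comments: the property values,
the unresolved ${snappy.version} reference and the artifact set are
illustrative assumptions, not this repository's pom.xml.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PROP_REF = re.compile(r"^\$\{([^}]+)\}$")  # a version that is exactly ${name}

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <avro.version>1.11.4</avro.version>
    <guava.version>30.1-jre</guava.version>
    <jackson.core.version>2.13.4</jackson.core.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.apache.avro</groupId><artifactId>avro</artifactId>
      <version>1.11.4</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>31.1-jre</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-core</artifactId>
      <version>${jackson.core.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>2.14.0</version></dependency>
    <dependency><groupId>org.xerial.snappy</groupId><artifactId>snappy-java</artifactId>
      <version>${snappy.version}</version></dependency>
  </dependencies>
</project>
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # hardcoded | unresolved | drift | unused-property
    coordinate: str  # groupId:artifactId, or the property name
    detail: str


def _local(tag: str) -> str:
    """Strip the POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> str:
    """Text of the direct child element called `name`, or ""."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_pom(pom_xml: str):
    """Return (findings, resolved) for the declared dependency versions.

    `resolved` maps groupId:artifactId to the version string the POM text
    declares after property substitution. It does not model parent POMs,
    BOM imports or transitive mediation; use `mvn help:effective-pom` and
    `mvn dependency:tree` for the build's real view.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for p in elem:
                props[_local(p.tag)] = (p.text or "").strip()
    project_version = _text(root, "version")

    findings, resolved, referenced, by_group = [], {}, set(), {}
    for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):
        gid, aid, ver = _text(dep, "groupId"), _text(dep, "artifactId"), _text(dep, "version")
        coord = f"{gid}:{aid}"
        if not ver:
            continue  # version managed by a parent or BOM; out of scope here
        match = PROP_REF.match(ver)
        if match:
            name = match.group(1)
            referenced.add(name)
            value = project_version if name == "project.version" else props.get(name)
            if value is None:
                findings.append(Finding("unresolved", coord, f"${{{name}}} is not defined in <properties>"))
                continue
            resolved[coord] = value
            by_group.setdefault(gid, []).append((aid, name, value))
        else:
            resolved[coord] = ver
            findings.append(Finding("hardcoded", coord, f"literal version {ver} bypasses <properties>"))
            by_group.setdefault(gid, []).append((aid, None, ver))

    # Drift: within one groupId, a literal version next to a property-managed
    # sibling that resolves to something else (the jackson-core/databind case).
    for gid, entries in by_group.items():
        for aid, name, value in entries:
            if name is not None:
                continue
            for other_aid, other_name, other_value in entries:
                if other_name is not None and other_value != value:
                    findings.append(Finding("drift", f"{gid}:{aid}",
                                            f"literal {value} but sibling {other_aid} resolves ${{{other_name}}}={other_value}"))

    # Version properties no dependency references any more. Only dependency
    # references are checked, so a property used by a plugin shows up here too.
    for name, value in props.items():
        if name.endswith(".version") and name not in referenced:
            findings.append(Finding("unused-property", name, f"{name}={value} is not referenced by any dependency"))
    return findings, resolved


if __name__ == "__main__":
    for f in audit_pom(SAMPLE_POM)[0]:
        print(f"{f.kind:16} {f.coordinate}: {f.detail}")
```

Run it against a real file with `audit_pom(open("pom.xml").read())`. A clean result only means the declared versions are consistent; whether the fixed version is what actually ends up on the classpath still has to be confirmed against the effective tree (`mvn dependency:tree`), since transitive copies pulled in by other artifacts are mediated separately from what this file declares.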
sidhdirenge force-pushed the jetski/fix-cve-jul1-google-cloud branch 3 times, most recently from d49766a to 28f1b6b on July 1, 2026 06:38
sidhdirenge force-pushed the jetski/fix-cve-jul1-google-cloud branch from 28f1b6b to 0e39048 on July 1, 2026 06:42
sidhdirenge closed this on Jul 1, 2026