Lift reports OSS vulnerabilities from Paparazzi transitive deps
https://lift.sonatype.com/results/github.com/TWiStErRob/net.twisterrob.sun/01FTFZF4H491509KXTNG4MT4Q7 (Note: for me the UI is broken, I have to click “Show Details” and then “Components”; viewing Components outside doesn’t expand.)
Search for HERE in the block below.
+--- app.cash.paparazzi:paparazzi:0.9.0
|    +--- app.cash.paparazzi:layoutlib-native-jdk11:2020.3.1-852189b
|    +--- com.android.tools:common:27.1.2 -> 27.2.2
|    |    +--- com.android.tools:annotations:27.2.2
|    |    \--- com.google.guava:guava:28.1-jre -> 31.0.1-jre
|    |         +--- com.google.guava:failureaccess:1.0.1
|    |         +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|    |         +--- com.google.code.findbugs:jsr305:3.0.2
|    |         +--- org.checkerframework:checker-qual:3.12.0
|    |         +--- com.google.errorprone:error_prone_annotations:2.7.1
|    |         \--- com.google.j2objc:j2objc-annotations:1.3
|    +--- com.android.tools.layoutlib:layoutlib-api:27.2.2
|    |    +--- com.android.tools:common:27.2.2 (*)
|    |    +--- net.sf.kxml:kxml2:2.3.0
|    |    +--- com.android.tools:annotations:27.2.2
|    |    \--- org.jetbrains:annotations:13.0
|    +--- com.android.tools:sdk-common:26.6.4
|    |    +--- com.android.tools:sdklib:26.6.4
|    |    |    +--- com.android.tools.layoutlib:layoutlib-api:26.6.4 -> 27.2.2 (*)
|    |    |    +--- com.android.tools:dvlib:26.6.4
|    |    |    |    \--- com.android.tools:common:26.6.4 -> 27.2.2 (*)
|    |    |    +--- com.android.tools:repository:26.6.4
|    |    |    |    +--- com.android.tools:common:26.6.4 -> 27.2.2 (*)
|    |    |    |    +--- com.sun.activation:javax.activation:1.2.0
|    |    |    |    +--- org.apache.commons:commons-compress:1.12 <------ HERE
|    |    |    |    +--- org.glassfish.jaxb:jaxb-runtime:2.3.1
|    |    |    |    |    +--- javax.xml.bind:jaxb-api:2.3.1
|    |    |    |    |    |    \--- javax.activation:javax.activation-api:1.2.0
|    |    |    |    |    +--- org.glassfish.jaxb:txw2:2.3.1
|    |    |    |    |    +--- com.sun.istack:istack-commons-runtime:3.0.7
|    |    |    |    |    +--- org.jvnet.staxex:stax-ex:1.8
|    |    |    |    |    +--- com.sun.xml.fastinfoset:FastInfoset:1.2.15
|    |    |    |    |    \--- javax.activation:javax.activation-api:1.2.0
|    |    |    |    +--- com.google.jimfs:jimfs:1.1
|    |    |    |    |    \--- com.google.guava:guava:18.0 -> 31.0.1-jre (*)
|    |    |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.71 -> 1.5.31
|    |    |    |         +--- org.jetbrains.kotlin:kotlin-stdlib:1.5.31
|    |    |    |         |    +--- org.jetbrains:annotations:13.0
|    |    |    |         |    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.5.31
|    |    |    |         \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.5.31
|    |    |    |              \--- org.jetbrains.kotlin:kotlin-stdlib:1.5.31 (*)
|    |    |    +--- com.google.code.gson:gson:2.8.5
|    |    |    +--- org.apache.commons:commons-compress:1.12 <------ HERE
|    |    |    +--- org.apache.httpcomponents:httpmime:4.5.6
|    |    |    |    \--- org.apache.httpcomponents:httpclient:4.5.6 <------ HERE
|    |    |    |         +--- org.apache.httpcomponents:httpcore:4.4.10
|    |    |    |         +--- commons-logging:commons-logging:1.2
|    |    |    |         \--- commons-codec:commons-codec:1.10
|    |    |    \--- org.apache.httpcomponents:httpcore:4.4.10
|    |    +--- com.android.tools.build:builder-test-api:3.6.4
|    |    |    \--- com.android.tools.ddms:ddmlib:26.6.4
|    |    |         +--- com.android.tools:common:26.6.4 -> 27.2.2 (*)
|    |    |         \--- net.sf.kxml:kxml2:2.3.0
|    |    +--- com.android.tools.build:builder-model:3.6.4
|    |    |    \--- com.android.tools:annotations:26.6.4 -> 27.2.2
|    |    +--- com.android.tools.ddms:ddmlib:26.6.4 (*)
|    |    +--- com.android.tools.analytics-library:shared:26.6.4
|    |    |    +--- com.android.tools.analytics-library:protos:26.6.4
|    |    |    |    \--- com.google.protobuf:protobuf-java:3.4.0
|    |    |    +--- com.android.tools:annotations:26.6.4 -> 27.2.2
|    |    |    +--- com.android.tools:common:26.6.4 -> 27.2.2 (*)
|    |    |    +--- com.google.guava:guava:27.1-jre -> 31.0.1-jre (*)
|    |    |    +--- com.google.code.gson:gson:2.8.5
|    |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.71 -> 1.5.31 (*)
|    |    +--- org.bouncycastle:bcpkix-jdk15on:1.56
|    |    |    \--- org.bouncycastle:bcprov-jdk15on:1.56 <------ HERE
|    |    +--- org.bouncycastle:bcprov-jdk15on:1.56 <------ HERE
|    |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.71 -> 1.5.31 (*)
|    |    +--- org.jetbrains.kotlin:kotlin-reflect:1.3.71 -> 1.5.31
|    |    |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.5.31 (*)
|    |    +--- com.google.protobuf:protobuf-java:3.4.0
|    |    +--- javax.inject:javax.inject:1
|    |    +--- org.jetbrains.trove4j:trove4j:20160824
|    |    \--- com.android.tools.build:aapt2-proto:0.4.0
|    |         \--- com.google.protobuf:protobuf-java:3.4.0
|    +--- kxml2:kxml2:2.3.0
|    |    \--- net.sf.kxml:kxml2:2.3.0
|    +--- junit:junit:4.13.2
|    |    \--- org.hamcrest:hamcrest-core:1.3
|    +--- androidx.annotation:annotation:1.3.0
|    +--- com.google.guava:guava:31.0.1-jre (*)
|    +--- org.jetbrains.kotlinx:kotlinx-coroutines-core:1.5.2
|    |    \--- org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:1.5.2
|    |         +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.30 -> 1.5.31 (*)
|    |         \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.5.30 -> 1.5.31
|    +--- com.squareup.okio:okio:3.0.0
|    |    \--- com.squareup.okio:okio-jvm:3.0.0
|    |         +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.31 (*)
|    |         \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.5.31
|    +--- org.jetbrains.kotlin:kotlin-bom:1.5.31
|    |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.31 (c)
|    |    +--- org.jetbrains.kotlin:kotlin-reflect:1.5.31 (c)
|    |    +--- org.jetbrains.kotlin:kotlin-stdlib:1.5.31 (c)
|    |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.5.31 (c)
|    |    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.5.31 (c)
|    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.31 (*)
Issue analytics: created 2 years ago; 10 comments (8 by maintainers).
Top GitHub Comments
@anhanh11001 I wouldn’t be too worried about this in relation to Paparazzi, because if you use AGP, com.android.tools.build:gradle also depends on sdk-common and has the same vulnerabilities, and you’ll be running both the build and tests on the same machine/JVM setup.

Sorry, @fcduarte I forgot to file it yet, do you have an idea which component?

Nice, I didn’t know about that, and also forgot the fact that mere humans can’t select specific components in Google Issuetracker. Anyway, opened https://issuetracker.google.com/issues/262333727.