These are chat archives for
Sign in to start talking
Naveen Kumar Parachur Cotha
Dec 17 2018 19:16
I am using kite-data-core-1.1.0.jar in my project, which brings in shaded version of
which has CVE-2018-10237, is there any workaround for this?
Dec 17 2018 22:24
not an easy one. You'd have to re-build the Kite SDK from source using an updated version of Guava.
That being said, I doubt that CVE is a major concern to Kite in practice. Nothing inside of Kite uses the affected classes (AtomicDoubleArray and CompoundOrdering).
The only risk would be if your application used those shaded classes. The intention behind shading Guava was that none of the Guava APIs were part of Kite's public API.
I don't recall if we eliminated
uses of Guava classes (Optional was the common culprit that got exposed) but that was the goal