These are chat archives for kite-sdk/kite

17th
Dec 2018
Naveen Kumar Parachur Cotha
@naveencotha-zt
Dec 17 2018 19:16
I am using kite-data-core-1.1.0.jar in my project, which brings in shaded version of com.google.guava:guava:11.0.2 which has CVE-2018-10237, is there any workaround for this?
Joey Echeverria
@joey
Dec 17 2018 22:24
@naveencotha-zt not an easy one. You'd have to re-build the Kite SDK from source using an updated version of Guava.
That being said, I doubt that CVE is a major concern to Kite in practice. Nothing inside of Kite uses the affected classes (AtomicDoubleArray and CompoundOrdering).
The only risk would be if your application used those shaded classes. The intention behind shading Guava was that none of the Guava APIs were part of Kite's public API.
I don't recall if we eliminated all uses of Guava classes (Optional was the common culprit that got exposed) but that was the goal