sagarkate commented on issue #25746:
URL: https://github.com/apache/beam/issues/25746#issuecomment-1459526536

   @Abacn - Thank you Yi Hu for looking into this issue!

   We are using the [beam-runner-google-cloud-dataflow-java-2.45.0](https://mvnrepository.com/artifact/org.apache.beam/beam-runners-google-cloud-dataflow-java/2.45.0) dependency in our code. This runner has [beam-vendor-grpc-1-48-1](https://mvnrepository.com/artifact/org.apache.beam/beam-runners-google-cloud-dataflow-java/2.45.0#:~:text=org.apache.beam%20%C2%BB%20beam%2Dvendor%2Dgrpc%2D1_48_1) as its compile-time dependency.

   protobuf-java-3.21.1 is shaded into this beam-vendor-grpc-1-48-1-0-1. So, we cannot exclude protobuf-java-3.21.1 from this vendor jar, and we cannot override it with the latest protobuf-java version either. We cannot use any other beam-vendor-grpc version, as beam-vendor-grpc-1-48-1-0-1 is the latest version. We cannot exclude beam-vendor-grpc because internally the Dataflow runner references classes from beam-vendor-grpc-1-48-1 such as `org.apache.beam.vendor.grpc.v1p48p1.com.google.protobuf.Message$Builder`.

   And if we include this vendor jar, it gets flagged as vulnerable by our security scan due to the shaded protobuf-java-3.21.1. Hence, it would be really helpful if the version of protobuf-java is updated to its latest version in beam-vendor-grpc-1-48-1.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
