exclude <v32 version of google guava dependency from google java form…

…at and add google guava 32.0.1 to resolve CVE CVE-2023-2976 (opensearch-project#1094) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>
sbcd90 · Aug 17, 2023 · 778e7ce · 778e7ce
1 parent 6e7a16b
commit 778e7ce
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/core/build.gradle b/core/build.gradle
@@ -15,7 +15,10 @@ dependencies {
     api "org.jetbrains.kotlin:kotlin-stdlib-jdk8:${kotlin_version}"
     implementation "com.cronutils:cron-utils:9.1.6"
     api "org.opensearch.client:opensearch-rest-client:${opensearch_version}"
-    implementation 'com.google.googlejavaformat:google-java-format:1.10.0'
+    implementation('com.google.googlejavaformat:google-java-format:1.10.0')  {
+        exclude group: 'com.google.guava'
+    }
+    implementation 'com.google.guava:guava:32.0.1-jre'
     api "org.opensearch:common-utils:${common_utils_version}@jar"
     implementation 'commons-validator:commons-validator:1.7'