Fix security issue SNYK-JAVA-COMGOOGLECODEGSON-1730327 by upgrading gson lib

[marko-asplund]

📜 Description

Upgrade com.google.code.gson:gson library to v2.8.9.

💡 Motivation and Context

Snyk scan for my service reports the following vulnerability:

  ✗ Deserialization of Untrusted Data [High Severity][https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327] in com.google.code.gson:gson@2.8.5
    introduced by com.foo:barlib_2.13@0.1.0-SNAPSHOT > io.sentry:sentry@5.1.2 > com.google.code.gson:gson@2.8.5 and 2 other path(s)
  This issue was fixed in versions: 2.8.9

Address this issue by upgrading com.google.code.gson:gson to v2.8.9.

💚 How did you test it?

📝 Checklist

• I reviewed the submitted code
• I added tests to verify the changes
• I updated the docs if needed
• No breaking changes

🔮 Next steps

[marko-asplund]

Could you please check if issue google/gson#1597 mentioned in buildSrc/src/main/java/Config.kt is still valid?

[romtsn]

Thanks for the PR, but we just got rid of the Gson dependency in the version 6.+, which makes this PR obsolete

[marko-asplund]

Thanks for the PR, but we just got rid of the Gson dependency in the version 6.+, which makes this PR obsolete

Looks like 6.0.0 alpha 1 is the latest release in v6 branch and was released back in 2021-11-23, but many organisations aren't allowed to upgrade to early alpha releases.
So, even if this PR would be considered obsolete, for many Sentry Java SDK users the underlying issue is not resolved.
Is there an ETA for a stable release?
Or in the meantime is there a workaround apart from excluding Sentry Java SDK from Snyk scanning entirely?

[romtsn]

no ETA for stable, but should be pretty soon afaik.

The workaround is to force gson version to 2.8.9 in your build config (it's easy to do with Gradle and Maven for sure). Since it's a patch version diff, there should not be any binary incompatibility, so not runtime exceptions.

[bruno-garcia]

Thanks for the PR, but we just got rid of the Gson dependency in the version 6.+, which makes this PR obsolete

Looks like 6.0.0 alpha 1 is the latest release in v6 branch and was released back in 2021-11-23, but many organisations aren't allowed to upgrade to early alpha releases. So, even if this PR would be considered obsolete, for many Sentry Java SDK users the underlying issue is not resolved. Is there an ETA for a stable release? Or in the meantime is there a workaround apart from excluding Sentry Java SDK from Snyk scanning entirely?

Would you be able to bump to the latest and at least run through your CI pipeline and test locally to give us some feedback?
We expect to get this moving quickly now, the biggest reason for delay is the little feedback we had so far about the release