Update guava dependency to address CVE-2023-2976 (#10249)

Explicit dependencies to keep versions in step with newer Guava

examples/example-debug/pom.xml

@@ -58,7 +58,7 @@
     <dependency> <!-- prevent downgrade of version in protobuf-java-util from grpc-services -->
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
-      <version>31.1-jre</version>
+      <version>32.0.1-jre</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>

examples/example-hostname/pom.xml

@@ -58,7 +58,7 @@
     <dependency> <!-- prevent downgrade of version in protobuf-java-util from grpc-services -->
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
-      <version>31.1-jre</version>
+      <version>32.0.1-jre</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>

examples/pom.xml

@@ -63,7 +63,12 @@
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
-      <version>31.1-jre</version> <!-- prevent downgrade of version in protobuf-java-util -->
+      <version>32.0.1-jre</version> <!-- prevent downgrade of version in protobuf-java-util -->
+    </dependency>
+    <dependency>
+      <groupId>com.google.j2objc</groupId>
+      <artifactId>j2objc-annotations</artifactId>
+      <version>2.8</version> <!-- prevent downgrade of version in guava -->
     </dependency>
     <dependency>
       <groupId>org.apache.tomcat</groupId>

gcp-observability/build.gradle

@@ -59,7 +59,9 @@ dependencies {
             libraries.animalsniffer.annotations, // Use our newer version
             libraries.guava.jre, // Use our newer version
             libraries.protobuf.java.util, // Use our newer version
-            libraries.re2j // Use our newer version
+            libraries.re2j, // Use our newer version
+            libraries.checker.qual, // Explicit dependency to keep in step with version used by guava
+            libraries.j2objc.annotations // Explicit dependency to keep in step with version used by guava
 
     testImplementation testFixtures(project(':grpc-context')),
             project(':grpc-testing'),

gradle/libs.versions.toml

@@ -2,7 +2,7 @@
 # Compatibility problem with internal version getting onto 1.5.3.
 # https://github.com/grpc/grpc-java/pull/9118
 googleauth = "1.4.0"
-guava = "31.1-android"
+guava = "32.0.1-android"
 netty = '4.1.87.Final'
 # Keep the following references of tcnative version in sync whenever it's updated:
 #   SECURITY.md
@@ -23,6 +23,7 @@ animalsniffer = "org.codehaus.mojo:animal-sniffer:1.23"
 animalsniffer-annotations = "org.codehaus.mojo:animal-sniffer-annotations:1.23"
 auto-value = "com.google.auto.value:auto-value:1.10.1"
 auto-value-annotations = "com.google.auto.value:auto-value-annotations:1.10.1"
+checker-qual = "org.checkerframework:checker-qual:3.33.0"
 checkstyle = "com.puppycrawl.tools:checkstyle:8.28"
 commons-math3 = "org.apache.commons:commons-math3:3.6.1"
 conscrypt = "org.conscrypt:conscrypt-openjdk-uber:2.5.2"
@@ -38,9 +39,10 @@ gson = "com.google.code.gson:gson:2.10.1"
 guava = { module = "com.google.guava:guava", version.ref = "guava" }
 guava-betaChecker = "com.google.guava:guava-beta-checker:1.0"
 guava-testlib = { module = "com.google.guava:guava-testlib", version.ref = "guava" }
-guava-jre = "com.google.guava:guava:31.1-jre"
+guava-jre = "com.google.guava:guava:32.0.1-jre"
 hdrhistogram = "org.hdrhistogram:HdrHistogram:2.1.12"
 javax-annotation = "org.apache.tomcat:annotations-api:6.0.53"
+j2objc-annotations = " com.google.j2objc:j2objc-annotations:2.8"
 jetty-alpn-agent = "org.mortbay.jetty.alpn:jetty-alpn-agent:2.0.10"
 jsr305 = "com.google.code.findbugs:jsr305:3.0.2"
 junit = "junit:junit:4.13.2"

repositories.bzl

@@ -20,7 +20,7 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.code.gson:gson:2.10.1",
     "com.google.errorprone:error_prone_annotations:2.18.0",
     "com.google.guava:failureaccess:1.0.1",
-    "com.google.guava:guava:31.1-android",
+    "com.google.guava:guava:32.0.1-android",
     "com.google.re2j:re2j:1.7",
     "com.google.truth:truth:1.0.1",
     "com.squareup.okhttp:okhttp:2.7.5",

services/build.gradle

@@ -23,7 +23,8 @@ dependencies {
     implementation libraries.protobuf.java.util,
             libraries.guava.jre // JRE required by protobuf-java-util
 
-    runtimeOnly libraries.errorprone.annotations
+    runtimeOnly libraries.errorprone.annotations,
+            libraries.j2objc.annotations // Explicit dependency to keep in step with version used by guava
 
     compileOnly libraries.javax.annotation
     testImplementation project(':grpc-testing'),