
Vulnerability: Okio Signed to Unsigned Conversion Error (GHSA-w33c-445m-f8w7) #131

Open
Noel-01 opened this issue Dec 14, 2024 · 0 comments

Noel-01 commented Dec 14, 2024

I encountered a vulnerability in the Binance Java Connector related to the Okio library. The issue is a "Signed to Unsigned Conversion Error," identified by GitHub Security Advisory GHSA-w33c-445m-f8w7. This vulnerability could pose a security risk in applications using the connector with versions of Okio before 3.0.0.

Steps to Reproduce:

  1. Add the binance-connector-java dependency to your project (pom.xml).
  2. Run an OWASP Dependency Check or similar security tool to analyze your project.
  3. The tool flags the issue due to the use of Okio in the connector, specifically in versions 3.0.x and lower.

Affected Versions:

Binance Java Connector version 3.4.0 and earlier.

Solution:

To resolve the issue, I fixed the vulnerability by enforcing the use of Okio version 3.9.1, which addresses the security concern. Here is the fix I applied to my pom.xml file:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.squareup.okio</groupId>
            <artifactId>okio</artifactId>
            <version>3.9.1</version>
        </dependency>
    </dependencies>
</dependencyManagement>

This forces the project to use Okio version 3.9.1, which is free from the vulnerability.
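As an added check that is not part of this issue or of the connector project: the script below parses a pom.xml and confirms that com.squareup.okio:okio is managed under dependencyManagement at 3.9.1 or newer (the version the reporter pinned), so the override cannot silently disappear in a later edit or be set back to an affected release. The three sample POMs, the `${okio.version}` property indirection and the groupId placeholder for the connector are constructed for the example; the minimum version comes from the override above, not from the advisory text.

```python
import re
import xml.etree.ElementTree as ET

# Minimum Okio version to accept. Assumption: this is the version the issue
# reporter pinned in their pom override, not a value taken from the advisory.
FIXED_OKIO = "3.9.1"


def parse_version(version):
    """Turn '3.9.1' into (3, 9, 1) for ordered comparison.

    Trailing qualifiers such as '-SNAPSHOT' are ignored; a segment with no
    leading digits counts as 0, so an unresolved '${...}' placeholder sorts low.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _tag(root, name):
    """Qualify a tag with the POM's namespace if the document declares one."""
    m = re.match(r"\{[^}]*\}", root.tag)
    return (m.group(0) if m else "") + name


def _resolve_property(root, value):
    """Expand a single '${name}' reference from <properties>; pass other values through."""
    value = value.strip() if value else value
    m = re.fullmatch(r"\$\{([^}]+)\}", value or "")
    if not m:
        return value
    props = root.find(_tag(root, "properties"))
    if props is None:
        return value
    for child in props:  # iterate rather than find(): property names may contain dots
        if child.tag == _tag(root, m.group(1)) and child.text:
            return child.text.strip()
    return value


def managed_version(pom_xml, group_id, artifact_id):
    """Return the version pinned under <dependencyManagement> for group:artifact, or None."""
    root = ET.fromstring(pom_xml)
    dm = root.find(_tag(root, "dependencyManagement"))
    deps = dm.find(_tag(root, "dependencies")) if dm is not None else None
    if deps is None:
        return None
    for dep in deps.findall(_tag(root, "dependency")):
        if (dep.findtext(_tag(root, "groupId")) == group_id
                and dep.findtext(_tag(root, "artifactId")) == artifact_id):
            return _resolve_property(root, dep.findtext(_tag(root, "version")))
    return None


def okio_pin_ok(pom_xml, minimum=FIXED_OKIO):
    """True when the POM manages com.squareup.okio:okio at `minimum` or newer."""
    pinned = managed_version(pom_xml, "com.squareup.okio", "okio")
    return pinned is not None and parse_version(pinned) >= parse_version(minimum)


# Constructed sample POMs (not from the issue): the reporter's override routed
# through a property, the same override at an affected version, and no override.
POM_PINNED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><okio.version>3.9.1</okio.version></properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>${okio.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

POM_TOO_OLD = POM_PINNED.replace("3.9.1", "3.0.0")

POM_UNPINNED = """<project>
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>GROUP_ID_PLACEHOLDER</groupId>
      <artifactId>binance-connector-java</artifactId>
      <version>3.4.0</version>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    for name, pom in [("pinned", POM_PINNED), ("too old", POM_TOO_OLD), ("unpinned", POM_UNPINNED)]:
        pinned = managed_version(pom, "com.squareup.okio", "okio")
        print(f"{name:9s} okio={pinned} ok={okio_pin_ok(pom)}")
```

This is a static check on the POM text only. Maven resolves the effective version from the whole build (a parent POM, or a direct `<dependency>` that carries its own explicit `<version>`, can still decide what ends up on the classpath), so after editing the POM confirm the resolved artifact with `mvn dependency:tree -Dincludes=com.squareup.okio` and re-run the dependency check from step 2 of the report.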
