This repository has been archived by the owner on Jan 19, 2023. It is now read-only.
Description
The wrong component is linked to this vulnerability.
It gets reported by OSS Index for pkg:maven/com.fasterxml.jackson.core/jackson-databind, but the vulnerability resides in one of the submodules of jackson-modules-java8: pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310, which is a separate library that requires explicit addition to a project's dependencies. See the jackson-modules-java8 GitHub issue for details.
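An added triage check, not part of this issue or of OSS Index's own code: it parses the Maven purls named above, compares the artifact the finding was reported against with the artifact that actually holds the vulnerable code, and checks whether that artifact is present in the project's resolved dependency tree. The sample dependency list and the version numbers are constructed.

```python
# Added example (not OSS Index code): decide whether an OSS Index finding is
# actionable by comparing the purl it was reported against with the artifact
# that is actually vulnerable, then checking the project's resolved dependencies.
from dataclasses import dataclass

@dataclass(frozen=True)
class MavenCoord:
    group: str
    artifact: str
    version: str = ""

def parse_maven_purl(purl: str) -> MavenCoord:
    """Parse pkg:maven/<group>/<artifact>[@version][?qualifiers][#subpath]."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError(f"not a Maven purl: {purl}")
    rest = purl[len("pkg:maven/"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = rest.partition("@")
    group, _, artifact = path.rpartition("/")
    if not group or not artifact:
        raise ValueError(f"purl lacks group or artifact: {purl}")
    return MavenCoord(group, artifact, version)

def triage(reported_purl: str, affected_purl: str, resolved_deps: list) -> str:
    """Return 'actionable', 'wrong-component-but-present' or 'false-positive'."""
    reported = parse_maven_purl(reported_purl)
    affected = parse_maven_purl(affected_purl)
    deps = {(c.group, c.artifact) for c in map(parse_maven_purl, resolved_deps)}
    if (reported.group, reported.artifact) == (affected.group, affected.artifact):
        return "actionable"  # the advisory names the artifact that holds the bug
    # The advisory names the wrong artifact; the finding still matters only if
    # the truly affected artifact is somewhere in the project's dependency tree.
    if (affected.group, affected.artifact) in deps:
        return "wrong-component-but-present"
    return "false-positive"

# Constructed sample: a project that uses jackson-databind but never added the
# separate jackson-datatype-jsr310 module. The version is a made-up placeholder.
REPORTED = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@1.0.0"
AFFECTED = "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310"
DEPS = [
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@1.0.0",
    "pkg:maven/com.fasterxml.jackson.core/jackson-core@1.0.0",
]

if __name__ == "__main__":
    print(triage(REPORTED, AFFECTED, DEPS))  # false-positive
```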
This one is more complicated. We have implicated the jackson-datatype-jsr310 package directly with the CVE, and that should show up tomorrow. Un-implicating jackson-databind is more of a trick due to how the research pipeline for OSS Index works under the hood, so it will have to remain as a false positive for now.
However, we are in the midst of a rather large effort to move the OSS Index research to a different research pipeline that will result in not only higher quality results (for example, fixing this false positive), but also fewer false negatives and overall a much faster update time.
I am uncertain when this new pipeline will be fully in operation, but I suspect Maven/Java will be pretty high up on the priority list.