Upgrade jackson-core to 2.15.0 to resolve vulnerability #1234

Merged
merged 10 commits into from
Sep 12, 2024

Conversation

shantyk
Contributor

@shantyk shantyk commented Sep 11, 2024

Resolves vulnerability reported in IDETECT-4459: FasterXML/jackson-core#827

@@ -110,7 +110,8 @@ allprojects {
dependencies {
implementation "com.google.guava:guava:32.1.2-jre"
implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0'

// jackson-core is a transitive dep coming from jackson-dataformat-yaml, earlier versions have vulnerability sonatype-2022-6438
implementation('com.fasterxml.jackson.core:jackson-core:2.15.0')
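Review bot: the comment on the new jackson-core line names the advisory but not why the artifact has to be declared as a direct dependency at all; as the thread below explains, the point is to beat the managed version 2.13.5 applied by io.spring.dependency-management, and without that in the comment a later cleanup could drop the line as redundant with jackson-dataformat-yaml:2.15.0 right above it. Suggest extending the comment, e.g. `// Declared directly so the explicit version overrides the 2.13.5 managed by io.spring.dependency-management`, and noting the dependency-tree check that confirms only 2.15.0 is resolved. Minor style point: the new line uses parentheses and single quotes while the guava line two lines up uses double quotes without parentheses; match the surrounding declarations.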
Contributor Author

@shantyk shantyk Sep 11, 2024

We have to add it as a direct dependency here in order to override a version constraint coming from a global dependency management configuration. I believe this constraint is coming from the following entry in our build files:
apply plugin: 'io.spring.dependency-management'

Because I see the following in the debug logs when Gradle attempts to resolve the jackson-core version:

2024-09-11T13:02:25.147-0600 [DEBUG] [io.spring.gradle.dependencymanagement.internal.VersionConfiguringAction] Processing dependency 'com.fasterxml.jackson.core:jackson-core:2.14.0'
2024-09-11T13:02:25.147-0600 [DEBUG] [io.spring.gradle.dependencymanagement.internal.DependencyManagementContainer] Found managed version '2.13.5' for dependency 'com.fasterxml.jackson.core:jackson-core' in global dependency management
2024-09-11T13:02:25.147-0600 [DEBUG] [io.spring.gradle.dependencymanagement.internal.VersionConfiguringAction] Using version '2.13.5' for dependency 'com.fasterxml.jackson.core:jackson-core:2.14.0'

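The two ways of getting past the managed version that this comment describes, as an added build.gradle illustration rather than this project's own build file; the `dependencyManagement` block and the `dependencyInsight` command are assumed from the io.spring.dependency-management plugin and Gradle documentation, not taken from the PR.

```groovy
// Added illustration, not this project's build file.
apply plugin: 'io.spring.dependency-management'

// Option A (the approach taken in this PR): declare jackson-core directly with
// an explicit version. With the plugin's default settings a version written on
// a direct dependency wins over the managed version, whereas the transitive
// jackson-core pulled in by jackson-dataformat-yaml would be forced to 2.13.5.
dependencies {
    implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0'
    // Direct dependency purely to override the managed 2.13.5; see IDETECT-4459.
    implementation 'com.fasterxml.jackson.core:jackson-core:2.15.0'
}

// Option B (assumed alternative): change the managed version itself, so every
// module in the build resolves jackson-core to 2.15.0 without a direct dependency
// and the managed version cannot silently drag a transitive back to 2.13.5.
dependencyManagement {
    dependencies {
        dependency 'com.fasterxml.jackson.core:jackson-core:2.15.0'
    }
}

// Verify the outcome for the runtime classpath of a module; the report shows
// which version was selected and why (managed, direct, or conflict resolution):
//   ./gradlew dependencyInsight --dependency jackson-core --configuration runtimeClasspath
```

Either option should leave the report showing a single selected version, 2.15.0, with no line still reporting 2.13.5 as the managed choice.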
Contributor

I suppose just adding a direct dependency is sufficient, and we don't need to also exclude the transitive dependency from io.spring.dependency-management in addition to it?

Contributor Author

Correct, I see all other versions of jackson-core being corrected to 2.15.0 in the dependency tree. Other attempts always resulted in 2.13.5 winning (which I believe is coming from Spring dependency management). I have also confirmed that in the Detect JAR built from the branch, only version 2.15.0 is present.

Contributor

I see, thanks for explaining

@shantyk shantyk marked this pull request as ready for review September 11, 2024 21:08
@shantyk shantyk merged commit 821c3cc into 10.0.z Sep 12, 2024
@shantyk shantyk deleted the dev/shanty/IDETECT-4459-upgrade-jackson-core branch November 19, 2024 15:11