
MODINVOICE-545: Unpin jackson fixing Number Parse DoS (PRISMA-2023-0067) #493

Merged: 1 commit merged on May 7, 2024

Conversation

julianladisch
Contributor

https://folio-org.atlassian.net/browse/MODINVOICE-545

jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS): FasterXML/jackson-core#827

mod-invoice pins the jackson version to 2.13.4. This effectively downgrades the jackson version provided by RMB (domain-models-runtime, domain-models-api-interfaces) from 2.16.1 to 2.13.4.

Fix: Unpin jackson.

Purpose

Fix vulnerability in jackson-core.

Approach

Unpin jackson.

Learning

Don't pin dependency versions provided by RMB or Spring.

Pre-Merge Checklist:

Before merging this PR, please go through the following list and take appropriate action.

  • Does this PR meet or exceed the expected quality standards?
    • Code coverage on new code is 80% or greater
    • Duplications on new code are 3% or less
    • There are no major code smells or security issues
  • Does this introduce breaking changes?
    • Were any API paths or methods changed, added, or removed?
    • Were there any schema changes?
    • Did any of the interface versions change?
    • Were permissions changed, added, or removed?
    • Are there new interface dependencies?
    • There are no breaking changes in this PR.
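As an added check, not part of the PR or of mod-invoice, the script below parses `mvn dependency:tree` output and reports whether the jackson-core version Maven actually resolved (after nearest-wins mediation, which is how a module-level pin overrides the version RMB provides) is below 2.15.0. The sample tree, module coordinates and RMB version in it are constructed placeholders; only the jackson versions mirror the PR.

```python
import re
from typing import Dict, Tuple

# jackson-core versions below this are affected, per the PR description.
FIXED_IN = (2, 15, 0)

# Constructed sample `mvn dependency:tree` output (not taken from mod-invoice).
# Module coordinates and the RMB version are placeholders; only jackson versions matter.
PINNED_TREE = """\
[INFO] org.example:sample-module:jar:1.0.0-SNAPSHOT
[INFO] +- org.folio:domain-models-runtime:jar:0.0.0-SAMPLE:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
[INFO] |     \\- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
"""
UNPINNED_TREE = PINNED_TREE.replace("2.13.4", "2.16.1")

def parse_version(version: str) -> Tuple[int, ...]:
    """'2.13.4' -> (2, 13, 4). Qualifiers such as '-SNAPSHOT' are dropped; this is
    simpler than Maven's ComparableVersion but enough for release-to-release checks."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised Maven version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def resolved_versions(tree: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' to the version Maven actually resolved."""
    found: Dict[str, str] = {}
    for line in tree.splitlines():
        # strip the "[INFO] " prefix and the tree-drawing characters
        body = re.sub(r"^\[INFO\]\s*[|+\\\- ]*", "", line).strip()
        parts = body.split(":")
        if len(parts) < 4:
            continue  # not a coordinate line
        # root: g:a:type:version ; dependency: g:a:type[:classifier]:version:scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        found[f"{parts[0]}:{parts[1]}"] = version
    return found

def jackson_core_status(tree: str) -> Tuple[str, bool]:
    """Return (resolved jackson-core version, True if it is below the fixed version)."""
    version = resolved_versions(tree).get("com.fasterxml.jackson.core:jackson-core")
    if version is None:
        return ("absent", False)
    return (version, parse_version(version) < FIXED_IN)

if __name__ == "__main__":
    for name, tree in (("pinned", PINNED_TREE), ("unpinned", UNPINNED_TREE)):
        print(name, jackson_core_status(tree))
```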

@SerhiiNosko SerhiiNosko requested a review from a team May 7, 2024 09:16

sonarqubecloud bot commented May 7, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@julianladisch julianladisch merged commit de7d446 into master May 7, 2024
4 checks passed
@julianladisch julianladisch deleted the MODINVOICE-545-unpin-jackson branch May 7, 2024 13:21