From 561a5bf648ff3319c0c91724ed14da5a737e6663 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Tue, 1 Nov 2022 19:31:46 -0700 Subject: [PATCH] Add links to AdaLogics Jackson Security Audit document --- README.md | 22 ++++++++++++++-------- SECURITY.md | 10 +++++++++- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index a6744a86..ddd406bb 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,13 @@ [![Open Source](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://opensource.org/) - # Jackson Project Home @github This is the home page of the Jackson Project. ## What is New? +* Nov 2, 2022: AdaLogics Security Audit for Jackson released -- see Document/Reports * Oct 28, 2022: Jackson 2.14 Release Candidate 3 (2.14.0-rc3) released; 2.14.0 itself soon to be released! * Sep 3, 2022: Jackson 2.13.4 patch released * Sep 30, 2021: Jackson 2.13.0 (new stable) released @@ -271,6 +271,16 @@ mailing address. Note that filing an issue to go with report is fine, but if you DO NOT include details of security problem in the issue but only in email contact. This is important to give us time to provide a patch, if necessary, for the problem. +### Note on reporting Bugs + +Jackson bugs need to be reported against component they affect: for this reason, issue tracker +is not enabled for this project. +If you are unsure which specific project issue affects, the most likely component +is `jackson-databind`, so you would use +[Jackson Databind Issue Tracker](https://github.com/FasterXML/jackson-databind/issues). + +For suggestions and new ideas, try [Jackson Future Ideas](../../../jackson-future-ideas) + ## Documentation ### Web sites 
@@ -299,15 +309,11 @@ and more specific tutorials: * [Java67 Javakcson CSV Tutorial](https://www.java67.com/2019/05/how-to-read-csv-file-in-java-using-jackson-library.html) (CSV) -### Note on reporting Bugs +### Reports -Jackson bugs need to be reported against component they affect: for this reason, issue tracker -is not enabled for this project. -If you are unsure which specific project issue affects, the most likely component -is `jackson-databind`, so you would use -[Jackson Databind Issue Tracker](https://github.com/FasterXML/jackson-databind/issues). +Following reports have been published about Jackson components -For suggestions and new ideas, try [Jackson Future Ideas](../../../jackson-future-ideas) +* [AdaLogics Jackson Security Audit (2022)](../../blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf) (jackson-core, jackson-databind) ### Java JSON library comparisons diff --git a/SECURITY.md b/SECURITY.md index b5643a33..9023acc1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security Policy -Last Updated: 2022-09-20 +Last Updated: 2022-11-02 This policy covers ALL Jackson projects/repos: some repos may have their own copy of this policy document. @@ -32,3 +32,11 @@ To verify that any given Jackson artifact has been signed with a valid key, have https://github.com/FasterXML/jackson/blob/master/KEYS which lists all known valid keys in use. + +## Related documents + +There is a published security audit about 2 main Jackson components (`jackson-core`, `jackson-databind`): + +* [AdaLogics Jackson Security Audit (2022)](../../blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf) + +which documents a thorough investigation into Jackson design, implementation, as well as some security design suggestions for developers using Jackson libraries.
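Review bot: In the first README.md hunk, the new "What is New?" entry tells the reader to "see Document/Reports" in plain prose, while the section this same patch adds is headed `### Reports` under `## Documentation`; a markdown anchor makes the entry clickable and survives later heading edits, e.g. `* Nov 2, 2022: AdaLogics Security Audit for Jackson released -- see [Reports](#reports)`. The same hunk also drops the blank line between the badge image and the `# Jackson Project Home @github` heading; it renders the same either way, but keeping the separator is consistent with the rest of the file.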
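Review bot: In the second README.md hunk, the moved `### Note on reporting Bugs` subsection now sits directly under the paragraph that tells reporters to keep security details out of public issues, yet the subsection itself sends everyone to the public jackson-databind issue tracker without restating that exception; a reader who skims to the nearest heading can end up filing a vulnerability publicly. Add one sentence such as `Security vulnerabilities are not bugs to file here: follow the reporting instructions above (and SECURITY.md).` While the text is being moved, fix its grammar: `against component they affect` -> `against the component they affect`, `issue tracker is not enabled` -> `the issue tracker is not enabled`, and `which specific project issue affects` -> `which specific project an issue affects`.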
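Review bot: In the third README.md hunk, the new `### Reports` entry links to `../../blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf`, but the diffstat lists only README.md and SECURITY.md, so this patch does not add the PDF; confirm `docs/AdaLogics-Security-Audit-Jackson-2022.pdf` is already committed on master, otherwise the link 404s the moment this merges. GitHub resolves repository-relative markdown links, so the plain `docs/AdaLogics-Security-Audit-Jackson-2022.pdf` form is simpler and also works when the README is viewed on a branch or tag other than master; if the intent is that the published audit text cannot change under the link, point at a commit hash instead of `master` and consider listing a SHA-256 of the PDF beside it. Minor wording: `Following reports have been published about Jackson components` -> `The following reports have been published about Jackson components:`.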
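Review bot: In the second SECURITY.md hunk, the audit link uses the repository-relative path `../../blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf`, but the header of this same file says "some repos may have their own copy of this policy document": a copy placed in jackson-databind or jackson-core would resolve that path against the wrong repository and break. The KEYS reference a few lines above already uses the absolute form `https://github.com/FasterXML/jackson/blob/master/KEYS`; use the same form here (`https://github.com/FasterXML/jackson/blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf`) so copies of the policy stay valid. Wording: `about 2 main Jackson components` -> `about the two main Jackson components`, and `a thorough investigation into Jackson design, implementation, as well as some security design suggestions` reads better as `a thorough investigation of Jackson design and implementation, along with security design suggestions for developers using Jackson libraries`.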