Upgrade jackson-core to 2.15.0 to resolve vulnerability #1234

Merged
merged 10 commits into from
Sep 12, 2024

Conversation

shantyk
Contributor

@shantyk shantyk commented Sep 11, 2024

Resolves vulnerability reported in IDETECT-4459: FasterXML/jackson-core#827

@@ -110,7 +110,8 @@ allprojects {
dependencies {
implementation "com.google.guava:guava:32.1.2-jre"
implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0'

// jackson-core is a transitive dep coming from jackson-dataformat-yaml, earlier versions have vulnerability sonatype-2022-6438
implementation('com.fasterxml.jackson.core:jackson-core:2.15.0')
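Review bot: the new jackson-core line and the existing jackson-dataformat-yaml line pin the same Jackson release as two independent literals; consider a single version property used by both so that a later bump of jackson-dataformat-yaml cannot leave the directly declared jackson-core behind on an older line, which would silently reintroduce the condition this PR removes. Two smaller points in the same hunk: the comment cites sonatype-2022-6438 while the PR description cites IDETECT-4459 and FasterXML/jackson-core#827, so adding one of those to the comment makes the pin traceable for whoever reviews it next; and the block now mixes three declaration styles (`"..."` for guava, `'...'` for jackson-dataformat-yaml, `('...')` for jackson-core), so it is worth settling on one.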

@shantyk shantyk Sep 11, 2024

We have to add it as a direct dependency here in order to override a version constraint coming from a global dependency management configuration. I believe this constraint is coming from the following entry in our build files:
apply plugin: 'io.spring.dependency-management'

I say this because I see the following in the debug logs when Gradle attempts to resolve the jackson-core version:

2024-09-11T13:02:25.147-0600 [DEBUG] [io.spring.gradle.dependencymanagement.internal.VersionConfiguringAction] Processing dependency 'com.fasterxml.jackson.core:jackson-core:2.14.0'
2024-09-11T13:02:25.147-0600 [DEBUG] [io.spring.gradle.dependencymanagement.internal.DependencyManagementContainer] Found managed version '2.13.5' for dependency 'com.fasterxml.jackson.core:jackson-core' in global dependency management
2024-09-11T13:02:25.147-0600 [DEBUG] [io.spring.gradle.dependencymanagement.internal.VersionConfiguringAction] Using version '2.13.5' for dependency 'com.fasterxml.jackson.core:jackson-core:2.14.0'

Contributor

I suppose just adding a direct dependency is sufficient, and we don't need to exclude the transitive dependency from io.spring.dependency-management in addition to it?

Contributor Author

Correct, I see all other versions of jackson-core being corrected to 2.15.0 in the dependency tree. Other attempts always resulted in 2.13.5 winning (which I believe is coming from Spring dependency management). I have also confirmed that in the Detect JAR built from the branch, only version 2.15.0 is present.
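Added example, not the project's build file: a stand-alone Gradle `build.gradle` sketch of the mechanism discussed in the two replies above, showing both ways of getting a patched jackson-core past the Spring dependency-management plugin's managed 2.13.5 (raising the managed version in the plugin's own `dependencyManagement` block, or declaring the dependency directly with an explicit version, which the plugin's `overriddenByDependencies` default lets win), plus a task that fails the build if anything on the runtime classpath still resolves jackson-core to a different version, as a repeatable form of the JAR check described in the reply. The plugin version, the `jacksonVersion` property and the `checkJacksonCore` task name are assumptions of this example.

```groovy
// build.gradle (constructed example; not Detect's build file)
plugins {
    id 'java'
    id 'io.spring.dependency-management' version '1.1.6'   // assumed plugin version
}

repositories { mavenCentral() }

// One source of truth for every Jackson artifact, so a later bump moves
// jackson-core and jackson-dataformat-yaml together.
ext.jacksonVersion = '2.15.0'

dependencyManagement {
    dependencies {
        // Option A: raise the managed version itself. Every resolution path,
        // direct or transitive, then maps jackson-core to the patched release
        // instead of the 2.13.5 the plugin chose in the debug log above.
        dependency "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
    }
}

dependencies {
    implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:${jacksonVersion}"
    // Option B (what the PR does): a direct declaration with an explicit version.
    // With the plugin's default overriddenByDependencies = true, a version
    // declared directly on a dependency takes precedence over the managed one,
    // which is why this line alone was enough to make 2.15.0 win.
    implementation "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
}

// Guard: fail the build if the runtime classpath still resolves jackson-core
// to anything other than the pinned version, so a regression surfaces in CI
// rather than in a later scanner report. Task name is an assumption.
tasks.register('checkJacksonCore') {
    doLast {
        def ids = configurations.runtimeClasspath
            .resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
        def core = ids.find { it.group == 'com.fasterxml.jackson.core' && it.name == 'jackson-core' }
        if (core == null) {
            throw new GradleException('jackson-core is not on the runtime classpath')
        }
        if (core.version != jacksonVersion) {
            throw new GradleException("jackson-core resolved to ${core.version}, expected ${jacksonVersion}")
        }
        println "jackson-core resolved to ${core.version} (ok)"
    }
}

// Run the guard as part of the normal verification lifecycle.
tasks.named('check') { dependsOn 'checkJacksonCore' }
```

To see which rule actually selected the version (managed, direct declaration, or conflict resolution), `gradle dependencyInsight --dependency jackson-core --configuration runtimeClasspath` prints the selection reason for each requested version, which is a quicker check than unpacking the built JAR.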

Contributor

I see, thanks for explaining.

@shantyk shantyk marked this pull request as ready for review September 11, 2024 21:08
@shantyk shantyk merged commit 821c3cc into 10.0.z Sep 12, 2024
@shantyk shantyk deleted the dev/shanty/IDETECT-4459-upgrade-jackson-core branch November 19, 2024 15:11

3 participants