Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2 #317

Open
wants to merge 1 commit into base: master

Conversation

sadiqkassamali

Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2 due to v3 https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538

@deepy
Member

deepy commented Jul 31, 2024

Unfortunately merging this would require dropping support for Gradle versions older than 7.6, so this is going to need to wait until the next version bump

But on the bright side, actually using this to attack your build would require very specific circumstances so while the CVE has a high severity, it's almost irrelevant here
And Gradle's dependency management would allow this to be patched locally where necessary

@tkrah

tkrah commented Aug 8, 2024

That would be really useful, see e.g. here:

CycloneDX/cyclonedx-gradle-plugin#482

@deepy
Member

deepy commented Aug 22, 2024

Ah, API issues :-/
I was hoping that our usage would be innocuous enough, but I need to take a closer look at this

@deepy deepy added this to the 8.x milestone Sep 27, 2024
@tkrah

tkrah commented Dec 9, 2024

@deepy Do you have news about this? Anything you need support with (we could maybe provide)?

@deepy
Member

deepy commented Dec 13, 2024

@tkrah there's really only two ways to fix this:
A. Upgrading - which requires dropping support for older Gradle versions
B. Replacing jackson - which has a poor return on investment for the time I'd need to spend on it

When Gradle 9 releases I'm perfectly happy to drop support for older versions, but not right now given the relatively low severity of the issue
Although if you have a real scenario that makes a denial of service in a build an issue I'm happy to discuss and re-evaluate, beyond that I'm also open to replacing jackson

@tkrah

tkrah commented Dec 13, 2024

@deepy It is not about the CVE which is the main issue here, it is the API issues (CycloneDX/cyclonedx-gradle-plugin#482) which are there because of that old jackson version (2.14 was released Nov 5, 2022 ... which is kind of dated) which clashes with other plugins.
Why not release a new version which drops support for those old gradle versions like other plugins do too to solve that problem - if you want to keep support for both, why not maintain 2 release lines?

@tkrah

tkrah commented Dec 17, 2024

JFTR: With the latest Spring Boot Plugin 3.4.0, which uses 2.18.2, this is also going to be a problem because of this runtime error:

'void com.fasterxml.jackson.core.base.GeneratorBase.<init>(int, com.fasterxml.jackson.core.ObjectCodec, com.fasterxml.jackson.core.io.IOContext)'

Seems I am going to need my own fork until this is fixed someday in the future.

Edit: Using my own fork which uses jackson 2.18.2 works fine with spring-boot-plugin 3.4.0 and cyclonedx-plugin 1.10.0.

Edit 2:

Another workaround which does fit and is much more useful because it is lightweight (no fork needed) is to add this constraint to the buildScript dependencies:

constraints {
    // pin jackson-databind on the build classpath to 2.18.2
    implementation("com.fasterxml.jackson.core:jackson-databind:2.18.2")
}
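
The "patch it locally through Gradle's dependency management" approach from this thread, as an added example that is not code from the PR or from either plugin project: a root build.gradle.kts that pins jackson-databind on the plugin classpath (the buildscript "classpath" configuration, which is where plugins applied from the plugins block and their transitive dependencies are resolved) and registers a task that fails the build if the pin did not win resolution. The plugin ids and versions are the ones named in the thread; the task name is my own.

```kotlin
// Added example (not from this PR): root build.gradle.kts
// buildscript {} must precede plugins {} in a build script.
buildscript {
    dependencies {
        constraints {
            // Constrain the buildscript "classpath" configuration so every
            // plugin that depends on Jackson resolves to one patched version.
            "classpath"("com.fasterxml.jackson.core:jackson-databind:2.18.2") {
                because("SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 and Jackson API clashes between plugins")
            }
        }
    }
}

plugins {
    // Plugins from the thread that pull Jackson onto the build classpath.
    id("org.springframework.boot") version "3.4.0"
    id("org.cyclonedx.bom") version "1.10.0"
}

// Verification task: inspects what was actually resolved rather than trusting
// the declaration. Run with: ./gradlew checkJacksonOnBuildClasspath
tasks.register("checkJacksonOnBuildClasspath") {
    doLast {
        val expected = "2.18.2"
        val databind = buildscript.configurations["classpath"]
            .resolvedConfiguration
            .resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "com.fasterxml.jackson.core" && it.name == "jackson-databind" }
        check(databind.isNotEmpty()) {
            "jackson-databind is not on the build classpath; nothing to pin"
        }
        check(databind.all { it.version == expected }) {
            "Expected jackson-databind $expected on the build classpath, resolved: " +
                databind.map { it.version }.distinct()
        }
        logger.lifecycle("jackson-databind on build classpath: $expected")
    }
}
```

`./gradlew buildEnvironment` prints the same resolved plugin classpath and is useful for a quick manual check before wiring the task into CI.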
