Uploaded image for project: 'Beam'
  1. Beam
  2. BEAM-7881

Get rid of jackson to avoid the continuous flow of CVEs in Jackson

    XMLWordPrintableJSON

Details

    • Task
    • Status: Open
    • P3
    • Resolution: Unresolved
    • 2.14.0
    • 3.0.0
    • sdk-java-core

    Description

      Jackson keeps having CVE on all releases of databind and transitively beam sdk java core has CVE on all its releases (for the record, when writing this issue you must use at least jackson-databind 2.9.9.2 but last week it was 2.9.9.1 and 2.14 didn't get the fix).

      Can be neat to get rid of jackson which does not fix this issue for a very long time now and just use JSON-B or another JSON impl to ensure the CVE is not usable because beam is there.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              romain.manni-bucau Romain Manni-Bucau
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: