[ZOOKEEPER-4716] Upgrade jackson to 2.15.2, suppress two false positive CVE errors - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: 3.8.1
Fix Version/s: 3.9.0, 3.7.2, 3.8.2
Component/s: None
Labels:
- pull-request-available

Description

Our jackson is quite old, I want to upgrade it before release 3.8.2.

Also we have a few false positive CVEs reported by OWASP:

CVE-2023-35116: according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098
CVE-2022-45688: the following CVE is not even jackson related, but a vulnerability in json-java which we don't use in ZooKeeper

[INFO] Finished at: 2023-06-30T13:23:38+02:00 
[INFO] ------------------------------------------------------------------------ 
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
[ERROR] 
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
[ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)

Attachments

Issue Links

Add Link

links to

GitHub Pull Request #2026

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Mate Szalay-Beko

Reporter:: Mate Szalay-Beko

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 30/Jun/23 11:43

Updated:: 04/Aug/23 11:28

Resolved:: 02/Jul/23 14:35

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Upgrade jackson to 2.15.2, suppress two false positive CVE errors