This repository has been archived by the owner on Mar 21, 2022. It is now read-only.
Jackson dependency causes OWASP alerts. Change to Jackson version 2.7.4 #467
Comments
Does docker-client use xml at all?
@KostyaSha no, it does not.
OWASP checks still fail on 2.7.4 and 2.8.0, e.g.
The warning was added to the CVE database by a downstream Fedora issue, being tracked at https://bugzilla.redhat.com/show_activity.cgi?id=1328427 - the CVE database needs to be updated.
So why do you care about XmlMapper? It is also possible to change the dependency version at the project level.
Even the jackson-core check will fail, pulled in by the
@brettcave so upgrading to 2.7.4 or 2.8.0 or any other Jackson version won't resolve those warnings yet? |
@mattnworb correct. Can be easily verified as follows:
OWASP validation reports the following vulnerabilities for dependencies:
Vulnerable Dependencies
CVE            Severity (CVSS)   Dependency
CVE-2016-3720  High (10.0)       jackson-annotations-2.6.0.jar
CVE-2016-3720  High (10.0)       jackson-core-2.6.7.jar
CVE-2016-3720  High (10.0)       jackson-databind-2.6.7.jar
CVE-2016-3720  High (10.0)       jackson-datatype-guava-2.6.7.jar
CVE-2016-3720  High (10.0)       jackson-jaxrs-base-2.6.7.jar
CVE-2016-3720  High (10.0)       jackson-jaxrs-json-provider-2.6.7.jar
CVE-2016-3720  High (10.0)       jackson-module-jaxb-annotations-2.6.7.jar
This vulnerability is fixed in jackson 2.7.4:
FasterXML/jackson-dataformat-xml#190
This dependency should be updated to avoid alerts in OWASP checking.
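The alerts in the report above are all the same CVE-2016-3720, which is an XXE in the XmlMapper of jackson-dataformat-xml, yet they fire on jackson-core, jackson-databind and the other jackson artifacts, none of which ship an XML parser. As the thread notes, bumping the version does not silence them while the CVE database entry still matches every jackson artifact. For a project that, like docker-client, does not pull in jackson-dataformat-xml at all, the practical interim fix is a suppression scoped to exactly the mismatched artifacts rather than a blanket suppression of the CVE. The following OWASP dependency-check suppression file is an added example and is not part of this issue or of the docker-client project; the group-id list, the regex and the notes text are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check.
     Not from the docker-client project; the scope below is an assumption. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2016-3720 is an XXE in jackson-dataformat-xml (XmlMapper), fixed in 2.7.4
      (FasterXML/jackson-dataformat-xml#190). The CVE database entry currently matches
      every com.fasterxml.jackson artifact, so dependency-check flags jackson-core,
      jackson-databind, jackson-annotations, the jaxrs providers and the jaxb/guava
      modules even though none of them contain an XML parser.
      Scope: only the group ids seen in the report are listed. The
      com.fasterxml.jackson.dataformat group is deliberately left out so that a real
      jackson-dataformat-xml dependency below 2.7.4 is still reported.
    ]]></notes>
    <!-- gav is matched as group:artifact:version -->
    <gav regex="true">^com\.fasterxml\.jackson\.(core|datatype|jaxrs|module):jackson-[a-z-]+:.*$</gav>
    <cve>CVE-2016-3720</cve>
  </suppress>
</suppressions>
```

Point the dependency-check Maven or Gradle plugin at this file with its suppression-file setting, and remove the entry once the CVE database is corrected so the suppression does not outlive the false positive. The regex is deliberately narrow: suppressing `<cve>CVE-2016-3720</cve>` with no `gav` scope would also hide a genuinely vulnerable jackson-dataformat-xml if one is added later.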