
Vulnerabilities in dependency: jackson-databind 2.2.3 #433

Open · hkorpi opened this issue Nov 20, 2019 · 5 comments
hkorpi commented Nov 20, 2019

Library Version(s)

metosin/compojure-api "1.1.13"

Problem

Compojure-api seems to have an old transitive dependency:
[com.fasterxml.jackson.core/jackson-databind "2.2.3"]

`lein nvd check` reports vulnerabilities: CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2017-7525, CVE-2018-19360, CVE-20...

Dependency tree:

[metosin/compojure-api "1.1.13"]
   [cheshire "5.9.0"]
     [com.fasterxml.jackson.core/jackson-core "2.9.9"]
     [com.fasterxml.jackson.dataformat/jackson-dataformat-cbor "2.9.9"]
     [com.fasterxml.jackson.dataformat/jackson-dataformat-smile "2.9.9"]
     [tigris "0.1.1"]
   [compojure "1.6.1"]
     [clout "2.2.1"]
     [medley "1.0.0"]
   [frankiesardo/linked "1.3.0"]
   [metosin/ring-http-response "0.9.1"]
   [metosin/ring-swagger "0.26.2"]
     [metosin/schema-tools "0.11.0"]
     [metosin/scjsv "0.5.0"]
       [com.github.java-json-tools/json-schema-validator "2.2.10"]
         [com.github.java-json-tools/json-schema-core "1.2.10"]
           [com.github.fge/uri-template "0.9"]
           [com.github.java-json-tools/jackson-coreutils "1.9"]
             [com.fasterxml.jackson.core/jackson-databind "2.2.3"]
               [com.fasterxml.jackson.core/jackson-annotations "2.2.3"]
             [com.github.fge/msg-simple "1.1"]
               [com.github.fge/btf "1.2"]
           [org.mozilla/rhino "1.7.7.1"]
         [com.googlecode.libphonenumber/libphonenumber "8.0.0"]
         [javax.mail/mailapi "1.4.3"]
         [net.sf.jopt-simple/jopt-simple "5.0.3"]
miikka (Contributor) commented Nov 20, 2019

Wow, that's an old dependency. As a workaround, you can add an explicit dependency on jackson-databind and I think it should work.

[com.fasterxml.jackson.core/jackson-databind "2.9.9"]

The version of jackson-databind should always be the same as the version of jackson-core; otherwise you will have problems.

I'm not super-eager to add dependency version overrides to compojure-api – it's better to upgrade libraries deeper in the dependency tree and wait until the upgrades bubble up to compojure-api – but it will take a while.

hkorpi (Author) commented Nov 20, 2019

What happens if I exclude metosin/scjsv like:
[metosin/compojure-api "1.1.13" :exclusions [metosin/scjsv]]
?

hkorpi (Author) commented Nov 20, 2019

... seems to at least break my test:

https://github.com/solita/livijuku/blob/develop/juku-backend/test/clj/juku/service/swagger_test.clj

Is that library metosin/scjsv only used for testing?

So can I exclude it from normal dependencies and include it in dev dependencies?

miikka (Contributor) commented Nov 20, 2019

Yeah, I think that should work. scjsv is only needed for the compojure.api.validator namespace so as long as you use that only in tests, it should be fine.

hkorpi (Author) commented Nov 21, 2019

Seems to work, and my uberjar is also 5 MB thinner, thanks
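The two remedies discussed in this thread (pinning jackson-databind to the jackson-core version, and excluding metosin/scjsv from the production classpath while restoring it for tests) combined into one Leiningen project.clj. This is an added example, not compojure-api's own configuration or the reporter's project; the project name, version and Clojure version are placeholders, and the dependency coordinates are the ones shown in the dependency tree above.

```clojure
;; project.clj -- added example, not from compojure-api or the reporting project.
;; example-app / 0.1.0-SNAPSHOT / the Clojure version are placeholders.
(defproject example-app "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.10.1"]
                 ;; Exclude scjsv from the production classpath. It is the library
                 ;; that pulls in json-schema-validator -> jackson-coreutils ->
                 ;; jackson-databind 2.2.3. Only the compojure.api.validator
                 ;; namespace needs scjsv, so production code must not require it.
                 [metosin/compojure-api "1.1.13" :exclusions [metosin/scjsv]]]

  :profiles
  {:dev {:dependencies
         [;; Tests that use compojure.api.validator (e.g. swagger validation)
          ;; still need scjsv, so it is restored on the dev/test classpath only.
          [metosin/scjsv "0.5.0"]
          ;; scjsv would otherwise bring jackson-databind 2.2.3 back onto the
          ;; test classpath. A direct dependency wins over a transitive one
          ;; (nearest-wins resolution), so pin databind here at the same version
          ;; as the jackson-core that cheshire already pulls in (2.9.9); mixing
          ;; databind and core versions is the "otherwise you will have problems"
          ;; case from the thread.
          [com.fasterxml.jackson.core/jackson-databind "2.9.9"]]}})
```

After editing, `lein deps :tree` should no longer list jackson-databind 2.2.3 anywhere; the uberjar is built without the :dev profile, so scjsv and its transitive dependencies stay out of the deployed artifact, which is why the jar shrinks. Re-run `lein nvd check` afterwards to confirm the reported CVEs are gone rather than assuming it from the tree alone.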
