Hi, and first of all, thanks for working on ring-swagger!
I noticed that ring-swagger:0.26.2's dependency metosin:scjsv:0.5.0 depends on com.github.java-json-tools:json-schema-validator:jar:2.2.10, which in turn transitively depends on com.google.guava:guava:jar:16.0.1. Said Guava version is affected by the vulnerability CVE-2018-10237.
One way to fix the security issue in ring-swagger:0.26.2 may be to upgrade metosin:scjsv. Any thoughts on this?
My thought is: it won't help, because scjsv 0.6.0 still transitively depends on Guava 16.0.1. However, if we created a new release of scjsv that depended on json-schema-validator 2.2.13, that would bring in an up-to-date version of Guava and fix the problem.
While you wait for this to happen, if you want to mitigate CVE-2018-10237 or any other issue, I recommend directly depending on up-to-date versions of libraries. Upgrading deps and making a new release is still a manual process for us, so it may take a while. 😐
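Added example (not part of the comments above and not the project's code): a small check that lists every dependency chain leading to a given artifact, so you can see which direct dependency brings in Guava and which version is resolved after declaring a newer one directly. It assumes the indented-vector layout printed by `lein deps :tree`; the sample tree is constructed from the coordinates named in this issue plus one hypothetical library.

```python
import re

# Constructed sample in the indented-vector layout of `lein deps :tree`.
# The first four coordinates and versions are the ones named in this issue;
# example/other-lib is a hypothetical placeholder.
SAMPLE_TREE = """\
 [metosin/ring-swagger "0.26.2"]
   [metosin/scjsv "0.5.0"]
     [com.github.java-json-tools/json-schema-validator "2.2.10"]
       [com.google.guava/guava "16.0.1"]
 [example/other-lib "1.0.0"]
"""

# Leading indentation, then [group/name "version" ...
ENTRY = re.compile(r'^(\s*)\[([^\s\]]+)\s+"([^"]+)"')


def paths_to(tree_text, artifact):
    """Return every dependency chain in tree_text that ends at artifact."""
    stack = []  # (indent, "group/name version") for the branch being walked
    found = []
    for line in tree_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        indent, name, version = len(m.group(1)), m.group(2), m.group(3)
        # Entries indented at least as far as this one are not its ancestors.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, f"{name} {version}"))
        if name == artifact:
            found.append([label for _, label in stack])
    return found


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_TREE, "com.google.guava/guava"):
        print(" -> ".join(chain))
```

Feeding it the real output of `lein deps :tree` before and after adding a direct Guava dependency shows whether the resolved version actually changed.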