Netflix / eureka

AWS Service registry for resilient mid-tier load balancing and failover.
Apache License 2.0

Jackson cbor #1410

Open AmitAmar opened 3 years ago

AmitAmar commented 3 years ago

Hi,

I upgraded some Jackson jars in your code:

```groovy
compile "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}"
compile "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
compile "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"

// Eureka client uses JSON encoding by default
compileOnly "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:${jacksonVersion}"
```

In this PR we discussed it and agreed not to upgrade beyond version 2.10.

I ran a WhiteSource scan and saw some vulnerabilities in this jar:

eureka\WEB-INF\lib\jackson-dataformat-cbor-2.6.7.jar

I searched the source code and didn't find this dependency in the Gradle file.

Any suggestions?

Thanks guys, and have a nice day,

Amit.

troshko111 commented 3 years ago

What does dependencyInsight tell you in Gradle?
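Added example, not code from the Eureka repository or from either commenter: how to locate a jar that appears in `WEB-INF/lib` without a matching line in the build file, and how to pin its version once the requester is known. The module name `eureka-server`, the configuration name `runtimeClasspath`, and the assumption that `jackson-dataformat-cbor` arrives transitively rather than from a direct declaration are illustrative; `jacksonVersion` is the property already used in the build fragment quoted above.

```groovy
// Added example (not from the Eureka build): find the dependency path that
// pulls jackson-dataformat-cbor into the war, then force the resolved version.
//
// 1. Ask Gradle which path requests the artifact. Module and configuration
//    names are assumptions; adjust them to the real project layout (older
//    builds that still use the "compile" configuration expose "runtime"
//    instead of "runtimeClasspath").
//
//    ./gradlew :eureka-server:dependencyInsight \
//        --configuration runtimeClasspath \
//        --dependency com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
//
//    The report lists the selected version (2.6.7 in the issue) and every
//    chain that requests it, e.g.
//        some-library:x.y.z  ->  jackson-dataformat-cbor:2.6.7
//    which is why the artifact never shows up in the project's own
//    dependency block: only the requesting library does.
//
// 2. Pin the version for every configuration. resolutionStrategy.force works
//    on legacy "compile"-style builds as well as current Gradle; on Gradle
//    4.6+ a dependencies { constraints { ... } } block is the preferred form.
configurations.all {
    resolutionStrategy {
        // Keep the CBOR module on the same version as jackson-core and
        // jackson-annotations; Jackson modules must share a minor version.
        force "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:${jacksonVersion}"
    }
}

// 3. Re-run step 1. The insight report should now show jacksonVersion with
//    the reason "forced", and the jar under WEB-INF/lib should carry that
//    version after the next build. Re-run the scanner against the fresh war
//    rather than against the source tree, since the scanner flagged the
//    packaged artifact, not a declaration.
```

Two caveats a reviewer would add: forcing `jackson-dataformat-cbor` to `jacksonVersion` only makes sense if that version is also compatible with the `jackson-databind` version the build pins separately (`jacksonDatabindVersion` in the quoted fragment), and a force does not change the library that asked for 2.6.7, so the insight report should be re-read after the change to confirm nothing else still resolves to the old jar.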

kkrakovych commented 2 years ago

Hi @troshko111 , the pull request is addressed to fix the issue with outdated Jackson CBOR library.