Closed aikebah closed 1 year ago
This one is more complicated. We have implicated the jackson-datatype-jsr310
package directly with the CVE, and that should show up tomorrow. Un-implicating jackson-databind
is more of a trick due to how the research pipeline for OSS Index works under the hood, so it will have to remain as a false positive for now.
However, we are in the midst of a rather large effort to move the OSS Index research to a different research pipeline that will result in not only higher quality results (for example, fixing this false positive), but also fewer false negatives and overall a much faster update time.
I am uncertain when this new pipeline will be fully in operation, but I suspect Maven/Java will be pretty high up on the priority list.
Vulnerability URL
Description: The wrong component is linked to this vulnerability. It gets reported by OSSINDEX for pkg:maven/com.fasterxml.jackson.core/jackson-databind, but the vulnerability resides in one of the submodules of jackson-modules-java8: pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310, which is a separate library that requires explicit addition to a project's dependencies. See the jackson-modules-java8 GitHub issue for details.
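The description above boils down to a triage rule: a finding OSS Index attaches to jackson-databind is only real if the project actually resolves jackson-datatype-jsr310. The helper below is an added example, not code from this issue, OSS Index or any Sonatype tool; it assumes findings and dependencies are plain purl strings, and the remap table, the CVE placeholder and the sample dependency list are constructed here.

```python
from dataclasses import dataclass

# Known misattributions, constructed from this issue: OSS Index reports the finding
# against the key purl, but the vulnerable code lives in the value purl, which is a
# separate artifact that must be added explicitly. Extend as further cases are confirmed.
MISATTRIBUTED = {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind":
        "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310",
}


def coordinates(purl: str) -> str:
    """Strip version, qualifiers and subpath from a purl, keeping type/namespace/name."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


@dataclass
class Triage:
    vuln_id: str
    reported: str   # purl the scanner attached the finding to
    actual: str     # purl where the vulnerable code really lives
    present: bool   # is that actual artifact in the resolved dependency graph?


def triage(findings, dependency_purls):
    """Re-map findings whose reported purl is a known misattribution.

    Each finding is a dict with 'id' and 'purl'. Findings on purls not in
    MISATTRIBUTED are not returned; they need ordinary handling.
    """
    present = {coordinates(p) for p in dependency_purls}
    out = []
    for f in findings:
        reported = coordinates(f["purl"])
        actual = MISATTRIBUTED.get(reported)
        if actual is not None:
            out.append(Triage(f["id"], reported, actual, actual in present))
    return out


# Constructed sample: a project that resolves jackson-databind but not the jsr310 module.
SAMPLE_FINDINGS = [{"id": "CVE-XXXX-YYYY (placeholder)",
                    "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@1.2.3"}]
SAMPLE_DEPS = ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@1.2.3",
               "pkg:maven/com.fasterxml.jackson.core/jackson-core@1.2.3"]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS, SAMPLE_DEPS):
        verdict = "needs fixing" if t.present else "likely false positive"
        print(f"{t.vuln_id}: reported on {t.reported}, actually in {t.actual} -> {verdict}")
```

A finding marked "likely false positive" still deserves a recorded suppression with this reasoning attached, so it can be revisited once the attribution is corrected upstream.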