OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.4 to remove CVE #585

Closed amaters-easy closed 2 years ago

amaters-easy commented 2 years ago

According to our latest security scan, the list of CVEs with impact High or Critical is quite long: CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2019-12086, CVE-2019-14439, CVE-2020-10672, CVE-2020-10673

aaron-kumar commented 2 years ago

@amaters-easy: can you let me know which Oxalis (Oxalis and Oxalis-AS4) version was scanned?

amaters-easy commented 2 years ago

The Oxalis-AS4 5.1.0 Release which has the Oxalis base version 5.1.0

aaron-kumar commented 2 years ago

Only the vefa-peppol component is using "jackson-databind" (and that too in "test" scope). Oxalis version 5.1.0 is using vefa-peppol 2.1.0, which in turn is using version "2.11.0" of "com.fasterxml.jackson.core:jackson-databind:jar":

com.github.tomakehurst:wiremock:jar:2.27.2:test
...
+- com.fasterxml.jackson.core:jackson-core:jar:2.11.0:test
+- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.0:test
+- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:test

Can you please run "mvn dependency:tree" in your product/project to find out where the mentioned older version of "jackson-databind" is coming from, @amaters-easy?
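To act on the request above, here is an added shell script (not Oxalis or vefa-peppol code) that reads "mvn dependency:tree" output and reports every jackson-databind entry older than the 2.9.10.4 named in the issue title, together with its Maven scope, so a test-scope hit can be told apart from a runtime one. The tree text is constructed from the wiremock lines quoted in the comment plus a hypothetical compile-scope library that pulls in an old jackson-databind.

```shell
#!/bin/sh
# Added example (not project code): scan "mvn dependency:tree" output for
# com.fasterxml.jackson.core:jackson-databind and report entries older than
# a minimum version, together with their Maven scope.
# On a real project the text comes from:
#   mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
# Constructed sample: the wiremock subtree quoted in the issue plus a
# hypothetical compile-scope library pulling in an old jackson-databind.
SAMPLE_TREE='[INFO] +- com.github.tomakehurst:wiremock:jar:2.27.2:test
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.11.0:test
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.0:test
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:test
[INFO] \- org.example:hypothetical-lib:jar:1.0:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile'

# version_lt A B: succeeds when dotted numeric version A sorts before B
# (2.9.8 < 2.9.10.4 < 2.11.0). Qualifiers such as -rc1 are not handled.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  return 1
}

# find_databind TREE: prints "version scope" for every jackson-databind line
find_databind() {
  printf '%s\n' "$1" |
    sed -n 's/.*com\.fasterxml\.jackson\.core:jackson-databind:jar:\([^:]*\):\([a-z]*\).*/\1 \2/p'
}

# vulnerable_databind TREE MIN: prints only the entries older than MIN
vulnerable_databind() {
  find_databind "$1" | while read -r ver scope; do
    if version_lt "$ver" "$2"; then printf '%s %s\n' "$ver" "$scope"; fi
  done
}

vulnerable_databind "$SAMPLE_TREE" 2.9.10.4   # prints: 2.9.8 compile
```

Running it against the sample reports only the hypothetical compile-scope 2.9.8 entry; the test-scope 2.11.0 from wiremock is already above the minimum.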

aaron-kumar commented 2 years ago

@amaters-easy: We did not hear anything from you; do you still have any questions...

amaters-easy commented 2 years ago

Couldn't answer any earlier. We run the Docker AS4 version as it is, not as a Java project or anything like that. Perhaps some of the developers can run the mvn command?

aaron-kumar commented 2 years ago

Oxalis version 5.1.0 is using vefa-peppol 2.1.0, which in turn is using version "2.11.0" of "com.fasterxml.jackson.core:jackson-databind:jar", hence it is not an issue.

If you still have doubts, then I am moving it to discussion.