Closed amaters-easy closed 2 years ago
@amaters-easy: Can you let me know which Oxalis (Oxalis and Oxalis-AS4) version was scanned?
The Oxalis-AS4 5.1.0 Release which has the Oxalis base version 5.1.0
Only the vefa-peppol component is using "jackson-databind" (and that too in "test" scope). Oxalis version 5.1.0 is using vefa-peppol 2.1.0, which in turn is using version "2.11.0" of "com.fasterxml.jackson.core:jackson-databind:jar"
com.github.tomakehurst:wiremock:jar:2.27.2:test
...
+- com.fasterxml.jackson.core:jackson-core:jar:2.11.0:test
+- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.0:test
+- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:test
Can you please run "mvn dependency:tree" in your product/project to find out where the mentioned older version of "jackson-databind" is coming from for you, @amaters-easy?
@amaters-easy: We did not hear anything from you if you still have any questions...
Could answer any earlier. We run the Docker AS4 version as it is, not as a Java project or anything like that. Perhaps some of the developers can run the mvn command?
Oxalis version 5.1.0 is using vefa-peppol 2.1.0 and which in turn is using version "2.11.0" of "com.fasterxml.jackson.core:jackson-databind:jar", hence it is Not an issue
If you still have doubts, then moving it to discussion.
According to our latest security scan, the list of CVEs with impact High or Critical is quite long: CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2019-12086, CVE-2019-14439, CVE-2020-10672, CVE-2020-10673
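
The check requested earlier in the thread (which version and scope of "jackson-databind" a build resolves, and through which parent) can be automated over saved `mvn dependency:tree` output. This is an added example, not code from the thread or from the Oxalis project; the root coordinate and the `lib-a`/`lib-b` lines in the sample are constructed, and only the wiremock/jackson lines mirror the tree quoted above.

```python
import re

# Constructed sample in the text format printed by `mvn dependency:tree`.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:tree (default-cli) ---
[INFO] org.example:scanned-module:jar:0.0.0
[INFO] +- org.example:lib-a:jar:1.0.0:compile
[INFO] |  \- org.example:lib-b:jar:1.0.0:compile
[INFO] \- com.github.tomakehurst:wiremock:jar:2.27.2:test
[INFO]    +- com.fasterxml.jackson.core:jackson-core:jar:2.11.0:test
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.0:test
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:test
[INFO] BUILD SUCCESS
"""

# Each tree level adds a 3-character prefix ("|  ", "   ", "+- " or "\- ").
LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<prefix>(?:[| ]  )*(?:[+\\]- )?)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})"
)

def find_artifact(tree_text, artifact_id):
    """Return version, scope and root-to-node path for every occurrence."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # plugin banner, build status, blank lines
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        # Root is group:artifact:type:version; dependencies end in version:scope
        # (an optional classifier sits between type and version).
        if depth == 0:
            version, scope = parts[-1], None
        else:
            version, scope = parts[-2], parts[-1]
        del stack[depth:]  # drop siblings and deeper nodes of earlier branches
        stack.append(f"{parts[1]}:{version}")
        if parts[1] == artifact_id:
            hits.append({"version": version, "scope": scope, "path": list(stack)})
    return hits

def ships_at_runtime(hit):
    # test- and provided-scope artifacts are not packaged by default
    return hit["scope"] in ("compile", "runtime")

if __name__ == "__main__":
    for hit in find_artifact(SAMPLE_TREE, "jackson-databind"):
        print(hit["version"], hit["scope"], " > ".join(hit["path"]),
              "SHIPPED" if ships_at_runtime(hit) else "not packaged")
```

A clean result here only describes the Maven build; a scanner pointed at the Docker image reports whatever jar files are actually present in the image.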