aws / aws-sdk-java

The official AWS SDK for Java 1.x (In Maintenance Mode, End-of-Life on 12/31/2025). The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
https://aws.amazon.com/sdkforjava
Apache License 2.0

Upgrade jackson databind to address known issues #3120

Closed eoliphan closed 5 months ago

eoliphan commented 5 months ago

Upcoming End-of-Support

Describe the bug

The current jackson version has some known issues that are addressed as of the latest releases.

Expected Behavior

Transitive deps shouldn't have issues

Current Behavior

SCA scans flag some known issues.

Reproduction Steps

Perform an SCA scan

Possible Solution

Upgrade jackson

Additional Information/Context

It may be useful to integrate GH actions, Maven plugins, etc. that automate SCA scans

AWS Java SDK version used

1.12.741

JDK version used

openjdk version "1.8.0_402" OpenJDK Runtime Environment Corretto-8.402.06.1 (build 1.8.0_402-b06) OpenJDK 64-Bit Server VM Corretto-8.402.06.1 (build 25.402-b06, mixed mode)

Operating System and version

AWS linux 2

debora-ito commented 5 months ago

@eoliphan do you have a report of the known issues? Is any issue security-related?

For context, Java SDK v1 cannot upgrade away from jackson databind 2.17.7.x; it can introduce some breaking changes.