Open TWiStErRob opened 2 years ago
version 5.3.2 is still reported to have a transitive vulnerability from jackson-databind:2.10.3 :(
@wszczepaniak barking up the wrong tree, see the link in OP.
4 is up to you how you read it, it's just an expression, I meant @bonigarcia can't do much here until it's fixed upstream.
I haven't considered 3 as a solution, but that's a fair point. It might be a quite fundamental change though, because it's part of the public API.
I believe the latest version of docker-java has bumped bcprov and commons-io. But the docker-java team refuses to bump jackson (see https://github.com/docker-java/docker-java/pull/2037).
Let's see what the explanation is, but regardless, that's some progress with the other two 👏.
Hi, do we have any update on this?
@masoodmd0786 As you have seen in https://github.com/docker-java/docker-java/issues/1974, no news yet
Sad but happy to see you're working on fixing the issue. Thanks
I just wanted to report the same, but then found that there already is such an issue open.
In case it helps, here's a list of vulnerabilities from transitive dependencies found in 5.7.0. As far as I can tell, they're all coming through com.fasterxml.jackson.core:jackson-databind:2.10.3
The criticality is probably low.
The easiest way to suppress the issue is by adding this to my dependencies in Gradle:
testImplementation("com.fasterxml.jackson.core:jackson-databind:2.16.0")
If folks want to play it safe, they can also do this:
testImplementation("io.github.bonigarcia:webdrivermanager:5.7.0") {
exclude(group = "com.fasterxml.jackson.core", module = "jackson-databind")
}
Hope this helps someone.
Thank you @christianhujer 🙇
Curious if you know whether excluding this dependency will affect how the package functions? 🤔
Was wondering the same! They just won't upgrade #2328
Not sure if this would work, but can we <exclude> Jackson from java-docker and add the latest Jackson dependency in WebDriverManager pom.xml?
I have just released WebDriverManager 5.9.0, which excludes org.bouncycastle:bcpkix-jdk18on and forces the use of jackson-databind 2.17.1. So I believe this issue should be fixed now.
Sorry, but forcing the use of the latest jackson-databind release does not work. The Docker support in WebDriverManager 5.9.0 seems broken now. See the errors (Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/util/JacksonFeature) in:
https://github.com/bonigarcia/selenium-jupiter/actions/runs/9647381928/job/26606009989
I am going to release WebDriverManager 5.9.1 without forcing the use of jackson-databind 2.17.1.
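As an added example (not code from this thread or from the WebDriverManager project), a Gradle Kotlin DSL build for a hypothetical consuming project that shows the fragile override beside an aligned one: the com.fasterxml.jackson:jackson-bom coordinate is real, the checkJacksonAlignment task is hypothetical, and reading the NoClassDefFoundError for JacksonFeature as a jackson-core/jackson-databind version mismatch (that class lives in jackson-core 2.12+) is an assumption.

```kotlin
// build.gradle.kts of a hypothetical project that consumes WebDriverManager.
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Fragile setting: pinning only jackson-databind leaves jackson-core and
    // jackson-annotations at whatever docker-java drags in transitively, so
    // databind 2.17.x can end up next to an older core that lacks
    // com.fasterxml.jackson.core.util.JacksonFeature (assumed cause of the
    // NoClassDefFoundError seen in the thread).
    // testImplementation("com.fasterxml.jackson.core:jackson-databind:2.17.1")

    // Aligned setting: import the Jackson BOM so every Jackson artifact
    // (core, databind, annotations, datatype modules) resolves to one line.
    testImplementation(platform("com.fasterxml.jackson:jackson-bom:2.17.1"))

    // Keep WebDriverManager but drop the stale jackson-databind it brings in
    // via docker-java, then re-add databind so the BOM-managed version is used.
    testImplementation("io.github.bonigarcia:webdrivermanager:5.7.0") {
        exclude(group = "com.fasterxml.jackson.core", module = "jackson-databind")
    }
    testImplementation("com.fasterxml.jackson.core:jackson-databind")
}

// Hypothetical guard task: fail if any Jackson artifact on the test runtime
// classpath resolves outside the expected line, which catches a transitive
// downgrade being reintroduced by a future dependency bump.
tasks.register("checkJacksonAlignment") {
    doLast {
        val jackson = configurations.testRuntimeClasspath.get()
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group.startsWith("com.fasterxml.jackson") }
        val versions = jackson.map { it.version }.toSet()
        check(versions == setOf("2.17.1")) {
            "Jackson artifacts are not aligned: $jackson"
        }
    }
}
```

Run `./gradlew checkJacksonAlignment` after any dependency change; `./gradlew dependencies --configuration testRuntimeClasspath` shows which path still pulls an older Jackson if the check fails.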
Description of the problem: There are vulnerabilities in transitive dependencies because they're not using the latest versions.
Browser and version: N/A
Operating system: N/A
WebDriverManager version: 5.3.0
This report is by Sonatype lift:
All (except 1) vulnerabilities will be fixed by bumping to latest minor for these.
Please watch (Subscribe button in sidebar) on https://github.com/docker-java/docker-java/issues/1974 and bump whenever they release.