dangmai / apex-ast-serializer

Serialize Apex Abstract Syntax Tree
MIT License

Overwrite Jetty version of Jackson temporarily to fix `Sonatype-2022-6438` #194

Open yeikel opened 1 year ago

yeikel commented 1 year ago

Currently, the Jackson version bundled with jersey is vulnerable to Sonatype-2022-6438. See https://github.com/FasterXML/jackson-core/issues/861 (Jackson is a transitive dependency)

This is currently under discussion here https://github.com/eclipse-ee4j/jersey/issues/5283 but it is unclear when that will be resolved

Sadly, due to this vulnerability, we cannot use prettier-plugin-apex in our environment because this dependency is pulling Jackson 2.14.1

Would you be open to temporarily overwriting the version of Jackson?

We should be able to exclude it from jetty and define Jackson 2.15 explicitly

https://github.com/dangmai/apex-ast-serializer/blob/master/build.gradle#L117

Current dependency tree:

```text
org.glassfish.jersey.media:jersey-media-json-jackson:3.1.3
|    +--- org.glassfish.jersey.core:jersey-common:3.1.3 (*)
|    +--- org.glassfish.jersey.ext:jersey-entity-filtering:3.1.3
|    |    \--- jakarta.ws.rs:jakarta.ws.rs-api:3.1.0
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1
|    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1
|    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1 (c)
|    |         +--- com.fasterxml.jackson.core:jackson-core:2.14.1 (c)
|    |         +--- com.fasterxml.jackson.core:jackson-databind:2.14.1 (c)
|    |         \--- com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:2.14.1 (c)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.14.1
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-core:2.14.1
|    |    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1 (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1 (*)
|    +--- com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:2.14.1
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-core:2.14.1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.14.1 (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1 (*)
|    \--- jakarta.xml.bind:jakarta.xml.bind-api:4.0.0
|         \--- jakarta.activation:jakarta.activation-api:2.1.0 -> 2.1.2
```

We can volunteer and send a pull request with that change if accepted
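The override described above (exclude the transitive Jackson artifacts from jersey-media-json-jackson and declare Jackson 2.15 explicitly), written out as an added Gradle example; this is not the project's build.gradle and not the code from the linked pull request. The patch version `2.15.0` and the `implementation` configuration are assumptions.

```groovy
// Added example, not the project's own build.gradle. Pins Jackson to a 2.15.x
// release so the 2.14.1 copy pulled in transitively by jersey-media-json-jackson
// (see the dependency tree above) is no longer resolved. "2.15.0" is assumed.
def jacksonVersion = '2.15.0'

dependencies {
    implementation('org.glassfish.jersey.media:jersey-media-json-jackson:3.1.3') {
        // Drop jersey's transitive Jackson artifacts so the explicit ones below win
        // (jackson-bom lives in group com.fasterxml.jackson and is left alone; the
        // resolutionStrategy hook below catches anything it still pins to 2.14.1).
        exclude group: 'com.fasterxml.jackson.core'
        exclude group: 'com.fasterxml.jackson.module'
    }

    // The same four Jackson modules jersey-media-json-jackson needs, at the patched version.
    implementation "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
    implementation "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
    implementation "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}"
    implementation "com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:${jacksonVersion}"
}

// Safety net: if any other path (for example the jackson-bom platform) still asks
// for a 2.14.1 Jackson artifact, rewrite that request to the pinned version and
// record why, so `dependencyInsight` shows the reason for the substitution.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group.startsWith('com.fasterxml.jackson')
                && details.requested.version == '2.14.1') {
            details.useVersion(jacksonVersion)
            details.because('Sonatype-2022-6438: jackson-core 2.14.1 affected (FasterXML/jackson-core#861)')
        }
    }
}
```

To confirm the override took effect, run `./gradlew dependencyInsight --dependency jackson-core --configuration runtimeClasspath` and check that only the pinned version is selected; the resulting dependency tree (`./gradlew dependencies --configuration runtimeClasspath`) should no longer list any `2.14.1` Jackson entries.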

dangmai commented 1 year ago

Hello! Yes, I'd welcome a PR to fix this. Please understand that if the transitive dependency explicit version does not work with all the tests on the Prettier Apex side (because it looks like jersey itself has some issue upgrading to the new version), then I won't be able to merge them.

yeikel commented 1 year ago

> Hello! Yes, I'd welcome a PR to fix this. Please understand that if the transitive dependency explicit version does not work with all the tests on the Prettier Apex side (because it looks like jersey itself has some issue upgrading to the new version), then I won't be able to merge them.

I submitted https://github.com/dangmai/apex-ast-serializer/pull/195

> Please understand that if the transitive dependency explicit version does not work with all the tests on the Prettier Apex

That's fair. How can I test this?