java-json-tools / json-schema-validator

A JSON Schema validation implementation in pure Java, which aims for correctness and performance, in that order
http://json-schema-validator.herokuapp.com/

Metric ton of insecure dependencies #288

Closed jaxley closed 4 years ago

jaxley commented 5 years ago

This library has a ton of insecure dependencies. Time to up-rev them. May be worthwhile to integrate Snyk to keep them updated: https://snyk.io/test/

json-schema-validator jaxley$ snyk test

Testing /private/tmp/json-schema-validator...

✗ Medium severity issue found in org.mozilla:rhino
  Description: MPL-2.0 license
  Info: https://snyk.io/vuln/snyk:lic:maven:org.mozilla:rhino:MPL-2.0
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > org.mozilla:rhino@1.7.7.1

✗ Medium severity vulnerability found in com.google.guava:guava
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.fge:uri-template@0.9 > com.google.guava:guava@16.0.1
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.google.guava:guava@16.0.1

✗ Medium severity vulnerability found in com.fasterxml.jackson.core:jackson-core
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3 > com.fasterxml.jackson.core:jackson-core@2.2.3

✗ Medium severity vulnerability found in com.fasterxml.jackson.core:jackson-core
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3 > com.fasterxml.jackson.core:jackson-core@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

✗ High severity vulnerability found in com.fasterxml.jackson.core:jackson-databind
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884
  Introduced through: com.github.java-json-tools:json-schema-core@1.2.9
  From: com.github.java-json-tools:json-schema-core@1.2.9 > com.github.java-json-tools:jackson-coreutils@1.9 > com.fasterxml.jackson.core:jackson-databind@2.2.3

Capstan commented 4 years ago

Upon a manual run of https://snyk.io/test/github/java-json-tools/json-schema-validator at commit e3fb6fb9, this appears to be fixed.