jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency conflicts on com.fasterxml.jackson.core:jackson-core:jar, causing inconsistent semantic behaviors #1777

Closed HelloCoCooo closed 4 years ago

HelloCoCooo commented 5 years ago

Hi, there are multiple versions of com.fasterxml.jackson.core:jackson-core:jar in DependencyCheck-v5.0.0-M1 (DependencyCheck-4.0.2\maven\src\it\629-jackson-dataformat module). As shown in the following dependency tree, according to Maven's dependency management strategy, only com.fasterxml.jackson.core:jackson-core:jar:2.4.5 can be loaded, and com.fasterxml.jackson.core:jackson-core:jar:2.8.9 will be shadowed.

Your project references the method <com.fasterxml.jackson.core.json.ReaderBasedJsonParser: com.fasterxml.jackson.core.JsonLocation getTokenLocation()> via the following invocation path, which is included in the shadowed version com.fasterxml.jackson.core:jackson-core:jar:2.8.9. However, this method is missing in the actual loaded version com.fasterxml.jackson.core:jackson-core:jar:2.4.5. Surprisingly, it will not cause NoSuchMethodError at runtime.

<com.fasterxml.jackson.databind.DeserializationContext: com.fasterxml.jackson.databind.JsonMappingException weirdKeyException(java.lang.Class,java.lang.String,java.lang.String)> C:\Users\Flipped\.m2\repository\com\fasterxml\jackson\core\jackson-databind\2.8.9\jackson-databind-2.8.9.jar
<com.fasterxml.jackson.databind.exc.InvalidFormatException: com.fasterxml.jackson.databind.exc.InvalidFormatException 'from'(com.fasterxml.jackson.core.JsonParser,java.lang.String,java.lang.Object,java.lang.Class)> C:\Users\Flipped\.m2\repository\com\fasterxml\jackson\core\jackson-databind\2.8.9\jackson-databind-2.8.9.jar
<com.fasterxml.jackson.core.json.ReaderBasedJsonParser: com.fasterxml.jackson.core.JsonLocation getTokenLocation()>

By further analyzing, I found that the caller <com.fasterxml.jackson.databind.DeserializationContext.weirdKeyException(Class, String, String)> would invoke the method ParserBase.getTokenLocation() defined in the superclass of ReaderBasedJsonParser (ReaderBasedJsonParser extends ParserBase) with the same signature as the expected callee, due to the dynamic binding mechanism.

Although the actual invoked method belonging to ParserBase has the same method name, same parameter types and return type as the expected method defined in its subclass ReaderBasedJsonParser, it has different control flows and different behaviors. Maybe it is buggy behavior.

Solution:

Use the newer version com.fasterxml.jackson.core:jackson-core:jar:2.8.9 to keep the version consistency.

Dependency Tree----

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ test-dataformat-jackson ---
[INFO] org.owasp.test:test-dataformat-jackson:jar:1.0.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.4.5:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:compile - omitted for conflict with 2.4.5)
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.5:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.4.5:compile
[INFO] |  \- (com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile - omitted for duplicate)
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.4.5:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile - omitted for duplicate)
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:compile - omitted for conflict with 2.4.5)
[INFO] |  +- (com.fasterxml.jackson.core:jackson-databind:jar:2.4.5:compile - omitted for duplicate)
[INFO] |  +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.4.5:compile
[INFO] |  |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile - omitted for duplicate)
[INFO] |  |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.4.5:compile - omitted for duplicate)
[INFO] |  \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.8.9:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile - omitted for conflict with 2.4.5)
[INFO] |  \- org.jetbrains.kotlin:kotlin-reflect:jar:1.1.1:compile
[INFO] |     \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.1.1:compile
[INFO] |        \- org.jetbrains:annotations:jar:13.0:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-ion:jar:2.8.9:compile
[INFO] |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile - omitted for conflict with 2.4.5)
[INFO] |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-hppc:jar:2.8.9:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] |  +- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] |  \- com.carrotsearch:hppc:jar:0.7.1:compile
[INFO] \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-yaml-provider:jar:2.8.9:compile
[INFO]    +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.8.9:compile
[INFO]    |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO]    +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO]    +- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO]    +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.9:compile
[INFO]    |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO]    |  \- org.yaml:snakeyaml:jar:1.17:compile
[INFO]    \- (com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.8.9:compile - omitted for conflict with 2.4.5)

Thanks! Best regards, Coco
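Added example, not part of the issue and not code from dependency-check or Jackson: a small Python check that reads verbose `mvn dependency:tree` output and reports every artifact where Maven's nearest-wins mediation resolved a version lower than one that was "omitted for conflict" elsewhere in the tree, which is the situation the report above describes. The sample tree is a constructed excerpt in the shape of the tree quoted above; the function names (`parse_tree`, `find_downgrades`, `version_key`) are mine, and `version_key` is only an approximation of Maven's version ordering that is adequate for plain numeric versions.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed sample: an excerpt in the shape of `mvn dependency:tree -Dverbose`
# output, modelled on the tree quoted in the issue above.
SAMPLE_TREE = """\
[INFO] org.owasp.test:test-dataformat-jackson:jar:1.0.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.4.5:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:compile - omitted for conflict with 2.4.5)
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.5:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.4.5:compile
[INFO] |  \\- (com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile - omitted for duplicate)
[INFO] +- com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.8.9:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile - omitted for conflict with 2.4.5)
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.9:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile - omitted for conflict with 2.4.5)
[INFO] |  \\- org.yaml:snakeyaml:jar:1.17:compile
"""

# One tree node: group:artifact:type:version:scope, optionally wrapped in
# parentheses with an "omitted for ..." reason when -Dverbose is used.
NODE_RE = re.compile(
    r"\(?(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
    r"(?: - omitted for (?P<reason>conflict with [\w.\-]+|duplicate))?\)?"
)


@dataclass
class Mediation:
    """What Maven kept for one group:artifact and which versions it dropped."""
    resolved: str = ""
    omitted_for_conflict: set[str] = field(default_factory=set)


def version_key(version: str) -> tuple:
    # Numeric-aware sort key: "2.8.9" sorts above "2.4.5". Non-numeric parts
    # (e.g. SNAPSHOT) are compared as strings; this is an approximation of
    # Maven's real ordering, not a reimplementation of it.
    return tuple(
        (1, int(part)) if part.isdigit() else (0, part)
        for part in re.split(r"[.\-]", version)
    )


def parse_tree(text: str) -> dict[str, Mediation]:
    """Collect the resolved and conflict-omitted versions per group:artifact."""
    table: dict[str, Mediation] = {}
    for line in text.splitlines():
        m = NODE_RE.search(line)
        if not m:  # the root project line has no scope and is skipped
            continue
        entry = table.setdefault(f"{m['group']}:{m['artifact']}", Mediation())
        if m["reason"] is None:
            entry.resolved = m["version"]          # the version on the classpath
        elif m["reason"].startswith("conflict"):
            entry.omitted_for_conflict.add(m["version"])
    return table


def find_downgrades(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (artifact, resolved version, newer omitted versions) triples."""
    findings = []
    for key, med in parse_tree(text).items():
        if not med.resolved:
            continue
        newer = sorted(
            (v for v in med.omitted_for_conflict if version_key(v) > version_key(med.resolved)),
            key=version_key,
        )
        if newer:
            findings.append((key, med.resolved, newer))
    return findings


if __name__ == "__main__":
    tree_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for artifact, resolved, newer in find_downgrades(tree_text):
        print(f"{artifact}: classpath has {resolved}, but {', '.join(newer)} "
              f"was requested by another dependency")
```

To run it on a real build, capture `mvn dependency:tree -Dverbose > tree.txt` and pass `tree.txt` as the first argument; without `-Dverbose` the plugin does not print the "omitted for conflict" entries the check relies on. Each reported artifact is a candidate for an explicit `<dependencyManagement>` entry that pins the newer version, which is what the fix proposed above amounts to.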

HelloCoCooo commented 5 years ago

The code snippet of <com.fasterxml.jackson.core.json.ReaderBasedJsonParser: com.fasterxml.jackson.core.JsonLocation getTokenLocation()> in version com.fasterxml.jackson.core:jackson-core:jar:2.8.9 ----

[screenshot: ReaderBasedJsonParser.getTokenLocation() in jackson-core 2.8.9]

com.fasterxml.jackson.core:jackson-core:jar:2.4.5 does not contain <com.fasterxml.jackson.core.json.ReaderBasedJsonParser: com.fasterxml.jackson.core.JsonLocation getTokenLocation()>.

The code snippet of <com.fasterxml.jackson.core.json.ParserBase: com.fasterxml.jackson.core.JsonLocation getTokenLocation()> in version com.fasterxml.jackson.core:jackson-core:jar:2.4.5----

[screenshot: ParserBase.getTokenLocation() in jackson-core 2.4.5]

The method ReaderBasedJsonParser.getTokenLocation() included in the newer version 2.8.9 deals with more cases and adds more control branches, which changes the control flows and data flows. So referencing ParserBase.getTokenLocation() in version 2.4.5 by dynamic binding may lead to inconsistent semantic behaviors.

Thanks again.

jeremylong commented 5 years ago

Yes - PRs are always welcome.

Thanks!

jeremylong commented 5 years ago

So I think there might be some confusion with regard to this. maven\src\it\629-jackson-dataformat is an integration test. The dependencies in this have absolutely nothing to do with the functionality within dependency-check. This integration test exists to identify if dependency-check can correctly identify the CVEs associated with jackson-dataformat.

Running mvn dependency:tree shows that there is no dependency on jackson in the core project.