Open kazurayam opened 1 year ago
I published the inspectus-0.9.5 to the Maven Central. Then I got a mail from Sonatype Lift, which told me that the inspectus-0.9.5.jar is vulnerable: it has a dependency on jackson-databind@2.6.7.1, which is highly vulnerable.

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.1

$ cd inspectus
$ gradle dependencies >~/tmp/inspectus-dependencies.txt

The output was this:

runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.kazurayam:materialstore:0.16.5
...
| +--- com.upplication:s3fs:2.2.2
| | +--- com.amazonaws:aws-java-sdk-s3:1.11.232
| | | +--- com.amazonaws:aws-java-sdk-kms:1.11.232
| | | | +--- com.amazonaws:aws-java-sdk-core:1.11.232
| | | | | +--- org.apache.httpcomponents:httpclient:4.5.2
| | | | | | +--- org.apache.httpcomponents:httpcore:4.4.4
| | | | | | \--- commons-codec:commons-codec:1.9 -> 1.15
| | | | | +--- software.amazon.ion:ion-java:1.0.2
| | | | | +--- com.fasterxml.jackson.core:jackson-databind:2.6.7.1
| | | | | | +--- com.fasterxml.jackson.core:jackson-annotations:2.6.0
| | | | | | \--- com.fasterxml.jackson.core:jackson-core:2.6.7
| | | | | +--- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.7
| | | | | | \--- com.fasterxml.jackson.core:jackson-core:2.6.7
| | | | | \--- joda-time:joda-time:2.8.1
...

The cause was that materialstore-0.16.5 -> ... -> com.fasterxml.jackson.core:jackson-databind:2.6.7.1

The feature of accessing AWS S3 should be optional for the materialstore library; it should not be built-in; it should be pluggable.