metosin / compojure-api

Sweet web apis with Compojure & Swagger
http://metosin.github.io/compojure-api/doc/
Eclipse Public License 1.0

Vulnerabilities in dependency: jackson-databind 2.2.3 #433

Open hkorpi opened 4 years ago

hkorpi commented 4 years ago

Library Version(s)

metosin/compojure-api "1.1.13"

Problem

Compojure api seems to have an old transitive dependency: [com.fasterxml.jackson.core/jackson-databind "2.2.3"]

lein nvd check complains about vulnerabilities: CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2017-7525, CVE-2018-19360, CVE-20...

Dependency tree:

[metosin/compojure-api "1.1.13"]
   [cheshire "5.9.0"]
     [com.fasterxml.jackson.core/jackson-core "2.9.9"]
     [com.fasterxml.jackson.dataformat/jackson-dataformat-cbor "2.9.9"]
     [com.fasterxml.jackson.dataformat/jackson-dataformat-smile "2.9.9"]
     [tigris "0.1.1"]
   [compojure "1.6.1"]
     [clout "2.2.1"]
     [medley "1.0.0"]
   [frankiesardo/linked "1.3.0"]
   [metosin/ring-http-response "0.9.1"]
   [metosin/ring-swagger "0.26.2"]
     [metosin/schema-tools "0.11.0"]
     [metosin/scjsv "0.5.0"]
       [com.github.java-json-tools/json-schema-validator "2.2.10"]
         [com.github.java-json-tools/json-schema-core "1.2.10"]
           [com.github.fge/uri-template "0.9"]
           [com.github.java-json-tools/jackson-coreutils "1.9"]
             [com.fasterxml.jackson.core/jackson-databind "2.2.3"]
               [com.fasterxml.jackson.core/jackson-annotations "2.2.3"]
             [com.github.fge/msg-simple "1.1"]
               [com.github.fge/btf "1.2"]
           [org.mozilla/rhino "1.7.7.1"]
         [com.googlecode.libphonenumber/libphonenumber "8.0.0"]
         [javax.mail/mailapi "1.4.3"]
         [net.sf.jopt-simple/jopt-simple "5.0.3"]

miikka commented 4 years ago

Wow, that's an old dependency. As a workaround, you can add an explicit dependency on jackson-databind and I think it should work.

[com.fasterxml.jackson.core/jackson-databind "2.9.9"]

The version of jackson-databind should always be the same as the version of jackson-core; otherwise you will have problems.

I'm not super-eager to add dependency version overrides to compojure-api – it's better to upgrade libraries deeper in the dependency tree and wait until the upgrades bubble up to compojure-api – but it will take a while.

hkorpi commented 4 years ago

What happens if I exclude metosin/scjsv like: [metosin/compojure-api "1.1.13" :exclusions [metosin/scjsv]] ?

hkorpi commented 4 years ago

... seems to at least break my test:

https://github.com/solita/livijuku/blob/develop/juku-backend/test/clj/juku/service/swagger_test.clj

Is that library metosin/scjsv only used for testing?

So can I exclude it from normal dependencies and include it in dev dependencies?

miikka commented 4 years ago

Yeah, I think that should work. scjsv is only needed for the compojure.api.validator namespace so as long as you use that only in tests, it should be fine.
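Both workarounds from this thread combined in one Leiningen project.clj, as an added example that is not from the compojure-api project: scjsv excluded from the runtime dependencies and moved to the :dev profile, plus the explicit jackson-databind pin matching the jackson-core 2.9.9 that cheshire 5.9.0 brings in. The project name is an assumption; the versions are the ones shown in the dependency tree above.

```clojure
;; project.clj -- added example, not part of compojure-api.
;; "example/app" is an assumed project name; versions come from the issue's dependency tree.
(defproject example/app "0.1.0-SNAPSHOT"
  :dependencies [;; Before: [metosin/compojure-api "1.1.13"] alone pulls in
                 ;; metosin/scjsv -> jackson-coreutils -> jackson-databind 2.2.3.
                 ;; After: keep scjsv (and that chain) off the runtime classpath.
                 [metosin/compojure-api "1.1.13" :exclusions [metosin/scjsv]]
                 ;; Pin jackson-databind to the same version as the jackson-core that
                 ;; cheshire 5.9.0 depends on. A top-level dependency wins over any
                 ;; transitive one, so this also covers what scjsv drags in under :dev.
                 [com.fasterxml.jackson.core/jackson-databind "2.9.9"]]
  ;; compojure.api.validator (the only user of scjsv) is exercised by tests only,
  ;; so scjsv becomes a dev-profile dependency and stays out of the uberjar.
  :profiles {:dev {:dependencies [[metosin/scjsv "0.5.0"]]}}
  ;; Print any remaining version conflicts when resolving dependencies.
  :pedantic? :warn)
```

Check the result with `lein deps :tree` (jackson-databind should now resolve to 2.9.9 and scjsv should appear only when the dev profile is active) and rerun `lein nvd check`.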

hkorpi commented 4 years ago

Seems to work and my uberjar is also 5Mb thinner, thanks