milvus-io / milvus-sdk-java

Java SDK for Milvus.
https://milvus.io
Apache License 2.0
361 stars 148 forks

Unsafe deserialization in com.alibaba:fastjson #878

Open king1302217 opened 2 months ago

king1302217 commented 2 months ago

milvus-sdk-java relies on fastjson. This jar is unsafe to use. Can we upgrade from fastjson to another jar, such as Jackson or Gson?

yhmo commented 2 months ago

OK, we will try to replace it in the next minor version.

yhmo commented 2 months ago

@king1302217 This article mentioned "To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83."

The java sdk is using this version: https://github.com/milvus-io/milvus-sdk-java/blob/64e42bf8ee7dd6ce0b6a789c45c5afc031aa987b/pom.xml#L96

So, can we say it is safe now?

king1302217 commented 2 months ago

@yhmo Fastjson is forbidden in my company. As far as I know, this jar is forbidden in many companies, so it is better to fix it in the next version.

TWSFar commented 2 months ago

@yhmo Our company also prohibits the use of Fastjson, and we have the same requirement. Can you optimize and upgrade it?

yhmo commented 2 months ago

Currently, com.alibaba.fastjson.JSONObject is used as the input of InsertParam/UpsertParam/InsertRowsParam and the output of SearchResultsWrapper/QueryResultsWrapper. If we replace it with gson.JsonObject, it will have a large impact on users' client code.
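The input-side impact yhmo describes, shown as an added example that is not code from this thread or from the milvus-sdk-java project: the same insert row built as a fastjson JSONObject (what the SDK accepts today) and as a Gson JsonObject (what it would accept after the swap). The InsertParam builder calls (newBuilder, withCollectionName, withRows, build) are assumed from the SDK's public API; the collection and field names are made up.

```java
// Added example, not code from the issue thread or the milvus-sdk-java project.
// Shows why swapping fastjson for Gson touches every call site that builds rows:
// the two object types have different construction APIs.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import com.alibaba.fastjson.JSONObject;   // fastjson: the SDK's current dependency
import com.google.gson.Gson;             // Gson: the proposed replacement
import com.google.gson.JsonObject;

import io.milvus.param.dml.InsertParam;  // builder methods assumed from the SDK API

public class RowMigration {

    // Today: rows are fastjson JSONObjects. put() accepts raw Java values,
    // including lists, so client code tends to be compact.
    static InsertParam fastjsonInsert(String collection) {
        JSONObject row = new JSONObject();
        row.put("id", 1L);                                   // hypothetical field names
        row.put("vector", Arrays.asList(0.1f, 0.2f, 0.3f));
        row.put("tag", "demo");
        return InsertParam.newBuilder()
                .withCollectionName(collection)
                .withRows(Collections.singletonList(row))
                .build();
    }

    // After a swap to Gson: JsonObject has no put(). Scalars go through
    // addProperty(), and collections must first be turned into a JsonElement
    // with Gson.toJsonTree(). This list cannot be handed to the current
    // withRows(List<JSONObject>) overload, which is the compile-time break
    // every user would hit on upgrade.
    static List<JsonObject> gsonRows() {
        Gson gson = new Gson();
        JsonObject row = new JsonObject();
        row.addProperty("id", 1L);
        row.add("vector", gson.toJsonTree(Arrays.asList(0.1f, 0.2f, 0.3f)));
        row.addProperty("tag", "demo");
        return Collections.singletonList(row);
    }
}
```

Note that building objects locally, as both helpers do, never runs fastjson's parser; the unsafe-deserialization risk named above (CVE-2022-25845, fixed in 1.2.83) is in parsing attacker-controlled JSON text with autoType enabled. Whether the SDK itself parses server responses with fastjson inside SearchResultsWrapper/QueryResultsWrapper is not established in this thread, so the resolved fastjson version in a consuming project still matters until the replacement ships.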

king1302217 commented 2 months ago

Yes, but I think it is very necessary to fix because many companies prohibit the use of Fastjson. So I hope we can upgrade in the next version. @yhmo

yhmo commented 1 month ago

Note: The work of replacing FastJson with Gson is not ready. Today we released two new minor versions v2.3.7/v2.4.1 to fix some blocking issues. Replacing FastJson with Gson is postponed to the next minor version.