reactiverse / es4x

🚀 fast JavaScript 4 Eclipse Vert.x
https://reactiverse.io/es4x/
Apache License 2.0
883 stars 75 forks

Jackson dependency has severe vulnerabilities #344

Closed oravecz closed 4 years ago

oravecz commented 4 years ago

Would love to use in my organization, but our internal tooling will not allow packages with a dependency on this version of Jackson. Is there a way for me to force an upgrade to a newer version?

Not sure why that remediation message says this; you are dependent on version 2.10.2 already. The snyk remediation below is wrong. Not sure if there is a "safe" version of Jackson available.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4 or higher.

Type:               VULNERABILITY
Name:               SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094
CVSS Score v3:      9.8
Severity:           severe
Description Link:   https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094
pmlopes commented 4 years ago

I believe this is a false positive. Jackson gets pulled from vertx-core, which is 3.9.0 and defines jackson-databind 2.10.2. Can you confirm your project is using es4x 0.11.0?

oravecz commented 4 years ago

That’s the dependency tree I see also, and I think you are right. Version 2.10.2 is shown to not have vulnerabilities. https://snyk.io/vuln/maven:com.fasterxml.jackson.core%3Ajackson-databind

pmlopes commented 4 years ago

Perhaps some other dependency has a dependency on databind 2.9.x and it gets upgraded later? From what I can tell we don't depend on it.
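The way to settle the question raised in this thread is to look at what Maven actually selects, not at what each library declares: `mvn dependency:tree -Dverbose` prints every candidate version of an artifact and marks the ones it dropped as `omitted for conflict`, and because Maven mediates by nearest-wins, a 2.9.x pulled in close to the root silently beats the 2.10.2 that vertx-core declares three levels down. The script below is an added example, not code from the es4x project or from the thread participants. It parses a constructed sample of that verbose output: the `com.example:myapp` root and the `com.example:legacy-lib` dependency with its old jackson-databind 2.9.8 are hypothetical, the vertx-core 3.9.0 to jackson-databind 2.10.2 edge mirrors what pmlopes states above, and the 2.9.10.4 floor is taken from the Snyk remediation quoted in the issue.

```python
"""Find which version of an artifact Maven actually resolves, from
`mvn dependency:tree -Dverbose` output, and compare it to an advisory floor."""
import re

# Constructed sample output (not captured from a real es4x build).
# legacy-lib and its jackson-databind 2.9.8 are hypothetical. Note that
# Maven's nearest-wins rule selects the 2.9.8 sitting at depth 2 and drops
# the 2.10.2 that vertx-core declares at depth 3.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- io.reactiverse:es4x:jar:0.11.0:compile
[INFO] |  \- io.vertx:vertx-core:jar:3.9.0:compile
[INFO] |     \- (com.fasterxml.jackson.core:jackson-databind:jar:2.10.2:compile - omitted for conflict with 2.9.8)
[INFO] \- com.example:legacy-lib:jar:1.2.3:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] BUILD SUCCESS
"""

JACKSON = ("com.fasterxml.jackson.core", "jackson-databind")
# Floor from the Snyk remediation quoted in the issue ("2.9.10.4 or higher").
ADVISORY_FLOOR = "2.9.10.4"


def parse_tree(text):
    """Return one dict per dependency node in verbose dependency:tree output."""
    nodes = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO]"):
            continue
        # Drop the tree-drawing prefix: spaces, '|', '+', '\\', '-'.
        body = raw[len("[INFO]"):].lstrip(" |+\\-")
        if not body:
            continue
        omitted = body.startswith("(")          # Maven did not select this copy
        body = body.strip("()")
        coord, _, reason = body.partition(" - ")  # reason: "omitted for conflict with X"
        fields = coord.split(":")
        if len(fields) < 4:                     # plugin banner, BUILD SUCCESS, etc.
            continue
        # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
        version = fields[4] if len(fields) == 6 else fields[3]
        nodes.append({
            "group": fields[0],
            "artifact": fields[1],
            "version": version,
            "omitted": omitted,
            "reason": reason.strip(),
        })
    return nodes


def resolved_versions(nodes, group, artifact):
    """Return (selected version or None, list of omitted versions) for one g:a."""
    selected, omitted = None, []
    for n in nodes:
        if (n["group"], n["artifact"]) != (group, artifact):
            continue
        if n["omitted"]:
            omitted.append(n["version"])
        else:
            selected = n["version"]             # Maven keeps exactly one per g:a
    return selected, omitted


def version_tuple(version):
    """Dotted version as a comparable tuple; non-numeric segments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def meets_floor(version, floor=ADVISORY_FLOOR):
    """True when `version` is at or above the advisory floor (plain numeric order)."""
    return version_tuple(version) >= version_tuple(floor)


def report(text, group=JACKSON[0], artifact=JACKSON[1], floor=ADVISORY_FLOOR):
    """Summarise what the build ships for one artifact and whether it is acceptable."""
    selected, omitted = resolved_versions(parse_tree(text), group, artifact)
    return {
        "artifact": f"{group}:{artifact}",
        "selected": selected,
        "omitted": omitted,
        "ok": selected is not None and meets_floor(selected, floor),
    }


if __name__ == "__main__":
    r = report(SAMPLE_TREE)
    print(f"{r['artifact']}: selected {r['selected']}, omitted {r['omitted']}")
    print("OK" if r["ok"] else f"BELOW FLOOR {ADVISORY_FLOOR}: fix the nearer declaration")
```

Run it against real output with `mvn dependency:tree -Dverbose > tree.txt` and feed the file to `report`. The useful signal is the `omitted` list: if a newer jackson-databind shows up there while an older one is `selected`, the scanner finding is real even though es4x itself declares the newer version, and the fix is to pin the version in `<dependencyManagement>` or exclude it from the nearer dependency rather than to change es4x.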