Open sonatype-depshield-staging[bot] opened 5 years ago
com.fasterxml.jackson.core:jackson-databind:2.1.5 APIs are never used in the generated Jackson Modello reader/writer, since we just use the Streaming APIs, does it still the generated code being affected by the CVSS 10.0?
DepShield reports on vulnerabilities in a project's dependent components but does not determine if they are effective. Without knowing how the code is used in Modello, I could not answer that question. It seems that you've done your own review and found it not applicable so we can close this issue.
Vulnerabilities
DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.1.5 results in the following vulnerability(s):
Occurrences
com.fasterxml.jackson.core:jackson-databind:2.1.5 is a transitive dependency introduced by the following direct dependency(s):
• com.fasterxml.jackson.core:jackson-databind:2.1.5
• org.codehaus.modello:modello-plugin-jackson:1.8.4-SNAPSHOT └─ com.fasterxml.jackson.core:jackson-databind:2.1.5
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.