spring-cloud / spring-cloud-connectors

Library to let cloud applications connect to services
Apache License 2.0

Vulnerable version of Jackson-Databind with Spring-Cloud-cloudfoundry-connector #316

Closed raptorshots closed 3 years ago

raptorshots commented 3 years ago

We are using spring-cloud-cloudfoundry-connector in our applications deployed in Tanzu Platform. Version is 2.0.7.RELEASE.

However, this version is flagged as vulnerable by Application Security tools such as JFrog Xray Platform because of the vulnerable transitive dependency Jackson-Databind 2.10.0.

Will it be possible to release a version with a non-vulnerable version of jackson-databind, such as 2.10.5.1, which is the closest non-vulnerable version?

For reference

https://snyk.io/vuln/maven:com.fasterxml.jackson.core:jackson-databind@2.10
https://snyk.io/vuln/maven:com.fasterxml.jackson.core:jackson-databind@2.10.5.1

scottfrederick commented 3 years ago

This is a duplicate of #315. See the analysis of how this Jackson issue affects Spring Cloud Connectors in this comment. Please add a comment to that issue if you have additional feedback.

Also note that Connectors is in maintenance mode, and should be replaced by the use of Java CFEnv (which does not shade Jackson dependencies and therefore is not subject to this type of issue).
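The two points raised in this thread (a transitive jackson-databind 2.10.0 flagged by a scanner, and the fact that Connectors shades Jackson rather than pulling it in as a normal dependency) are exactly the case where a plain dependency-tree override does nothing, because the vulnerable classes are copied into the connector jar under a relocated package. The following check is an added example, not code from this thread or from the spring-cloud-connectors project: it opens a jar, looks for a jackson-databind class under any package prefix, reads the Maven `pom.properties` the shade plugin normally preserves, and flags the jar when the bundled version is below 2.10.5.1 (the version the reporter cites as the closest non-vulnerable one). The relocated package prefix used in the constructed sample jar is an assumption for illustration, not the project's actual relocation.

```python
import io
import re
import zipfile

# A (possibly relocated) jackson-databind class: the shade plugin rewrites the
# package prefix but keeps the trailing package path and class name intact.
DATABIND_CLASS_SUFFIX = "com/fasterxml/jackson/databind/ObjectMapper.class"
# Maven metadata that is normally copied into a shaded jar unless explicitly filtered.
DATABIND_POM_PROPS = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)


def parse_version(version):
    """Turn '2.10.5.1' into a comparable tuple of ints; non-numeric qualifiers end the tuple."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def version_below(version, minimum):
    """True if `version` sorts before `minimum`; missing trailing components count as 0."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def inspect_jar(jar_bytes):
    """Report whether a jar bundles jackson-databind, under which prefix, and at which version."""
    result = {"present": False, "relocated_prefix": None, "version": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for name in names:
            if name.endswith(DATABIND_CLASS_SUFFIX):
                result["present"] = True
                prefix = name[: -len(DATABIND_CLASS_SUFFIX)]
                result["relocated_prefix"] = prefix or None
        if DATABIND_POM_PROPS in names:
            for line in jar.read(DATABIND_POM_PROPS).decode("utf-8").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    result["version"] = value.strip()
    return result


def flag_vulnerable(jar_bytes, minimum_safe="2.10.5.1"):
    """Return (flagged, details). Flagged when databind is bundled and its version is
    below the minimum, or when it is bundled but the version cannot be determined."""
    info = inspect_jar(jar_bytes)
    if not info["present"]:
        return False, info
    if info["version"] is None:
        return True, info
    return version_below(info["version"], minimum_safe), info


def build_sample_jar(version, prefix=""):
    """Constructed sample jar for testing: a class stub (optionally relocated under
    `prefix`, an assumed package path) plus the Maven pom.properties for databind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(prefix + DATABIND_CLASS_SUFFIX, b"\xca\xfe\xba\xbe")
        jar.writestr(
            DATABIND_POM_PROPS,
            "groupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n"
            f"version={version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a shaded copy at 2.10.0 and a plain jar at 2.10.5.1.
    shaded_old = build_sample_jar("2.10.0", "org/springframework/cloud/cloudfoundry/")
    plain_new = build_sample_jar("2.10.5.1")
    for label, jar in (("shaded 2.10.0", shaded_old), ("plain 2.10.5.1", plain_new)):
        flagged, info = flag_vulnerable(jar)
        print(label, "->", "FLAG" if flagged else "ok", info)
```

Run it against the jars in a deployed application's classpath (for example every `*.jar` under `BOOT-INF/lib/` of a Spring Boot fat jar) to find copies of databind that a dependency-tree tool cannot see. Jars that carry a relocated class but no `pom.properties` are flagged deliberately, since a shaded copy whose version cannot be read should be treated as unknown rather than safe.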