Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2 #317
base: master
Conversation
Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2 due to v3 https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538
Unfortunately, merging this would require dropping support for Gradle versions older than 7.6, so this is going to need to wait until the next version bump. But on the bright side, actually using this to attack your build would require very specific circumstances, so while the CVE has a high severity, it's almost irrelevant here.
That would be really useful, see e.g. here:
Ah, API issues :-/
@deepy Do you have news about this? Anything you need support with (we could maybe provide)? |
@tkrah there are really only two ways to fix this: When Gradle 9 releases I'm perfectly happy to drop support for older versions, but not right now, given the relatively low severity of the issue.
@deepy It is not the CVE which is the main issue here, it is the API issues (CycloneDX/cyclonedx-gradle-plugin#482), which are there because of that old jackson version (2.14 was released Nov 5, 2022, which is kind of dated) and which clashes with other plugins.
JFTR: With the latest Spring Boot Plugin 3.4.0, which uses 2.18.2, this is also going to be a problem because of this runtime error:
Seems I am going to need my own fork until this is fixed someday in the future.

Edit: Using my own fork which uses jackson 2.18.2 works fine with spring-boot-plugin 3.4.0 and cyclonedx-plugin 1.10.0.

Edit 2: Another workaround, which does fit and is much more useful because it is lightweight (no fork needed), is to add this constraint to the buildScript dependencies:
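An illustration of the buildscript-constraint workaround described in the comment above, added here as an example and not the snippet the commenter posted (which is not reproduced on this page). The version 2.18.2 is assumed from the discussion, the `because` text is mine, and the surrounding build file is hypothetical:

```groovy
// build.gradle (Groovy DSL). Added example, not code from the plugin or from the thread.
// Raises jackson-databind on the build script classpath so that every plugin that
// depends on it (this plugin, spring-boot, cyclonedx, ...) resolves one version.
buildscript {
    repositories {
        gradlePluginPortal()
        mavenCentral()
    }
    dependencies {
        constraints {
            // Assumed version: 2.18.2, the one the comment above reports as working.
            // A constraint only influences resolution; it does not add jackson-databind
            // to the classpath unless some plugin already pulls it in. The databind
            // POM brings the matching jackson-core and jackson-annotations with it.
            classpath('com.fasterxml.jackson.core:jackson-databind:2.18.2') {
                because 'align jackson-databind across build plugins; the plugin ships 2.14, spring-boot 3.4.0 expects 2.18.x'
            }
        }
    }
}

// Blunter alternative on Gradle versions where constraints are not wanted:
// buildscript.configurations.classpath.resolutionStrategy.force(
//     'com.fasterxml.jackson.core:jackson-databind:2.18.2')
```

Check the outcome with `./gradlew buildEnvironment`, which prints the resolved buildscript classpath; jackson-databind should appear once, at the constrained version, with the older plugin-declared version shown as upgraded. Keep in mind that this only papers over the classpath clash on the consuming build and does not change what the plugin itself declares.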