This repository has been archived by the owner on Mar 21, 2022. It is now read-only.

Jackson dependency causes OWASP alerts. Change to Jackson version 2.7.4 #467

Closed
emartinezs44 opened this issue Jun 30, 2016 · 7 comments

Comments

@emartinezs44

OWASP validation reports the following vulnerabilities for dependencies:

Vulnerable Dependencies

| CVE | Severity (CVSS) | Dependency |
|---|---|---|
| CVE-2016-3720 | High (10.0) | jackson-annotations-2.6.0.jar |
| CVE-2016-3720 | High (10.0) | jackson-core-2.6.7.jar |
| CVE-2016-3720 | High (10.0) | jackson-databind-2.6.7.jar |
| CVE-2016-3720 | High (10.0) | jackson-datatype-guava-2.6.7.jar |
| CVE-2016-3720 | High (10.0) | jackson-jaxrs-base-2.6.7.jar |
| CVE-2016-3720 | High (10.0) | jackson-jaxrs-json-provider-2.6.7.jar |
| CVE-2016-3720 | High (10.0) | jackson-module-jaxb-annotations-2.6.7.jar |

This vulnerability is fixed in jackson 2.7.4:

FasterXML/jackson-dataformat-xml#190

This dependency should be updated to avoid alerts in OWASP checking.

@KostyaSha

Does docker-client use xml at all?

@mattnworb
Member

@KostyaSha no, it does not.

@brettcave

OWASP checks still fail on 2.7.4 and 2.8.0, e.g.

```
CVE-2016-3720       High (10.0)     com.fasterxml.jackson.core.jackson-core-2.7.4.jar
                                    com.fasterxml.jackson.core.jackson-annotations-2.7.4.jar
                                    com.fasterxml.jackson.core.jackson-databind-2.7.4.jar
                                    com.fasterxml.jackson.datatype.jackson-datatype-joda-2.7.4.jar
                                    com.fasterxml.jackson.module.jackson-module-paranamer-2.7.4.jar
                                    com.fasterxml.jackson.module.jackson-module-scala_2.10-2.7.4.jar
```

The warning was added to the CVE database by a downstream Fedora issue, which is being tracked at https://bugzilla.redhat.com/show_activity.cgi?id=1328427; the CVE database needs to be updated.

@KostyaSha

So why do you care about XmlMapper? It is also possible to change the dependency version at the project level.

@brettcave

Even the jackson-core check will fail (it is pulled in by the jackson-databind dependency), so it will not pass even with XML exclusion rules.

@mattnworb
Member

@brettcave so upgrading to 2.7.4 or 2.8.0 or any other Jackson version won't resolve those warnings yet?

@brettcave

brettcave commented Jul 14, 2016

@mattnworb correct. This can be easily verified as follows:

  1. Copy a Jackson lib into "testlib" (I have done this for jackson-core 2.7.4, 2.7.5 and 2.8.0).
  2. Download OWASP Dependency-Check from https://www.owasp.org/index.php/OWASP_Dependency_Check (the "Command line" link in the right nav bar will download the archive) and extract it.
  3. Run the dependency check from the bin directory of the extracted archive (.sh for Linux, .bat for Windows): `./dependency-check.sh --disableAssembly --format ALL --project Jackson --scan path/to/testlib/*`
  4. Open dependency-check-vulnerability.html in the directory you ran it from.
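A way to keep the scan passing without pretending the finding is real, as an added example that is not part of this thread or of docker-client: a Dependency-Check suppression file scoped to this one CVE and to the Jackson artifact groups that appear in the reports above. The file name, the schema version and the `--suppression` / `<suppressionFile>` invocation are assumptions about the 2016-era Dependency-Check releases; check them against the version you actually run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (assumed name). Pass it to the CLI with
       ./dependency-check.sh --suppression suppressions.xml --scan ...
     or to the Maven plugin with
       <suppressionFile>suppressions.xml</suppressionFile>
     Schema version 1.1 is assumed for the Dependency-Check CLI of mid-2016. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2016-3720 is an XML external entity issue in jackson-dataformat-xml
      (XmlMapper). The NVD entry currently matches every com.fasterxml.jackson
      artifact rather than only jackson-dataformat-xml (see the Red Hat bugzilla
      link in this thread). docker-client does not use jackson-dataformat-xml,
      so the hits on jackson-core / jackson-databind / jackson-annotations and
      on the datatype, module and jaxrs artifacts are false positives.
      Remove this entry once NVD narrows the affected product.
    ]]></notes>
    <!-- Matched against "groupId:artifactId:version" with a Java regex.
         The genuinely affected artifact lives in the group
         com.fasterxml.jackson.dataformat, which is deliberately NOT in this
         alternation, so a real jackson-dataformat-xml finding still fires. -->
    <gav regex="true">^com\.fasterxml\.jackson\.(core|datatype|module|jaxrs):jackson-.*$</gav>
    <cve>CVE-2016-3720</cve>
  </suppress>
</suppressions>
```

Two points worth keeping in mind with this kind of file: suppress on the CVE plus a tight `gav` pattern rather than on a bare `filePath`, so that a future, genuine Jackson CVE against the same jars is not silenced along with the false positive; and record in `notes` why the entry exists and when it should be removed, otherwise it tends to outlive the NVD correction it was waiting for.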

mattnworb added a commit that referenced this issue May 25, 2017
4 participants