jackson-databind@2.13.0 internally embedded in allure-java-commons with a CVE
The dependency allure-java-commons embeds an internal / shadowed version of jackson-databind, 2.13.0, which has a CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
In this file: https://github.com/allure-framework/allure-java/blob/master/allure-java-commons/build.gradle.kts there is the instruction for the internal jackson-databind dependency:
```kotlin
shadowJar {
    archiveClassifier.set("")
    // Jackson packages are relocated into Allure's own namespace and bundled into the jar
    relocate("com.fasterxml.jackson", "io.qameta.allure.internal.shadowed.jackson")
    dependencies {
        include(dependency("com.fasterxml.jackson.core::"))
    }
}
```
and in this file: https://github.com/allure-framework/allure-java/blob/master/build.gradle.kts the import of the 2.13.0 Jackson BOM:
```kotlin
mavenBom("com.fasterxml.jackson:jackson-bom:2.13.0")
```
As a consequence, we can't exclude the dependency, so we can't get rid of this CVE:
allure-java-commons-2.17.3.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0, cpe:2.3:a:fasterxml:jackson-databind:2.13.0:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.13.0:*:*:*:*:*:*:*) : CVE-2020-36518
Why do you need to have this specific version of the dependency? Can't you manage this dependency the same way as the others, so we could exclude it to use a more recent version of jackson-databind?
Or, if you can't, could you upgrade the version of jackson-databind?
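A check for the situation described in this issue, added here as an example and not part of the issue or of Allure's own code: it lists the Maven coordinates left under META-INF/maven inside a jar (the shadow plugin packs the included Jackson jar's metadata along with the relocated classes, which is what the scanner output above matched) and reports any that are not the jar's own, so a shaded dependency is visible even though a consumer's Gradle `exclude` cannot touch it. The sample jar is constructed in memory to mimic the reported layout of allure-java-commons-2.17.3.jar; reading pom.properties rather than pom.xml is an assumption of this example.

```python
import io
import zipfile
from typing import Dict, Tuple

Coord = Tuple[str, str]  # (groupId, artifactId)


def embedded_artifacts(jar_bytes: bytes) -> Dict[Coord, str]:
    """Map every META-INF/maven/<group>/<artifact>/pom.properties in the jar to its version."""
    found: Dict[Coord, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) != 5 or parts[:2] != ["META-INF", "maven"] or parts[4] != "pom.properties":
                continue
            props = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            found[(parts[2], parts[3])] = props.get("version", "unknown")
    return found


def shaded_artifacts(jar_bytes: bytes, own: Coord) -> Dict[Coord, str]:
    """Coordinates packed into the jar other than the jar's own: shaded copies that a
    consumer's Gradle/Maven exclusion cannot remove."""
    return {c: v for c, v in embedded_artifacts(jar_bytes).items() if c != own}


def to_purl(coord: Coord, version: str) -> str:
    """Package URL in the form the scanner output uses: pkg:maven/<group>/<artifact>@<version>."""
    return f"pkg:maven/{coord[0]}/{coord[1]}@{version}"


def build_sample_jar() -> bytes:
    """Constructed sample mimicking the reported layout of allure-java-commons-2.17.3.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/io.qameta.allure/allure-java-commons/pom.properties",
                    "version=2.17.3\ngroupId=io.qameta.allure\nartifactId=allure-java-commons\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "#Generated by Maven\nversion=2.13.0\ngroupId=com.fasterxml.jackson.core\n"
                    "artifactId=jackson-databind\n")
        # relocated class, as produced by relocate("com.fasterxml.jackson", "io.qameta.allure.internal.shadowed.jackson")
        zf.writestr("io/qameta/allure/internal/shadowed/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for coord, version in shaded_artifacts(build_sample_jar(), ("io.qameta.allure", "allure-java-commons")).items():
        print("shaded dependency:", to_purl(coord, version))
```

Run against a real jar by passing its bytes instead of `build_sample_jar()`; a non-empty result means the dependency has to be fixed upstream rather than excluded in your build.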
I have only allure-testng as a dependency as well, and I'm getting back a HIGH severity for jackson-databind.

already fixed