
Vulnerabilities in dependency: jackson-databind 2.2.3

Open hkorpi opened this issue 5 years ago • 5 comments

Library Version(s)

metosin/compojure-api "1.1.13"

Problem

Compojure-api seems to have an old transitive dependency: [com.fasterxml.jackson.core/jackson-databind "2.2.3"]

lein nvd check complains about vulnerabilities: CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2017-7525, CVE-2018-19360, CVE-20...

Dependency tree:

[metosin/compojure-api "1.1.13"]
   [cheshire "5.9.0"]
     [com.fasterxml.jackson.core/jackson-core "2.9.9"]
     [com.fasterxml.jackson.dataformat/jackson-dataformat-cbor "2.9.9"]
     [com.fasterxml.jackson.dataformat/jackson-dataformat-smile "2.9.9"]
     [tigris "0.1.1"]
   [compojure "1.6.1"]
     [clout "2.2.1"]
     [medley "1.0.0"]
   [frankiesardo/linked "1.3.0"]
   [metosin/ring-http-response "0.9.1"]
   [metosin/ring-swagger "0.26.2"]
     [metosin/schema-tools "0.11.0"]
     [metosin/scjsv "0.5.0"]
       [com.github.java-json-tools/json-schema-validator "2.2.10"]
         [com.github.java-json-tools/json-schema-core "1.2.10"]
           [com.github.fge/uri-template "0.9"]
           [com.github.java-json-tools/jackson-coreutils "1.9"]
             [com.fasterxml.jackson.core/jackson-databind "2.2.3"]
               [com.fasterxml.jackson.core/jackson-annotations "2.2.3"]
             [com.github.fge/msg-simple "1.1"]
               [com.github.fge/btf "1.2"]
           [org.mozilla/rhino "1.7.7.1"]
         [com.googlecode.libphonenumber/libphonenumber "8.0.0"]
         [javax.mail/mailapi "1.4.3"]
         [net.sf.jopt-simple/jopt-simple "5.0.3"]

hkorpi avatar Nov 20 '19 11:11 hkorpi

Wow, that's an old dependency. As a workaround, you can add an explicit dependency on jackson-databind and I think it should work.

[com.fasterxml.jackson.core/jackson-databind "2.9.9"]

The version of jackson-databind should always be the same as the version of jackson-core; otherwise you will have problems.

I'm not super-eager to add dependency version overrides to compojure-api – it's better to upgrade libraries deeper in the dependency tree and wait until the upgrades bubble up to compojure-api – but it will take a while.

miikka avatar Nov 20 '19 19:11 miikka

What happens if I exclude metosin/scjsv like: [metosin/compojure-api "1.1.13" :exclusions [metosin/scjsv]] ?

hkorpi avatar Nov 20 '19 20:11 hkorpi

... seems to at least break my test:

https://github.com/solita/livijuku/blob/develop/juku-backend/test/clj/juku/service/swagger_test.clj

Is that library metosin/scjsv only used for testing?

So can I exclude it from normal dependencies and include it in dev dependencies?

hkorpi avatar Nov 20 '19 20:11 hkorpi

Yeah, I think that should work. scjsv is only needed for the compojure.api.validator namespace so as long as you use that only in tests, it should be fine.

miikka avatar Nov 20 '19 21:11 miikka
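As an added illustration (not from the thread, and not part of compojure-api itself), here is a project.clj fragment that combines the two approaches discussed above: pinning jackson-databind to the same version as the jackson-core that cheshire brings in, and moving metosin/scjsv into the :dev profile so it only reaches the test classpath. Version strings are the ones shown in the dependency tree; the project name is a placeholder.

```clojure
(defproject example/my-service "0.1.0-SNAPSHOT"   ; placeholder project name
  :dependencies [;; Keep scjsv off the production classpath: in the tree above it is
                 ;; the path that drags in jackson-coreutils -> jackson-databind 2.2.3.
                 [metosin/compojure-api "1.1.13" :exclusions [metosin/scjsv]]
                 ;; Pin jackson-databind to the jackson-core version (2.9.9) so the
                 ;; pair stays in sync even when scjsv is present in the dev profile;
                 ;; a top-level declaration wins over the transitive 2.2.3.
                 [com.fasterxml.jackson.core/jackson-databind "2.9.9"]]
  ;; Fail the build instead of silently picking a version when two paths disagree.
  :pedantic? :abort
  :profiles {:dev {:dependencies [;; Only compojure.api.validator needs scjsv, and the
                                  ;; tests are the only place it is used here.
                                  [metosin/scjsv "0.5.0"]]}})
```

Check the result with `lein deps :tree` (jackson-databind 2.2.3 should no longer appear outside the dev profile) and re-run `lein nvd check`.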

Seems to work, and my uberjar is also 5Mb thinner. Thanks!

hkorpi avatar Nov 21 '19 08:11 hkorpi