gradle-node-plugin

Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2

Open sadiqkassamali opened this issue 1 year ago • 7 comments

Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2 due to v3 https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538

sadiqkassamali avatar Jul 31 '24 07:07 sadiqkassamali

Unfortunately merging this would require dropping support for Gradle versions older than 7.6, so this is going to need to wait until the next version bump.

But on the bright side, actually using this to attack your build would require very specific circumstances, so while the CVE has a high severity, it's almost irrelevant here. And Gradle's dependency management would allow this to be patched locally where necessary.

deepy avatar Jul 31 '24 12:07 deepy

That would be really useful, see e.g. here:

https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/482

tkrah avatar Aug 08 '24 15:08 tkrah

Ah, API issues :-/ I was hoping that our usage would be innocuous enough, but I need to take a closer look at this

deepy avatar Aug 22 '24 06:08 deepy

@deepy Do you have news about this? Anything you need support with (we could maybe provide)?

tkrah avatar Dec 09 '24 15:12 tkrah

@tkrah there are really only two ways to fix this:

A. Upgrading, which requires dropping support for older Gradle versions.
B. Replacing jackson, which has a poor return on investment for the time I'd need to spend on it.

When Gradle 9 releases I'm perfectly happy to drop support for older versions, but not right now given the relatively low severity of the issue. Although if you have a real scenario that makes a denial of service in a build an issue I'm happy to discuss and re-evaluate; beyond that I'm also open to replacing jackson.

deepy avatar Dec 13 '24 09:12 deepy

@deepy It is not about the CVE which is the main issue here, it is the API issues (https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/482) which are there because of that old jackson version (2.14 was released Nov 5, 2022 ... which is kind of dated) which clashes with other plugins. Why not release a new version which drops support for those old gradle versions like other plugins do too to solve that problem - if you want to keep support for both, why not maintain 2 release lines?

tkrah avatar Dec 13 '24 10:12 tkrah

JFTR: With the latest Spring Boot Plugin 3.4.0 which uses 2.18.2 this is also going to be a problem because of this runtime Error:

'void com.fasterxml.jackson.core.base.GeneratorBase.<init>(int, com.fasterxml.jackson.core.ObjectCodec, com.fasterxml.jackson.core.io.IOContext)'

Seems I am going to need my own fork until this is fixed someday in the future.

Edit: Using my own fork which uses jackson 2.18.2 works fine with spring-boot-plugin 3.4.0 and cyclonedx-plugin 1.10.0.

Edit 2:

Another workaround which does fit and is much more useful because it is lightweight (no fork needed) is to add this constraint to the buildScript dependencies:

constraints {
    // pins the transitive jackson-databind version pulled in by plugins on the build classpath
    implementation("com.fasterxml.jackson.core:jackson-databind:2.18.2")
}

tkrah avatar Dec 17 '24 15:12 tkrah
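As an added example (not code from the thread or from gradle-node-plugin), the same constraint applied to the buildscript `classpath` configuration in a Kotlin DSL build.gradle.kts, plus a task that fails the build if the resolved jackson-databind on the build classpath is still below the fixed version. The task name, the minimum-version value and the version comparison helper are my own assumptions; the Snyk identifier is the one from the issue.

```kotlin
// build.gradle.kts (added example; assumes a Kotlin DSL build)
buildscript {
    dependencies {
        constraints {
            // Pin the transitive jackson-databind that plugins bring onto the build classpath.
            add("classpath", "com.fasterxml.jackson.core:jackson-databind:2.17.2") {
                because("SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538: DoS in older jackson-databind")
            }
        }
    }
}

// Numeric, segment-wise version comparison (hypothetical helper; non-numeric segments count as 0).
fun compareVersions(a: String, b: String): Int {
    val pa = a.split('.').map { it.toIntOrNull() ?: 0 }
    val pb = b.split('.').map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(pa.size, pb.size)) {
        val diff = pa.getOrElse(i) { 0 } - pb.getOrElse(i) { 0 }
        if (diff != 0) return diff
    }
    return 0
}

val minimumJacksonVersion = "2.17.2" // assumed minimum; raise it as new fixes ship

// Guard task: inspect what was actually resolved for the build classpath, not what was declared.
tasks.register("checkBuildClasspathJackson") {
    description = "Fails if jackson-databind on the build classpath is older than $minimumJacksonVersion"
    doLast {
        val resolved = buildscript.configurations.getByName("classpath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .firstOrNull { it.group == "com.fasterxml.jackson.core" && it.name == "jackson-databind" }
            ?: throw GradleException("jackson-databind not found on the build classpath")
        if (compareVersions(resolved.version, minimumJacksonVersion) < 0) {
            throw GradleException(
                "jackson-databind ${resolved.version} on the build classpath is older than $minimumJacksonVersion"
            )
        }
        logger.lifecycle("jackson-databind ${resolved.version} on build classpath: OK")
    }
}
```

Run it with `gradle checkBuildClasspathJackson`; without the constraint block, a plugin that still pulls jackson-databind 2.14.x makes the task fail, which is the quickest way to confirm whether the pin took effect.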