[Enhancement]: Update jackson databind version (support more than 50 containers in compose file)

Open henryxparker opened this issue 2 years ago • 1 comments

Module

Core

Proposal

Currently the project is using Jackson databind yaml 2.8.x, and the comments on that part of the code say that this is for backwards compatibility.

Unfortunately that version uses an older version of snake yaml (1.17). This version has a known arbitrary code execution vulnerability, and it also fails to parse yaml that has >50 attributes, so it does not support more than 50 containers in a docker compose file.

jackson databind 2.8.x also has its own known vulnerabilities: 1, 2.

I do not know what the compatibility issues the comment is referring to, but I think it's best to move to a newer version of jackson databind, even if it requires a new minor/major version.

henryxparker avatar Aug 16 '23 16:08 henryxparker

testcontainers-core build.gradle:

configurations.all {
    resolutionStrategy {
        // use lower Jackson version
        force 'com.fasterxml.jackson.core:jackson-databind:2.8.8'
        force 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.8.8'
    }
}

Jackson-databind 2.8.8 should be updated. It has 54 CVEs. Even though testcontainers should run in the test scope

Direct vulnerabilities:

  1. CVE-2022-42004
  2. CVE-2022-42003
  3. CVE-2021-20190
  4. CVE-2020-9548
  5. CVE-2020-9547
  6. CVE-2020-8840
  7. CVE-2020-36518
  8. CVE-2020-36189
  9. CVE-2020-36188
  10. CVE-2020-36187
  11. CVE-2020-36186
  12. CVE-2020-36185
  13. CVE-2020-36184
  14. CVE-2020-36183
  15. CVE-2020-36182
  16. CVE-2020-36181
  17. CVE-2020-36180
  18. CVE-2020-36179
  19. CVE-2020-35728
  20. CVE-2020-35491
  21. CVE-2020-35490
  22. CVE-2020-25649
  23. CVE-2020-24750
  24. CVE-2020-24616
  25. CVE-2020-10673
  26. CVE-2020-10650
  27. CVE-2019-20330
  28. CVE-2019-17531
  29. CVE-2019-17267
  30. CVE-2019-16943
  31. CVE-2019-16942
  32. CVE-2019-16335
  33. CVE-2019-14892
  34. CVE-2019-14540
  35. CVE-2019-14439
  36. CVE-2019-14379
  37. CVE-2019-12814
  38. CVE-2019-12384
  39. CVE-2019-12086
  40. CVE-2018-7489
  41. CVE-2018-5968
  42. CVE-2018-19362
  43. CVE-2018-19361
  44. CVE-2018-19360
  45. CVE-2018-14721
  46. CVE-2018-14720
  47. CVE-2018-14719
  48. CVE-2018-14718
  49. CVE-2018-12023
  50. CVE-2018-12022
  51. CVE-2018-11307
  52. CVE-2017-7525
  53. CVE-2017-17485
  54. CVE-2017-15095

Vulnerabilities from dependencies:

  1. CVE-2020-15250

erik-meuwese-topicus avatar Jun 26 '24 10:06 erik-meuwese-topicus
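The `resolutionStrategy { force ... }` block quoted above is the kind of setting that hides a downgrade: a `force` wins over whatever version the dependency declarations (or transitive resolution) would otherwise pick, so reading only the `dependencies` block tells you nothing about the Jackson version that actually ships. The following script is an added example, not code from testcontainers-java or from anyone in this thread. It scans a Gradle build file for forced Maven coordinates and flags any pinned below a per-artifact minimum. The minimum versions in `MIN_VERSIONS` are placeholders chosen for illustration (the two 2022 CVEs on the list above were fixed in the 2.13.4.x patch line); set them from the advisories you care about. The sample build file is constructed for the demo and includes a higher declared version to show that the `force` is what matters.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample build.gradle: the resolutionStrategy block from the issue,
# plus a newer declared dependency that the force silently overrides.
SAMPLE_BUILD_GRADLE = """
configurations.all {
    resolutionStrategy {
        // use lower Jackson version
        force 'com.fasterxml.jackson.core:jackson-databind:2.8.8'
        force 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.8.8'
    }
}
dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
}
"""

# Assumption: minimum acceptable version per artifact. These are placeholders
# for the example; derive the real floor from the advisories for the CVEs you track.
MIN_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.13.4.2",
    "com.fasterxml.jackson.datatype:jackson-datatype-jsr310": "2.13.4",
}

# Matches: force 'group:artifact:version' (single or double quotes).
FORCE_RE = re.compile(r"""force\s+['"]([^:'"]+:[^:'"]+):([^'"]+)['"]""")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.13.4.2' into (2, 13, 4, 2) so tuples compare numerically.

    Non-numeric suffixes such as '-rc1' are dropped; good enough for a floor check.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def find_forced_versions(gradle_text: str) -> Dict[str, str]:
    """Return {group:artifact -> version} for every force directive in the file."""
    return {m.group(1): m.group(2) for m in FORCE_RE.finditer(gradle_text)}


def audit_forces(gradle_text: str, minimums: Dict[str, str] = MIN_VERSIONS) -> List[str]:
    """List every forced coordinate whose version is below the configured minimum."""
    findings = []
    for coord, version in find_forced_versions(gradle_text).items():
        floor = minimums.get(coord)
        if floor is not None and parse_version(version) < parse_version(floor):
            findings.append(f"{coord} forced to {version}, below minimum {floor}")
    return findings


if __name__ == "__main__":
    for finding in audit_forces(SAMPLE_BUILD_GRADLE):
        print("FINDING:", finding)
```

Run it against a checked-out build file (`audit_forces(open("build.gradle").read())`) as a pre-merge check; on the sample above it reports both Jackson artifacts even though the `dependencies` block declares 2.15.2, which is exactly the trap this issue describes. For the authoritative resolved version, `gradle dependencyInsight --dependency jackson-databind` is still the final word, since forces can also come from other scripts or plugins.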

This has been addressed by #8816

eddumelendez avatar Jul 03 '24 16:07 eddumelendez