On Sun, Feb 23, 2020 at 1:09 AM Enrico Olivelli <eolive...@gmail.com> wrote:

> Hi,
> we are using a library, Jackson Databind, to serialize JSON objects on
> the HTTP Admin Endpoint.
>
> Unfortunately that library is very often subject to CVEs due to the
> intrinsic nature of the library, the fact that it is really very common
> and in particular to the fact that it has many deserialization
> "gadgets" (that we are not using).
>
> Usually we are never affected by those CVEs because we are using only
> Jackson core features and we are using it only in order to serialize
> data (and only very simple beans).
>
> Some more context here:
>
>
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>
>
> We want OWASP dependency checker to be always happy with our releases.
> I think this is very good.
> But we are spending a lot of time, especially in blocking releases due
> to this fact.
>
> I am now proposing to drop this dependency and use some other simpler
> JSON encoding library.
>
> Thoughts ?
>
>
+1 - makes sense to me. Can we find something with a permissive license,
that's minimal, has a history of success/support and will minimize impact?

Thanks,

Patrick


> Enrico
>
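The point Enrico makes above, that the Jackson gadget CVEs only bite when polymorphic type handling is enabled on untrusted input, can be made concrete. The following is an added example written for this thread, not code from the project or from either poster: it contrasts the configuration the gadget chains rely on (default typing switched on) with a serialization-only mapper, and with a deserializing mapper whose polymorphic subtypes are restricted to an allow-list. The `ServerStatus` bean, the `org.example.admin` package prefix and the `AdminJson` class are assumptions made up for the illustration; the Jackson API calls are the real ones from jackson-databind 2.10 and later.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Illustrative JSON helpers for an admin endpoint (hypothetical class, not from the project). */
public final class AdminJson {

    /** Hypothetical simple bean of the kind an admin endpoint would emit. */
    public static final class ServerStatus {
        public String mode;
        public long connections;
        public ServerStatus() {}
        public ServerStatus(String mode, long connections) {
            this.mode = mode;
            this.connections = connections;
        }
    }

    /**
     * Serialization-only mapper. No default typing is activated, so no JSON type
     * id ("@class" and friends) is ever consulted and no gadget class can be
     * instantiated through it. This is the usage the thread describes.
     */
    private static final ObjectMapper WRITER = new ObjectMapper();

    public static String toJson(ServerStatus status) throws JsonProcessingException {
        return WRITER.writeValueAsString(status);
    }

    /**
     * Weak setting: activating default typing on every non-final property means any
     * JSON that reaches readValue() may name an arbitrary class to instantiate. The
     * deserialization-gadget CVEs require a mapper configured like this (or an
     * equivalent @JsonTypeInfo with class-name ids on an Object-typed field).
     */
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        // Deprecated since 2.10 precisely because it accepts any subtype.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /**
     * Hardened setting for the case where polymorphic deserialization really is
     * needed: an explicit PolymorphicTypeValidator allow-list. Only classes under
     * the assumed org.example.admin package may be named in a type id; anything
     * else fails with an InvalidTypeIdException instead of being instantiated.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("org.example.admin.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        // Reject properties the bean does not declare rather than silently dropping them.
        m.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return m;
    }

    /**
     * Reading into a concrete bean with no polymorphic fields, on a mapper without
     * default typing, never looks at type ids either: a "@class" key in the input
     * is just an unknown property and is rejected here.
     */
    public static ServerStatus fromJson(String json) throws JsonProcessingException {
        ObjectMapper m = new ObjectMapper()
                .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return m.readValue(json, ServerStatus.class);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(toJson(new ServerStatus("standalone", 3)));
        // Constructed input resembling what a gadget-based payload would carry.
        String hostile = "{\"mode\":\"x\",\"connections\":1,\"@class\":\"com.example.Gadget\"}";
        try {
            fromJson(hostile);
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The takeaway for the release-blocking question in the thread: an OWASP dependency-check finding against jackson-databind reports the library version, not whether the code path (default typing or a class-name `@JsonTypeInfo` on an `Object` field) that the gadget CVEs need is actually reachable, so a serialization-only mapper like `WRITER` above is unaffected by those CVEs even when the scanner flags the version.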
