[ https://issues.apache.org/jira/browse/MSHADE-418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576214#comment-17576214 ]

Karl Heinz Marbaise commented on MSHADE-418:
--------------------------------------------

Based on your {{pom.xml}} file you have defined two dependencies:
{code:xml}
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.12.6</version>
    </dependency>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.12.6.1</version>
    </dependency>
{code}

which means only {{jackson-databind}} will be used with the upgraded version. 
If you analyse your pom via:
{code}
$ mvn org.apache.maven.plugins:maven-dependency-plugin:3.3.0:tree
[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------< sign.core.opentext.com:digital-signer >----------------
[INFO] Building Digital-Signer 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ digital-signer ---
[INFO] sign.core.opentext.com:digital-signer:jar:1.0-SNAPSHOT
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- commons-codec:commons-codec:jar:1.13:compile
[INFO] +- com.microsoft.azure:azure-keyvault-core:jar:1.2.4:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] |  \- com.google.guava:guava:jar:24.1.1-jre:compile
[INFO] |     +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |     +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] |     +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |     +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- com.microsoft.azure:azure-keyvault-cryptography:jar:1.2.4:compile
[INFO] +- com.microsoft.azure:azure-mgmt-keyvault:jar:1.22.0:compile
[INFO] |  +- com.microsoft.azure:azure-client-runtime:jar:1.6.4:compile
[INFO] |  +- com.microsoft.azure:azure-mgmt-resources:jar:1.22.0:compile
[INFO] |  |  +- io.reactivex:rxjava:jar:1.3.8:compile
[INFO] |  |  \- com.microsoft.azure:azure-annotations:jar:1.8.0:compile
[INFO] |  \- com.microsoft.azure:azure-mgmt-graph-rbac:jar:1.22.0:compile
[INFO] +- com.microsoft.azure:azure-keyvault:jar:1.2.4:compile
[INFO] |  \- com.microsoft.rest:client-runtime:jar:1.7.4:compile
[INFO] |     +- com.squareup.retrofit2:retrofit:jar:2.7.2:compile
[INFO] |     +- com.squareup.okhttp3:okhttp:jar:3.12.6:compile
[INFO] |     |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |     +- com.squareup.okhttp3:logging-interceptor:jar:3.12.2:compile
[INFO] |     +- com.squareup.okhttp3:okhttp-urlconnection:jar:3.12.2:compile
[INFO] |     +- com.squareup.retrofit2:converter-jackson:jar:2.7.2:compile
[INFO] |     +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.1:compile
[INFO] |     |  \- joda-time:joda-time:jar:2.9.9:compile
[INFO] |     \- com.squareup.retrofit2:adapter-rxjava:jar:2.7.2:compile
[INFO] +- com.microsoft.azure:azure-keyvault-webkey:jar:1.2.4:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile
[INFO] +- com.microsoft.azure:azure-keyvault-extensions:jar:1.2.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO] +- com.microsoft.aad:adal4j:jar:0.0.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:4.5:compile
[INFO] |  |  +- javax.mail:mail:jar:1.4.7:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  |  \- com.nimbusds:lang-tag:jar:1.4:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:8.22.1:compile
[INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  \- net.minidev:json-smart:jar:2.4.7:compile
[INFO] |     \- net.minidev:accessors-smart:jar:2.4.7:compile
[INFO] |        \- org.ow2.asm:asm:jar:9.1:compile
[INFO] +- org.apache.pdfbox:pdfbox-tools:jar:2.0.17:compile
[INFO] |  \- org.apache.pdfbox:pdfbox-debugger:jar:2.0.17:compile
[INFO] |     \- org.apache.pdfbox:pdfbox:jar:2.0.17:compile
[INFO] |        \- org.apache.pdfbox:fontbox:jar:2.0.17:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] +- org.apache.pdfbox:jbig2-imageio:jar:3.0.2:compile
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO] |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcmail-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.70:compile
[INFO] \- com.beust:jcommander:jar:1.72:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.611 s
[INFO] Finished at: 2022-08-06T15:10:39+02:00
[INFO] ------------------------------------------------------------------------
{code}
You can see:
{code}
[INFO] +- com.microsoft.azure:azure-keyvault-webkey:jar:1.2.4:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile
[INFO] +- com.microsoft.azure:azure-keyvault-extensions:jar:1.2.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO] +- com.microsoft.aad:adal4j:jar:0.0.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:4.5:compile
{code}
That means only the version of jackson-databind is used, based on your pom file.

I would strongly recommend upgrading the {{jackson-core}} dependency to the newer version as well (in the meantime, to https://search.maven.org/search?q=g:com.fasterxml.jackson.core).
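To confirm what actually landed in the shaded jar instead of reading a version off the jar name, inspect the {{pom.properties}} entries Maven bundles under {{META-INF/maven/}}; the script below is an added example, not code from this ticket or the Shade plugin, and its sample jar is constructed in memory to mirror the Jackson versions in the dependency tree above.

```python
"""Read which Jackson artifact versions are actually bundled in a (shaded) jar.
Maven copies each dependency's pom.properties into the jar under
META-INF/maven/<groupId>/<artifactId>/ (same data as `unzip -p app.jar META-INF/maven/...`)."""
import io
import re
import zipfile

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """'2.12.6.1' -> (2, 12, 6, 1), so 2.12.6.1 compares greater than 2.12.6."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", v))


def bundled_versions(jar_bytes, group_prefix="com.fasterxml.jackson"):
    """Map 'groupId:artifactId' -> version for every matching pom.properties."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m or not m.group(1).startswith(group_prefix):
                continue
            lines = jar.read(name).decode("utf-8").splitlines()
            props = dict(line.split("=", 1) for line in lines
                         if "=" in line and not line.startswith("#"))
            found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found


def below_minimum(versions, minimum):
    """Artifacts whose bundled version is older than `minimum` (e.g. the fix release)."""
    floor = parse_version(minimum)
    return sorted(a for a, v in versions.items() if parse_version(v) < floor)


def build_sample_jar():
    """Constructed stand-in for the reporter's shaded jar; versions mirror the tree above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for art, ver in (("jackson-core", "2.12.6"), ("jackson-databind", "2.12.6.1"),
                         ("jackson-annotations", "2.10.1")):
            jar.writestr(f"META-INF/maven/com.fasterxml.jackson.core/{art}/pom.properties",
                         f"#Generated by Maven\nversion={ver}\n"
                         f"groupId=com.fasterxml.jackson.core\nartifactId={art}\n")
    return buf.getvalue()


if __name__ == "__main__":
    found = bundled_versions(build_sample_jar())
    print(found)  # databind is 2.12.6.1; the 2.12.6 seen in the jar is jackson-core
    print(below_minimum(found, "2.12.6.1"))
```

Only jackson-databind reports 2.12.6.1; jackson-core and jackson-annotations are the older artifacts, which is what the reporter's version check picked up.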


> Jackson-databind version is being picked as 2.12.6 instead of 2.12.6.1
> -----------------------------------------------------------------------
>
>                 Key: MSHADE-418
>                 URL: https://issues.apache.org/jira/browse/MSHADE-418
>             Project: Maven Shade Plugin
>          Issue Type: Bug
>    Affects Versions: 3.3.0
>            Reporter: Saikrishna Kosna
>            Priority: Major
>         Attachments: pom.xml
>
>
> There was a security issue in jackson-databind, which needs to be upgraded to 
> 2.12.6.1 version. When the version is updated and the Jar file is generated, 
> the security issue still exists as part of the Jar file and the version is 
> being shown as 2.12.6 instead of 2.12.6.1.  Attaching the pom.xml file, 
> please let me know if I am doing something wrong.


