[ https://issues.apache.org/jira/browse/MSHADE-418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576214#comment-17576214 ]
Karl Heinz Marbaise commented on MSHADE-418:
--------------------------------------------

Based on your {{pom.xml}} file you have defined two dependencies:

{code:xml}
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-core</artifactId>
  <version>2.12.6</version>
</dependency>
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.12.6.1</version>
</dependency>
{code}

which means only {{jackson-databind}} will be used with the upgraded version. If you analyse your pom via:

{code}
$ mvn org.apache.maven.plugins:maven-dependency-plugin:3.3.0:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< sign.core.opentext.com:digital-signer >----------------
[INFO] Building Digital-Signer 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ digital-signer ---
[INFO] sign.core.opentext.com:digital-signer:jar:1.0-SNAPSHOT
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- commons-codec:commons-codec:jar:1.13:compile
[INFO] +- com.microsoft.azure:azure-keyvault-core:jar:1.2.4:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] |  \- com.google.guava:guava:jar:24.1.1-jre:compile
[INFO] |     +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |     +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] |     +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |     +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- com.microsoft.azure:azure-keyvault-cryptography:jar:1.2.4:compile
[INFO] +- com.microsoft.azure:azure-mgmt-keyvault:jar:1.22.0:compile
[INFO] |  +- com.microsoft.azure:azure-client-runtime:jar:1.6.4:compile
[INFO] |  +- com.microsoft.azure:azure-mgmt-resources:jar:1.22.0:compile
[INFO] |  |  +- io.reactivex:rxjava:jar:1.3.8:compile
[INFO] |  |  \- com.microsoft.azure:azure-annotations:jar:1.8.0:compile
[INFO] |  \- com.microsoft.azure:azure-mgmt-graph-rbac:jar:1.22.0:compile
[INFO] +- com.microsoft.azure:azure-keyvault:jar:1.2.4:compile
[INFO] |  \- com.microsoft.rest:client-runtime:jar:1.7.4:compile
[INFO] |     +- com.squareup.retrofit2:retrofit:jar:2.7.2:compile
[INFO] |     +- com.squareup.okhttp3:okhttp:jar:3.12.6:compile
[INFO] |     |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |     +- com.squareup.okhttp3:logging-interceptor:jar:3.12.2:compile
[INFO] |     +- com.squareup.okhttp3:okhttp-urlconnection:jar:3.12.2:compile
[INFO] |     +- com.squareup.retrofit2:converter-jackson:jar:2.7.2:compile
[INFO] |     +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.1:compile
[INFO] |     |  \- joda-time:joda-time:jar:2.9.9:compile
[INFO] |     \- com.squareup.retrofit2:adapter-rxjava:jar:2.7.2:compile
[INFO] +- com.microsoft.azure:azure-keyvault-webkey:jar:1.2.4:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile
[INFO] +- com.microsoft.azure:azure-keyvault-extensions:jar:1.2.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO] +- com.microsoft.aad:adal4j:jar:0.0.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:4.5:compile
[INFO] |  |  +- javax.mail:mail:jar:1.4.7:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  |  \- com.nimbusds:lang-tag:jar:1.4:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:8.22.1:compile
[INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  \- net.minidev:json-smart:jar:2.4.7:compile
[INFO] |     \- net.minidev:accessors-smart:jar:2.4.7:compile
[INFO] |        \- org.ow2.asm:asm:jar:9.1:compile
[INFO] +- org.apache.pdfbox:pdfbox-tools:jar:2.0.17:compile
[INFO] |  \- org.apache.pdfbox:pdfbox-debugger:jar:2.0.17:compile
[INFO] |     \- org.apache.pdfbox:pdfbox:jar:2.0.17:compile
[INFO] |        \- org.apache.pdfbox:fontbox:jar:2.0.17:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] +- org.apache.pdfbox:jbig2-imageio:jar:3.0.2:compile
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO] |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcmail-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.70:compile
[INFO] \- com.beust:jcommander:jar:1.72:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.611 s
[INFO] Finished at: 2022-08-06T15:10:39+02:00
[INFO] ------------------------------------------------------------------------
{code}

You can see:

{code}
[INFO] +- com.microsoft.azure:azure-keyvault-webkey:jar:1.2.4:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile
[INFO] +- com.microsoft.azure:azure-keyvault-extensions:jar:1.2.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO] +- com.microsoft.aad:adal4j:jar:0.0.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:4.5:compile
{code}

That means, based on your pom file, only the version of jackson-databind is used.

I would strongly recommend upgrading the {{jackson-core}} dependency to the newer version as well (in the meantime to https://search.maven.org/search?q=g:com.fasterxml.jackson.core).

> Jackson-databind version is being picked as 2.12.6 instead of 2.12.6.1
> -----------------------------------------------------------------------
>
>                 Key: MSHADE-418
>                 URL: https://issues.apache.org/jira/browse/MSHADE-418
>             Project: Maven Shade Plugin
>          Issue Type: Bug
>    Affects Versions: 3.3.0
>            Reporter: Saikrishna Kosna
>            Priority: Major
>         Attachments: pom.xml
>
>
> There was a security issue in jackson-databind, which needs to be upgraded to
> 2.12.6.1 version. When the version is updated and the Jar file is generated,
> the security issue still exists as part of the Jar file and the version is
> being shown as 2.12.6 instead of 2.12.6.1. Attaching the pom.xml file,
> please let me know if I am doing something wrong.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
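The thread turns on the difference between what the POM declares and what actually ends up inside the shaded jar. The following added example, which is not code from the MSHADE-418 thread or from the Maven Shade Plugin project, shows how a build or release check can verify the packaged versions directly: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that Maven-built jars carry (and that an uber-jar inherits from the dependencies it bundles), compares them against required minimums, and flags a group whose artifacts are packaged at mixed versions, which is exactly the jackson-core 2.12.6 / jackson-databind 2.12.6.1 situation in the comment above. The jar it inspects is constructed in memory to mirror that situation; the function names and the `minimums` mapping are the example's own.

```python
"""Audit which Maven artifact versions are really packaged inside a jar.

Added example (not part of the MSHADE-418 thread). Every Maven-built jar carries
META-INF/maven/<groupId>/<artifactId>/pom.properties, and a shaded uber-jar keeps
those files for each dependency it bundles, so they tell you what was shipped
rather than what the pom declared.
"""
import io
import zipfile
from pathlib import PurePosixPath


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def bundled_versions(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            path = PurePosixPath(name)
            if path.parts[:2] == ("META-INF", "maven") and path.name == "pom.properties":
                props = parse_properties(jar.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def version_key(version):
    """Numeric tuple for dotted versions so that 2.12.6 sorts below 2.12.6.1."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_minimums(jar_bytes, minimums):
    """List (groupId:artifactId, packaged_version_or_None, required) for every
    artifact that is missing or packaged below the required minimum."""
    bundled = bundled_versions(jar_bytes)
    problems = []
    for ga, required in minimums.items():
        group, artifact = ga.split(":", 1)
        packaged = bundled.get((group, artifact))
        if packaged is None or version_key(packaged) < version_key(required):
            problems.append((ga, packaged, required))
    return problems


def group_versions(jar_bytes, group_id):
    """Set of distinct versions packaged for one groupId; more than one entry
    means the group's artifacts were upgraded inconsistently."""
    return {v for (g, _a), v in bundled_versions(jar_bytes).items() if g == group_id}


def build_sample_jar():
    """Constructed sample jar shaped like the uber-jar discussed in the thread:
    jackson-core still at 2.12.6, jackson-databind upgraded to 2.12.6.1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
            "#Generated by Maven\nversion=2.12.6\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-core\n")
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "version=2.12.6.1\ngroupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n")
        # A placeholder class entry; the magic bytes are all the check needs.
        jar.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for (g, a), v in sorted(bundled_versions(jar).items()):
        print(f"{g}:{a} -> {v}")
    for ga, packaged, required in check_minimums(
            jar, {"com.fasterxml.jackson.core:jackson-databind": "2.12.6.1"}):
        print(f"BELOW MINIMUM: {ga} packaged={packaged} required>={required}")
    mixed = group_versions(jar, "com.fasterxml.jackson.core")
    if len(mixed) > 1:
        print(f"mixed versions for com.fasterxml.jackson.core: {sorted(mixed)}")
```

Point the `bundled_versions` call at the real `target/*.jar` produced by the shade plugin to replace the constructed sample; the mixed-version report is the quickest way to catch a partial upgrade such as the one in this issue before the artifact is released.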