[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mate Szalay-Beko updated ZOOKEEPER-4716: ---------------------------------------- Issue Type: Task (was: Improvement) > Upgrade jackson to 2.15.2, suppress two false positive CVE errors > ----------------------------------------------------------------- > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Task > Affects Versions: 3.8.1 > Reporter: Mate Szalay-Beko > Assignee: Mate Szalay-Beko > Priority: Major > Labels: pull-request-available > Fix For: 3.9.0, 3.7.2, 3.8.2 > > Time Spent: 40m > Remaining Estimate: 0h > > Our jackson is quite old, I want to upgrade it before release 3.8.2. > Also we have a few false positive CVEs reported by OWASP: > * CVE-2023-35116: according to jackson community, this is not a security > issue, see > [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098] > * CVE-2022-45688: the following CVE is not even jackson related, but a > vulnerability in json-java which we don't use in ZooKeeper > > {code:java} > [INFO] Finished at: 2023-06-30T13:23:38+02:00 > [INFO] > ------------------------------------------------------------------------ > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check > (default-cli) on project zookeeper: > [ERROR] > [ERROR] One or more dependencies were identified with vulnerabilities that > have a CVSS score greater than or equal to '0.0': > [ERROR] > [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) > [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)