[jira] [Updated] (ZOOKEEPER-4716) Upgrade jackson to 2.15.2, suppress two false positive CVE errors

2023-07-05 Thread Mate Szalay-Beko (Jira) 


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mate Szalay-Beko updated ZOOKEEPER-4716:

Issue Type: Task  (was: Improvement)

> Upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
>  Issue Type: Task
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>  Labels: pull-request-available
> Fix For: 3.9.0, 3.7.2, 3.8.2
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Our jackson is quite old, I want to upgrade it before release 3.8.2.
> Also we have a few false positive CVEs reported by OWASP:
>  * CVE-2023-35116: according to jackson community, this is not a security 
> issue, see 
> [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
>  * CVE-2022-45688: the following CVE is not even jackson related, but a 
> vulnerability in json-java which we don't use in ZooKeeper
>  
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00 
> [INFO] 
>  
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
> (default-cli) on project zookeeper: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that 
> have a CVSS score greater than or equal to '0.0': 
> [ERROR] 
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
>  {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (ZOOKEEPER-4716) Upgrade jackson to 2.15.2, suppress two false positive CVE errors

2023-07-05 Thread Mate Szalay-Beko (Jira) 


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mate Szalay-Beko updated ZOOKEEPER-4716:

Summary: Upgrade jackson to 2.15.2, suppress two false positive CVE errors  
(was: upgrade jackson to 2.15.2, suppress two false positive CVE errors)

> Upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
>  Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>  Labels: pull-request-available
> Fix For: 3.9.0, 3.7.2, 3.8.2
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Our jackson is quite old, I want to upgrade it before release 3.8.2.
> Also we have a few false positive CVEs reported by OWASP:
>  * CVE-2023-35116: according to jackson community, this is not a security 
> issue, see 
> [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
>  * CVE-2022-45688: the following CVE is not even jackson related, but a 
> vulnerability in json-java which we don't use in ZooKeeper
>  
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00 
> [INFO] 
>  
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
> (default-cli) on project zookeeper: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that 
> have a CVSS score greater than or equal to '0.0': 
> [ERROR] 
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
>  {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors

2023-06-30 Thread ASF GitHub Bot (Jira) 


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated ZOOKEEPER-4716:
--
Labels: pull-request-available  (was: )

> upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
>  Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Our jackson is quite old, I want to upgrade it before release 3.8.2.
> Also we have a few false positive CVEs reported by OWASP:
>  * CVE-2023-35116: according to jackson community, this is not a security 
> issue, see 
> [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
>  * CVE-2022-45688: the following CVE is not even jackson related, but a 
> vulnerability in json-java which we don't use in ZooKeeper
>  
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00 
> [INFO] 
>  
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
> (default-cli) on project zookeeper: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that 
> have a CVSS score greater than or equal to '0.0': 
> [ERROR] 
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
>  {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors

2023-06-30 Thread Mate Szalay-Beko (Jira) 


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mate Szalay-Beko updated ZOOKEEPER-4716:

Description: 
Our jackson is quite old, I want to upgrade it before release 3.8.2.

Also we have a few false positive CVEs reported by OWASP:
 * CVE-2023-35116: according to jackson community, this is not a security 
issue, see 
[https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
 * CVE-2022-45688: the following CVE is not even jackson related, but a 
vulnerability in json-java which we don't use in ZooKeeper

 
{code:java}
[INFO] Finished at: 2023-06-30T13:23:38+02:00 
[INFO]  
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
(default-cli) on project zookeeper: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have 
a CVSS score greater than or equal to '0.0': 
[ERROR] 
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
[ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
 {code}
 

  was:
{code:java}
[INFO] Finished at: 2023-06-30T13:23:38+02:00 
[INFO]  
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
(default-cli) on project zookeeper: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have 
a CVSS score greater than or equal to '0.0': 
[ERROR] 
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
[ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
 {code}


> upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
>  Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>
> Our jackson is quite old, I want to upgrade it before release 3.8.2.
> Also we have a few false positive CVEs reported by OWASP:
>  * CVE-2023-35116: according to jackson community, this is not a security 
> issue, see 
> [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
>  * CVE-2022-45688: the following CVE is not even jackson related, but a 
> vulnerability in json-java which we don't use in ZooKeeper
>  
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00 
> [INFO] 
>  
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
> (default-cli) on project zookeeper: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that 
> have a CVSS score greater than or equal to '0.0': 
> [ERROR] 
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
>  {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors

2023-06-30 Thread Mate Szalay-Beko (Jira) 


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mate Szalay-Beko updated ZOOKEEPER-4716:

Summary: upgrade jackson to 2.15.2, suppress two false positive CVE errors  
(was: Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116)

> upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
>  Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00 
> [INFO] 
>  
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check 
> (default-cli) on project zookeeper: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that 
> have a CVSS score greater than or equal to '0.0': 
> [ERROR] 
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) 
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
>  {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)