Vulnerability issue in dependent lib #451
Description
WhiteSource flagged vulnerability issue in one of the dependent libraries - jackson-databind version 2.10.1
Following is the maven dependency tree for ring-defaults:
[INFO] +- metosin:compojure-api:jar:2.0.0-alpha31:compile
[INFO] | +- potemkin:potemkin:jar:0.4.5:compile
[INFO] | | +- (clj-tuple:clj-tuple:jar:0.2.2:compile - omitted for duplicate)
[INFO] | | - (riddley:riddley:jar:0.1.12:compile - omitted for conflict with 0.1.14)
[INFO] | +- prismatic:schema:jar:1.1.12:compile
[INFO] | +- prismatic:plumbing:jar:0.5.5:compile
[INFO] | | +- (prismatic:schema:jar:1.1.7:compile - omitted for conflict with 1.1.12)
[INFO] | | - de.kotka:lazymap:jar:3.1.0:compile
[INFO] | +- ikitommi:linked:jar:1.3.1-alpha1:compile
[INFO] | +- metosin:muuntaja:jar:0.6.6:compile
[INFO] | | +- metosin:jsonista:jar:0.2.5:compile
[INFO] | | | +- (com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile - omitted for conflict with 2.10.1)
[INFO] | | | - com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.0:compile
[INFO] | | | +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.10.0:compile - omitted for duplicate)
[INFO] | | | +- (com.fasterxml.jackson.core:jackson-core:jar:2.10.0:compile - omitted for conflict with 2.9.0)
[INFO] | | | - (com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile - omitted for duplicate)
[INFO] | | - com.cognitect:transit-clj:jar:0.8.319:compile
[INFO] | | - com.cognitect:transit-java:jar:0.8.337:compile
[INFO] | | +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.7:compile - omitted for conflict with 2.9.0)
[INFO] | | +- org.msgpack:msgpack:jar:0.6.12:compile
[INFO] | | | +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] | | | - org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] | | +- (commons-codec:commons-codec:jar:1.6:compile - omitted for conflict with 1.11)
[INFO] | | - javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.1:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.10.1:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.1:compile
[INFO] | | | +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile - omitted for duplicate)
[INFO] | | | - (com.fasterxml.jackson.core:jackson-core:jar:2.10.1:compile - omitted for duplicate)
[INFO] | | - (joda-time:joda-time:jar:2.9.9:compile - omitted for conflict with 2.10.5)
...
This is the whitesource complain:
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
References:
FasterXML/jackson-databind#2589
https://bugzilla.redhat.com/show_bug.cgi?id=1887664
FasterXML/jackson-databind#2589
We tried to update the version of jackson-databind to 2.11.0 and run through the whitesource, and it went through successfully.
Would it be possible for you to update the version of jackson-databind in "compojure-api"? If yes, how soon can you provide updated build?
Also, from the above dep tree you can see that metosin:jsonista:jar:0.2.5 also used jackson-databind. Probably, that one also needs to be changed..?
FYI: I know that similar ticket exists - #433 . But, it's description is a bit different than mine, that's why opening new one.