diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 4e09cc4dfc..b57b1259b1 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -24,6 +24,10 @@ object Dependencies {
   val JwtCoreVersion = "3.0.1"
+  // Releases https://github.com/FasterXML/jackson-databind/releases
+  // CVE issues https://github.com/FasterXML/jackson-databind/issues?utf8=%E2%9C%93&q=+label%3ACVE
+  val JacksonDatabindVersion = "2.9.9"
+
   // Allows to silence scalac compilation warnings selectively by code block or file path
   // This is only compile time dependency, therefore it does not affect the generated bytecode
   // https://github.com/ghik/silencer
@@ -57,8 +61,8 @@ object Dependencies {
   val AwsLambda = Seq(
     libraryDependencies ++= Seq(
       "software.amazon.awssdk" % "lambda" % AwsSdk2Version, // ApacheV2
-      // overriding AWS SDK version to avoid https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
-      "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9",
+      // overriding AWS SDK version to avoid security issues
+      "com.fasterxml.jackson.core" % "jackson-databind" % JacksonDatabindVersion,
       "org.mockito" % "mockito-core" % mockitoVersion % Test // MIT
     )
   )
@@ -129,7 +133,7 @@ object Dependencies {
     libraryDependencies ++= Seq(
       "org.elasticsearch.client" % "elasticsearch-rest-client" % "6.3.1", // ApacheV2
       "io.spray" %% "spray-json" % "1.3.5", // ApacheV2
-      "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9", // ApacheV2
+      "com.fasterxml.jackson.core" % "jackson-databind" % JacksonDatabindVersion, // ApacheV2
       "org.codelibs" % "elasticsearch-cluster-runner" % "6.3.1.0" % Test, // ApacheV2
       "org.slf4j" % "jcl-over-slf4j" % "1.7.25" % Test
     )
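Review bot: The comment above the new `JacksonDatabindVersion` constant links to the CVE issue tracker but does not record why 2.9.9 in particular was chosen, and the hunks at -57, -368 and -401 replace the explicit CVE-2019-12086 reference with the vaguer `avoid security issues`, so the minimum version that must not be lowered is no longer documented anywhere in the file. Keep the identifier next to the value it justifies, e.g. `// 2.9.9 is the minimum release addressing CVE-2019-12086 pulled in transitively; do not lower` directly above `val JacksonDatabindVersion = "2.9.9"`, and leave a short pointer to that constant in the per-module comments. Declaring jackson-databind as a direct dependency presumably acts only as a version floor under sbt's default latest-revision conflict resolution, so a transitive dependency can still raise the effective version; if a hard pin is intended, `dependencyOverrides` would express that explicitly.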
@@ -170,7 +174,7 @@ object Dependencies {
     Seq(
       "com.chuusai" %% "shapeless" % "2.3.3",
       // overriding version from geode to avoid some security vulnerabilities
-      "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9",
+      "com.fasterxml.jackson.core" % "jackson-databind" % JacksonDatabindVersion,
       "org.slf4j" % "log4j-over-slf4j" % slf4jVersion % Test // MIT like: http://www.slf4j.org/license.html
     )
   )
@@ -269,7 +273,7 @@ object Dependencies {
       "com.github.jsurfer" % "jsurfer" % "1.4.3", // MIT,
       "com.github.jsurfer" % "jsurfer-jackson" % "1.4.3", // MIT
       // overriding version from jsurfer-jackson to avoid some security vulnerabilities
-      "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9"
+      "com.fasterxml.jackson.core" % "jackson-databind" % JacksonDatabindVersion
     )
   )
@@ -368,8 +372,8 @@ object Dependencies {
       ExclusionRule("software.amazon.awssdk", "apache-client"),
       ExclusionRule("software.amazon.awssdk", "netty-nio-client")
     ),
-    // overriding AWS SDK version to avoid https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
-    "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9",
+    // overriding AWS SDK version to avoid security issues
+    "com.fasterxml.jackson.core" % "jackson-databind" % JacksonDatabindVersion,
     "com.typesafe.akka" %% "akka-http" % AkkaHttpVersion, // ApacheV2
     "org.mockito" % "mockito-core" % mockitoVersion % Test // MIT
   )
@@ -401,8 +405,8 @@ object Dependencies {
       ExclusionRule("software.amazon.awssdk", "apache-client"),
       ExclusionRule("software.amazon.awssdk", "netty-nio-client")
     ),
-    // overriding AWS SDK version to avoid https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
-    "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9",
+    // overriding AWS SDK version to avoid security issues
+    "com.fasterxml.jackson.core" % "jackson-databind" % JacksonDatabindVersion,
     "com.typesafe.akka" %% "akka-http" % AkkaHttpVersion, // ApacheV2
     "org.mockito" % "mockito-core" % mockitoVersion % Test, // MIT
     "org.mockito" % "mockito-inline" % mockitoVersion % Test // MIT