Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shaded third-party jackson-core 2.13.2 is missing fix for sonatype-2022-6438 #4336

Closed
ericfreese opened this issue Aug 23, 2023 · 3 comments
Closed

Shaded third-party jackson-core 2.13.2 is missing fix for sonatype-2022-6438 #4336

ericfreese opened this issue Aug 23, 2023 · 3 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@ericfreese
Copy link

Describe the bug

The shaded third-party jackson-core is set at version 2.13.2 which does not have a fix for vulnerability issue sonatype-2022-6438.

aws-sdk-java-v2/pom.xml

Line 95 in 5aa3ff3

<jackson.version>2.13.2</jackson.version>

Expected Behavior

The shaded third-party jackson-core should be at least version 2.15.0.

Current Behavior

The issue was flagged by a prisma scan.

Reproduction Steps

N/A

Possible Solution

Upgrade to at least 2.15.0. Hopefully this is not too difficult because of the shading.

From #2598 (comment):

Shading allows us to use the latest, secure Jackson version without worrying about breaking customer applications.

Additional Information/Context

See:

This issue is similar to: #3825

AWS Java SDK version used

2.18.41

JDK version used

openjdk version "1.8.0_382" OpenJDK Runtime Environment Corretto-8.382.05.1 (build 1.8.0_382-b05) OpenJDK 64-Bit Server VM Corretto-8.382.05.1 (build 25.382-b05, mixed mode)

Operating System and version

Linux 9d7c897afc63 6.4.11-arch2-1 #1 SMP PREEMPT_DYNAMIC Sat, 19 Aug 2023 15:38:34 +0000 x86_64 x86_64 x86_64 GNU/Linux
@ericfreese ericfreese added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 23, 2023
@debora-ito
Copy link
Member

debora-ito commented Aug 28, 2023
edited
Loading

@ericfreese acknowledged. Assigning a standard priority because it's a sonatype issue with no CVE attached.

@debora-ito debora-ito added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Aug 28, 2023
@debora-ito
Copy link
Member

The jackson version was upgraded as part of Java SDK version 2.20.140.

@github-actions
Copy link

github-actions bot commented Sep 6, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@apsivam apsivam mentioned this issue Jan 16, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ericfreese @debora-ito