This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

Overwrite Jetty version of Jackson temporarily to fix Sonatype-2022-6438 #194

yeikel opened this issue Aug 1, 2023 · 2 comments

yeikel commented Aug 1, 2023

Currently, the Jackson version bundled with jersey is vulnerable to Sonatype-2022-6438. See FasterXML/jackson-core#861 (Jackson is a transitive dependency)

This is currently under discussion here eclipse-ee4j/jersey#5283 but it is unclear when that will be resolved

Sadly, due to this vulnerability, we cannot use prettier-plugin-apex in our environment because this dependency is pulling Jackson 2.14.1

Would you be open to temporarily overwriting the version of Jackson?

We should be able to exclude it from jetty and define Jackson 2.15 explicitly

https://github.com/dangmai/apex-ast-serializer/blob/master/build.gradle#L117

Current dependency tree:

org.glassfish.jersey.media:jersey-media-json-jackson:3.1.3
|    +--- org.glassfish.jersey.core:jersey-common:3.1.3 (*)
|    +--- org.glassfish.jersey.ext:jersey-entity-filtering:3.1.3
|    |    \--- jakarta.ws.rs:jakarta.ws.rs-api:3.1.0
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1
|    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1
|    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1 (c)
|    |         +--- com.fasterxml.jackson.core:jackson-core:2.14.1 (c)
|    |         +--- com.fasterxml.jackson.core:jackson-databind:2.14.1 (c)
|    |         \--- com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:2.14.1 (c)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.14.1
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-core:2.14.1
|    |    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1 (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1 (*)
|    +--- com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:2.14.1
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-core:2.14.1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.14.1 (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.14.1 (*)
|    \--- jakarta.xml.bind:jakarta.xml.bind-api:4.0.0
|         \--- jakarta.activation:jakarta.activation-api:2.1.0 -> 2.1.2

We can volunteer and send a pull request with that change if accepted
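The override the comment above proposes (keep jersey-media-json-jackson, but force the Jackson artifacts it pulls in up to 2.15) can be expressed in Gradle as below. This is an added example, not code from apex-ast-serializer's build.gradle or from the linked pull request; it assumes the Groovy DSL, the `java` plugin's `implementation` and `runtimeClasspath` configurations, and 2.15.2 as the patch release to pin (the issue only says "2.15"). The `verifyJacksonVersion` task is a hypothetical guard added here so a later jersey bump cannot silently drag 2.14.x back in.

```groovy
// Added example (not the project's build.gradle). Assumes the java plugin
// and the Groovy DSL; the Jackson version 2.15.2 is an assumed patch level.
dependencies {
    // Jersey stays as-is; only its Jackson edges are overridden below.
    implementation 'org.glassfish.jersey.media:jersey-media-json-jackson:3.1.3'

    // Importing the Jackson BOM moves jackson-core, jackson-databind,
    // jackson-annotations and the jakarta-xmlbind module together, which
    // avoids mixing a 2.15 core with 2.14 databind/annotations.
    implementation platform('com.fasterxml.jackson:jackson-bom:2.15.2')

    constraints {
        // Hard floor for the artifact that carries the fix, so no other
        // transitive path can pull the version back below 2.15.
        implementation('com.fasterxml.jackson.core:jackson-core') {
            version { strictly '[2.15, 3)' }
            because 'Sonatype-2022-6438 (FasterXML/jackson-core#861) is fixed in 2.15'
        }
    }
}

// Returns true when a "major.minor[.patch]" version string is >= major.minor.
// Hypothetical helper for the verification task below.
def atLeast(String version, int major, int minor) {
    def parts = version.tokenize('.')
    def maj = parts[0].toInteger()
    // Strip qualifiers such as "-rc1" before parsing the minor component.
    def min = parts.size() > 1 ? parts[1].replaceAll(/\D.*/, '').toInteger() : 0
    return maj > major || (maj == major && min >= minor)
}

// Fails the build if any Jackson artifact resolves below 2.15 on the
// runtime classpath. Resolution happens inside doLast so configuration
// time is not affected.
tasks.register('verifyJacksonVersion') {
    description = 'Fails if any com.fasterxml.jackson artifact resolves below 2.15'
    doLast {
        def unpatched = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group.startsWith('com.fasterxml.jackson') }
            .findAll { !atLeast(it.version, 2, 15) }
            .collect { "${it.group}:${it.name}:${it.version}" }
            .unique()
        if (unpatched) {
            throw new GradleException(
                "Jackson artifacts still below 2.15 on runtimeClasspath: ${unpatched}")
        }
    }
}

// Run the guard as part of the normal `check` lifecycle.
tasks.named('check') { dependsOn 'verifyJacksonVersion' }
```

After applying this, `./gradlew dependencies --configuration runtimeClasspath` should show every `com.fasterxml.jackson` line as `2.14.1 -> 2.15.2`. Note that a clean resolution only proves what ends up on the classpath; whether jersey-media-json-jackson 3.1.3 actually works against Jackson 2.15 is what the project's own test suite has to confirm.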

dangmai (Owner) commented Aug 2, 2023

Hello! Yes, I'd welcome a PR to fix this. Please understand that if the transitive dependency's explicit version does not work with all the tests on the Prettier Apex side (because it looks like jersey itself has some issue upgrading to the new version), then I won't be able to merge it.

yeikel (Author) commented Aug 5, 2023

> Hello! Yes, I'd welcome a PR to fix this. Please understand that if the transitive dependency's explicit version does not work with all the tests on the Prettier Apex side (because it looks like jersey itself has some issue upgrading to the new version), then I won't be able to merge it.

I submitted #195

> Please understand that if the transitive dependency's explicit version does not work with all the tests on the Prettier Apex

That's fair. How can I test this?
