Upgrade jackson databind to version 12.3.0 or above #4138
Comments
Hey, just wanted to give an update - the error above is related to a change in functionality in the jackson-databind library related to the way annotations and mixins are implemented, and we were disabling annotations for some tests, by doing In any case, sorry for the confusion, nothing is needed in swagger for the jackson error, but the fact that versions below 2.13.0 are vulnerable still remains.
thanks for reporting this. Updated jackson to 2.13.2 in #4144
Snyk (security analysis tool) has found recent vulnerabilities affecting com.fasterxml.jackson.core:jackson-databind package, versions [,2.13.0): SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244.
We are using the gradle package 'io.swagger.core.v3:swagger-jaxrs2', and the latest version has a dependency on jackson-databind version 2.12.1.
When trying to upgrade the jackson-databind version to 2.13.0 or above, a NullPointerException appears when using the jackson types:
java.lang.NullPointerException
    at com.fasterxml.jackson.databind.introspect.AnnotatedCreatorCollector.collect(AnnotatedCreatorCollector.java:79)
    at com.fasterxml.jackson.databind.introspect.AnnotatedCreatorCollector.collectCreators(AnnotatedCreatorCollector.java:61)
    at com.fasterxml.jackson.databind.introspect.AnnotatedClass._creators(AnnotatedClass.java:403)
    at com.fasterxml.jackson.databind.introspect.AnnotatedClass.getFactoryMethods(AnnotatedClass.java:315)
    at com.fasterxml.jackson.databind.introspect.BasicBeanDescription.getFactoryMethods(BasicBeanDescription.java:572)
    at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._addExplicitFactoryCreators(BasicDeserializerFactory.java:646)
    at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._constructDefaultValueInstantiator(BasicDeserializerFactory.java:279)
    at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findValueInstantiator(BasicDeserializerFactory.java:223)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.buildBeanDeserializer(BeanDeserializerFactory.java:261)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:150)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:415)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:350)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:264)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:244)
    at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:142)
    at com.fasterxml.jackson.databind.DeserializationContext.findNonContextualValueDeserializer(DeserializationContext.java:632)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.resolve(BeanDeserializerBase.java:539)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:294)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:244)
    at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:142)
    at com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:642)
    at com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:4806)
    at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4387)
    at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4325)
    at io.swagger.v3.core.util.ModelDeserializer.deserializeObjectSchema(ModelDeserializer.java:108)
    at io.swagger.v3.core.util.ModelDeserializer.deserialize(ModelDeserializer.java:74)
    at io.swagger.v3.core.util.ModelDeserializer.deserialize(ModelDeserializer.java:27)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4675)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3630)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3598)
    at io.swagger.v3.core.filter.SpecFilter.filterComponentsSchema(SpecFilter.java:281)
    at io.swagger.v3.core.filter.SpecFilter.filter(SpecFilter.java:123)
Are there any plans to upgrade jackson-databind to a non-vulnerable version - i.e. 2.13.0 or above?
Or is there any fix that we could apply to get rid of the NPE?
Thanks!
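One way to lift the transitive jackson-databind out of the vulnerable [,2.13.0) range on the consumer side while swagger-jaxrs2 still declares 2.12.1, as an added Gradle example (not from the issue or the swagger project; the swagger-jaxrs2 version is a placeholder, and 2.13.2 is the version the maintainers moved to in #4144):

```groovy
// build.gradle (Groovy DSL), consumer project
dependencies {
    // placeholder version: use the swagger-jaxrs2 release your project is on
    implementation 'io.swagger.core.v3:swagger-jaxrs2:<your-version>'

    // A dependency constraint raises the resolved version of the transitive
    // jackson-databind for every configuration that sees it, without
    // re-declaring it as a direct dependency. Gradle keeps the higher of the
    // constraint and whatever swagger-jaxrs2 asks for (2.12.1 here).
    constraints {
        implementation('com.fasterxml.jackson.core:jackson-databind:2.13.2') {
            because 'SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244 affects versions [,2.13.0)'
        }
    }
}
```

Confirm the resolved version with `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath`; the report shows the constraint and its `because` reason as the selection cause.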