This is an automated email from the ASF dual-hosted git repository. symat pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/master by this push: new f91a1fc08 ZOOKEEPER-4716: upgrade jackson to 2.15.2, suppress two false positive CVE errors (#2026) f91a1fc08 is described below commit f91a1fc08b61f00f3726d6595db45835b4cfea62 Author: Mate Szalay-Beko <sy...@apache.org> AuthorDate: Sun Jul 2 16:19:03 2023 +0200 ZOOKEEPER-4716: upgrade jackson to 2.15.2, suppress two false positive CVE errors (#2026) Our jackson is quite old, I want to upgrade it before release 3.8.2. Also we have a few false positive CVEs reported by OWASP: - CVE-2023-35116: according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098 - CVE-2022-45688: the following CVE is not even jackson related, but a vulnerability in json-java which we don't use in ZooKeeper --- owaspSuppressions.xml | 12 ++++++++++++ pom.xml | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml index 702032132..0c09a096f 100644 --- a/owaspSuppressions.xml +++ b/owaspSuppressions.xml @@ -54,4 +54,16 @@ <cve>CVE-2021-34429</cve> </suppress> + <suppress> + <!-- ZOOKEEPER-4716: jackson related false positives --> + + <!-- according to jackson community, this is not a security issue, + see: https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098 --> + <cve>CVE-2023-35116</cve> + + <!-- the following CVE is not even jackson related, but a vulnerability + in json-java which we don't use in ZooKeeper --> + <cve>CVE-2022-45688</cve> + </suppress> + </suppressions> diff --git a/pom.xml b/pom.xml index df2a40307..ce01ee71d 100644 --- a/pom.xml +++ b/pom.xml 
@@ -560,7 +560,7 @@ <commons-cli.version>1.5.0</commons-cli.version> <netty.version>4.1.94.Final</netty.version> <jetty.version>9.4.51.v20230217</jetty.version> - <jackson.version>2.13.4.2</jackson.version> + <jackson.version>2.15.2</jackson.version> <jline.version>2.14.6</jline.version> <snappy.version>1.1.9.1</snappy.version> <kerby.version>2.0.0</kerby.version>
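Review bot: In the owaspSuppressions.xml hunk the new `<suppress>` block matches on bare `<cve>` entries with no `<packageUrl>` or `<gav>` scope, so CVE-2022-45688 is silenced for every artifact in the build, not just for the jackson artifacts that currently trip the false positive. The comment itself says the CVE is real but belongs to json-java, which ZooKeeper does not use; if json-java ever arrives as a transitive dependency the finding would stay hidden. Suggest scoping the entry, e.g. `<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\..*$</packageUrl>` above the `<cve>` lines, and adding a `<notes>` element (or an `until` date on `<suppress>`) for CVE-2023-35116 so the disputed status is re-checked once the NVD entry is revised.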
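Review bot: The pom.xml hunk moves `jackson.version` across two minor lines (2.13.4.2 to 2.15.2) but the commit message only discusses the CVE suppressions; the description should state that 2.15 turns on default StreamReadConstraints (limits on string length, number length and nesting depth) when parsing, and confirm that the JSON-handling tests pass with the new version, since that is the only behavioural check visible for a property-only change.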