This is an automated email from the ASF dual-hosted git repository.
symat pushed a commit to branch branch-3.7
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.7 by this push:
new 2e48ba52f ZOOKEEPER-4716: upgrade jackson to 2.15.2, suppress two false positive CVE errors (#2026)
2e48ba52f is described below
commit 2e48ba52f0871f9ee7306faaec6da80142e39546
Author: Mate Szalay-Beko <[email protected]>
AuthorDate: Sun Jul 2 16:19:03 2023 +0200
ZOOKEEPER-4716: upgrade jackson to 2.15.2, suppress two false positive CVE errors (#2026)
Our jackson is quite old; I want to upgrade it before release 3.8.2.
Also we have a few false positive CVEs reported by OWASP:
- CVE-2023-35116: according to the jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098
- CVE-2022-45688: the following CVE is not even jackson related, but a vulnerability in json-java which we don't use in ZooKeeper
(cherry picked from commit f91a1fc08b61f00f3726d6595db45835b4cfea62)
---
owaspSuppressions.xml | 12 ++++++++++++
pom.xml | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 41ac23181..e12ac28e5 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -63,4 +63,16 @@
<cve>CVE-2021-34429</cve>
</suppress>
+ <suppress>
+ <!-- ZOOKEEPER-4716: jackson related false positives -->
+
+ <!-- according to jackson community, this is not a security issue,
+ see:
https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098
-->
+ <cve>CVE-2023-35116</cve>
+
+ <!-- the following CVE is not even jackson related, but a vulnerability
+ in json-java which we don't use in ZooKeeper -->
+ <cve>CVE-2022-45688</cve>
+ </suppress>
+
</suppressions>
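Review bot: the new `<suppress>` block contains only `<cve>` children and no scope, so both CVE-2023-35116 and CVE-2022-45688 are suppressed for every dependency in the build, not just for the jackson artifacts that produced the false match. If a later dependency change pulled in the actual json-java (org.json) artifact, CVE-2022-45688 would stay hidden. Consider scoping the entry to the jackson coordinates, e.g. adding `<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson.*$</packageUrl>` inside the `<suppress>` element, and optionally an `until="..."` attribute on `<suppress>` so the suppression is revisited once the NVD data is corrected.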
diff --git a/pom.xml b/pom.xml
index 54f5e58e0..742c3f9b7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -439,7 +439,7 @@
<commons-cli.version>1.5.0</commons-cli.version>
<netty.version>4.1.86.Final</netty.version>
<jetty.version>9.4.49.v20220914</jetty.version>
- <jackson.version>2.13.4.2</jackson.version>
+ <jackson.version>2.15.2</jackson.version>
<jline.version>2.14.6</jline.version>
<snappy.version>1.1.9.1</snappy.version>
<kerby.version>2.0.0</kerby.version>
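Review bot: this bumps jackson across two minor releases (2.13.4.2 to 2.15.2) on a maintenance branch; jackson 2.15 introduced default StreamReadConstraints (maximum string length, number length and nesting depth) that can reject inputs the 2.13 parser accepted, so the change deserves a release-note entry and a run of the admin-server and JSON-output tests rather than only the dependency-check scan. The hunk updates a single `jackson.version` property; confirm that jackson-core, jackson-databind and jackson-annotations all reference that property so the artifacts do not end up on mixed versions.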