Sorry to revive this old thread, but it's related to an issue I'm finding 
now.

We are also in the situation of upgrading some dependencies on corporate 
legacy software which, due to runtime platform restrictions, can only use 
JDK 6.

We've found that jackson 2.9.9 solves all current vulnerabilities found 
but, when updating from 2.3.0 (yup, I know this was a long, long time ago) 
we are getting runtime errors on required runtime version for 
jackson-databind ObjectMapper:

java.lang.UnsupportedClassVersionError: com/fasterxml/jackson/databind/ObjectMapper : Unsupported major.minor version 51.0

I've looked at the pom 
<https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.pom>
 
and, indeed, jackson-databind is compiled with java 7 as target, although 
it mentions java 6 compatibility:

<properties>
<!--
With Jackson 2.9 we will require JDK 7 (except for annotations/streaming),
         and new language features (diamond pattern) may be used.
         JDK classes are still loaded dynamically since there isn't much downside
         (small number of types); this allows use on JDK 6 platforms still (including
         Android)
-->
<javac.src.version>1.7</javac.src.version>
<javac.target.version>1.7</javac.target.version>


The last one with java 6 target is 2.7.9.5, but this one still carries 9 
known CVEs 
<https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/version_id-271926/Fasterxml-Jackson-databind-2.7.9.5.html>
...

Is there any workaround known/suggested?

Thanks and greetings!!!

On Friday, February 1, 2019 at 12:39:34 AM UTC+1, Tatu Saloranta wrote:
>
> On Thu, Jan 31, 2019 at 3:34 PM Penny Wells <[email protected]> wrote: 
> > 
> > The Jackson component is embedded into an enterprise software of our 
> > company that will not go beyond Java 7 for many years to come. 
> > Can we safely make the assumption that Jackson 2.9.8 will never require 
> > Java version 7? We will not use any Java 8-specific features (Lambda 
> > expressions, etc), but will that guarantee that the Jackson 2.9.8 will 
> > work as they have been in the recent versions on Java 7? (Build and 
> > Runtime). Is it possible to exclude any Java-8-specific support from Jackson 
> > libraries version 2.9.8? 
>
> Yes. Jackson 2.9.x in general does not use any Java 8 (or beyond 
> features) without additional modules (there are 3 that can be used to 
> add Java 8 features like Optional, and Java 8 date/time). Runtime 
> attempts to work on Java 6, with (small number of) Java 7 types being 
> dynamically loaded, but build requires JDK 7. 
>
> It is our intention to keep the same baseline for 2.10 as well, and 
> barring any unforeseen major breakages, I don't see why 2.x major 
> version would ever require Java 8 to run. 
>
> -+ Tatu +- 
>
> ps. I am happy this question gets asked as often feedback on need for 
> support for older JVM/JDK versions is not nearly as loud as one for 
> forward-direction (when does Jackson fully support Java 11) -- there's 
> fine balance with things 
>
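
Added example, not part of the original thread or of the Jackson project: a pre-deployment check that reads the class-file major version of every class in a jar and reports those a Java 6 runtime would reject with the UnsupportedClassVersionError shown above (major 51 = Java 7). The function names and the sample jar are constructed for illustration; the sample holds 8-byte headers only, not real classes.

```python
import io
import struct
import zipfile

MAGIC = 0xCAFEBABE  # first four bytes of every Java class file

def java_release(major):
    """Class-file major version -> Java release (50 -> 6, 51 -> 7, 52 -> 8)."""
    return major - 44

def scan_jar(jar, max_java=6):
    """Return {entry_name: java_release} for classes newer than max_java.

    jar is a filesystem path or a binary file-like object.
    """
    too_new = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            # Multi-release entries are only read by Java 9+ runtimes,
            # so they cannot break an older JVM.
            if name.startswith("META-INF/versions/"):
                continue
            with zf.open(name) as fh:
                header = fh.read(8)
            if len(header) < 8:
                continue  # truncated entry, not a usable class file
            magic, _minor, major = struct.unpack(">IHH", header)
            if magic != MAGIC:
                continue  # .class suffix but not a class file
            if java_release(major) > max_java:
                too_new[name] = java_release(major)
    return too_new

def build_sample_jar():
    """Constructed sample jar held in memory (headers only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/OldApi.class", struct.pack(">IHH", MAGIC, 0, 50))
        zf.writestr("demo/NewApi.class", struct.pack(">IHH", MAGIC, 0, 51))
        zf.writestr("META-INF/versions/9/demo/NewApi.class",
                    struct.pack(">IHH", MAGIC, 0, 53))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, release in sorted(scan_jar(build_sample_jar()).items()):
        print(f"{name}: needs Java {release}+")
```

Pointing `scan_jar` at each jar on the application's classpath during the build turns a runtime failure after a security upgrade into a build-time finding.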
