Hello, Sorry if I wasn't clear, let me just enumerate some assumptions, if any of this is not true, please let me know and we can clarify if needed: * You know what NVD from NIST identifies the CVEs of public components; * You know that jackson-databind vulnerabilities are identified on NVD; * You know that vulnerability scan tools (such as Synopsys Blackduck or Snyk) rely on NVD as Source of Truth.
When I first contacted you, the vulnerabilities identified by NVD were not complete correct. There were a lot of CVEs that you already have fixed on jackson-databind:2.6.7.4. I also contacted NIST about this issue and they already update their database. Now, they only identify 4 CVEs check this link <https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*> . I think that right know, you just need to validate that the remaining CVEs are accurr, and if not, contact them too with further information. Why this is important? Companies rely on Vulnerability scan tools, and those tools rely on this NVD database. It's essential for your project that this information is up to date, in order to give the exact information for risk assessment analysis and, since the CVEs are wrongly reported, you want that info to be shared and show that your product is safe. Right now, there is a tool (Blackduck) that reports jackson-databind:2.6.7.4 to have 50+ CVEs, which is not true. I think that I don't have more information to give. Please use this as your will, if you have more doubts please let me know. Thanks On Friday, February 19, 2021 at 5:30:48 PM UTC [email protected] wrote: > On Fri, Feb 19, 2021 at 7:48 AM Mario Arzileiro <[email protected]> > wrote: > >> Hi, >> >> I was checking the information that we have available for >> jackson-databind:2.6.7.4 on NIST NVD and it is showing Vulnerabilities >> (CVEs) that are already fixed. >> >> Link for jackson-databind:2.6.7.4: >> https://nvd.nist.gov/products/cpe/detail/844569 >> Link for the vulnerabilities list "here >> <https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*> >> ". >> >> List of vulnerabilities fixed and the corresponding fixed version: >> >> CVE | Fixed version >> CVE-2018-11307 | 2.6.7.3 >> CVE-2019-16942 | 2.6.7.3 >> CVE-2020-9547 | 2.6.7.4 >> CVE-2019-20330 | 2.6.7.4 >> CVE-2020-8840 | 2.6.7.4 >> CVE-2020-9546 | 2.6.7.4 >> CVE-2020-9548 | 2.6.7.4 >> CVE-2019-16335 | 2.6.7.3 >> CVE-2017-15095 | 2.6.7.2 >> CVE-2019-14893 | 2.6.7.3 >> CVE-2019-17267 | 2.6.7.3 >> CVE-2019-14540 | 2.6.7.3 >> CVE-2020-11111 | 2.6.7.4 >> CVE-2020-11113 | 2.6.7.4 >> CVE-2020-10672 | 2.6.7.4 >> CVE-2020-10969 | 2.6.7.4 >> CVE-2020-10968 | 2.6.7.4 >> CVE-2020-10673 | 2.6.7.4 >> CVE-2020-11112 | 2.6.7.4 >> CVE-2020-14060 | 2.6.7.4 >> CVE-2020-11620 | 2.6.7.4 >> CVE-2020-24616 | 2.6.7.4 >> CVE-2020-14195 | 2.6.7.4 >> CVE-2020-11619 | 2.6.7.4 >> CVE-2020-24750 | 2.6.7.4 >> CVE-2020-14061 | 2.6.7.4 >> CVE-2020-14062 | 2.6.7.4 >> >> Please let me know if you are aware of it, and when are you expecting to >> have this fixed. >> >> > I am not quite sure what the question here is. > > What is not fixed, where? According to whom? Since most CVEs are against > jackson-databind, you can see issue tracker here: > > https://github.com/FasterXML/jackson-databind/issues/ > > and either search for "cve" (usually mentioned in the title), or label > "cve". > Release notes under > > > https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x > > contain updates too, although if you are interested in branch 2.6, you'll > have to check that branch (under 'release-notes/2.6). > Note, however, that branch 2.6 is not maintained and it is unlikely > anything would be fixed or released for that branch, beyond what has been > backported by community members (Amazon OSS folks have been helpful with > that). > > -+ Tatu +- > > >> Best regards, >> >> *The content of this email is confidential and intended for the recipient >> specified in message only. It is strictly prohibited to share any part of >> this message with any third party, without a written consent of the sender. >> If you received this message by mistake, please reply to this message and >> follow with its deletion, so that we can ensure such a mistake does not >> occur in the future.* >> >> -- >> You received this message because you are subscribed to the Google Groups >> "jackson-user" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jackson-user/2fb7c750-4f62-4154-a753-808e79c64a7an%40googlegroups.com >> >> <https://groups.google.com/d/msgid/jackson-user/2fb7c750-4f62-4154-a753-808e79c64a7an%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> > -- The content of this email is confidential and intended for the recipient specified in message only. It is strictly prohibited to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future. -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/8b7f72f1-f458-41ce-8602-14c5d6241a94n%40googlegroups.com.
