On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <[email protected]> wrote:
> Hello,
>
> Sorry if I wasn't clear, let me just enumerate some assumptions; if any of
> this is not true, please let me know and we can clarify if needed:
> * You know that NVD from NIST identifies the CVEs of public components;
> * You know that jackson-databind vulnerabilities are identified on NVD;
> * You know that vulnerability scan tools (such as Synopsys Blackduck or
> Snyk) rely on NVD as Source of Truth.
>
> When I first contacted you, the vulnerabilities identified by NVD were not
> completely correct. There were a lot of CVEs that you had already fixed in
> jackson-databind:2.6.7.4.
> I also contacted NIST about this issue and they have already updated their
> database. Now they only identify 4 CVEs; check this link
> <https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*>.
>
> I think that right now you just need to validate that the remaining CVEs
> are accurate, and if not, contact them too with further information.

I think that at this point if you want this information, you will go and do
that. I do not recall you paying my salary, or being a customer of any sort.

> Why is this important?
> Companies rely on vulnerability scan tools, and those tools rely on this
> NVD database. It's essential for your project that this information is up
> to date, in order to give the exact information for risk assessment
> analysis and, since the CVEs are wrongly reported, you want that info to be
> shared and show that your product is safe.
> Right now, there is a tool (Blackduck) that reports
> jackson-databind:2.6.7.4 to have 50+ CVEs, which is not true.
>
> I think that I don't have more information to give. Please use this as
> you will; if you have more doubts please let me know.

You are free to do whatever work you want, but it seems extremely arrogant
to come here to demand I (or anyone else) do things you need.
This is not far removed from "I got this homework for my CS class, can you
please write a solution for me", as I see it. I work with community members
on things reported, but this only works when everyone collaborates and
contributes something. You are just posting a big laundry list of stuff
that you are worried about, asking for someone else to do something; for
others to spend their time. In fact I hate having spent time even
responding, at this point.

-+ Tatu +-

> Thanks
>
> On Friday, February 19, 2021 at 5:30:48 PM UTC [email protected] wrote:
>
>> On Fri, Feb 19, 2021 at 7:48 AM Mario Arzileiro <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I was checking the information that we have available for
>>> jackson-databind:2.6.7.4 on NIST NVD and it is showing vulnerabilities
>>> (CVEs) that are already fixed.
>>>
>>> Link for jackson-databind:2.6.7.4:
>>> https://nvd.nist.gov/products/cpe/detail/844569
>>> Link for the vulnerabilities list "here
>>> <https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*>".
>>>
>>> List of vulnerabilities fixed and the corresponding fixed version:
>>>
>>> CVE            | Fixed version
>>> CVE-2018-11307 | 2.6.7.3
>>> CVE-2019-16942 | 2.6.7.3
>>> CVE-2020-9547  | 2.6.7.4
>>> CVE-2019-20330 | 2.6.7.4
>>> CVE-2020-8840  | 2.6.7.4
>>> CVE-2020-9546  | 2.6.7.4
>>> CVE-2020-9548  | 2.6.7.4
>>> CVE-2019-16335 | 2.6.7.3
>>> CVE-2017-15095 | 2.6.7.2
>>> CVE-2019-14893 | 2.6.7.3
>>> CVE-2019-17267 | 2.6.7.3
>>> CVE-2019-14540 | 2.6.7.3
>>> CVE-2020-11111 | 2.6.7.4
>>> CVE-2020-11113 | 2.6.7.4
>>> CVE-2020-10672 | 2.6.7.4
>>> CVE-2020-10969 | 2.6.7.4
>>> CVE-2020-10968 | 2.6.7.4
>>> CVE-2020-10673 | 2.6.7.4
>>> CVE-2020-11112 | 2.6.7.4
>>> CVE-2020-14060 | 2.6.7.4
>>> CVE-2020-11620 | 2.6.7.4
>>> CVE-2020-24616 | 2.6.7.4
>>> CVE-2020-14195 | 2.6.7.4
>>> CVE-2020-11619 | 2.6.7.4
>>> CVE-2020-24750 | 2.6.7.4
>>> CVE-2020-14061 | 2.6.7.4
>>> CVE-2020-14062 | 2.6.7.4
>>>
>>> Please let me know if you are aware of it, and when you are expecting to
>>> have this fixed.
>>>
>>
>> I am not quite sure what the question here is.
>>
>> What is not fixed, where? According to whom? Since most CVEs are against
>> jackson-databind, you can see the issue tracker here:
>>
>> https://github.com/FasterXML/jackson-databind/issues/
>>
>> and either search for "cve" (usually mentioned in the title), or label
>> "cve".
>> Release notes under
>>
>> https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
>>
>> contain updates too, although if you are interested in branch 2.6, you'll
>> have to check that branch (under 'release-notes/2.6').
>> Note, however, that branch 2.6 is not maintained and it is unlikely
>> anything would be fixed or released for that branch, beyond what has been
>> backported by community members (Amazon OSS folks have been helpful with
>> that).
>>
>> -+ Tatu +-
>>
>>
>>> Best regards,
>>>
>>> *The content of this email is confidential and intended for the
>>> recipient specified in message only. It is strictly prohibited to share
>>> any part of this message with any third party, without a written consent
>>> of the sender. If you received this message by mistake, please reply to
>>> this message and follow with its deletion, so that we can ensure such a
>>> mistake does not occur in the future.*
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "jackson-user" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/jackson-user/2fb7c750-4f62-4154-a753-808e79c64a7an%40googlegroups.com

--
You received this message because you are subscribed to the Google Groups "jackson-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/CAGrxA24QNtEowu-UCw4AOkk-6biJQxacA91EU-Eri5SdNKUCeQ%40mail.gmail.com.
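The thread turns on two things a practitioner has to do by hand: build the CPE 2.3 name that NVD is queried with, and reconcile what a scanner reports for jackson-databind:2.6.7.4 against the CVE -> fixed-version table in the original post. The script below is an added example, not code from the thread, from Tatu, or from the Jackson project. FIXED_IN is copied from the table in the thread; SCANNER_REPORT is constructed for illustration and contains one placeholder ID (CVE-2099-0001) that is deliberately not a real CVE. The cpe23 helper's escaping rule (backslash-quote anything outside [A-Za-z0-9._-]) is a minimal assumption good enough for the names used here, not a full CPE 2.3 implementation. Versions are compared numerically per component, which is what matters for a 2.6.7.x line: a string comparison would rank 2.6.7.10 below 2.6.7.4.

```python
"""Reconcile a scanner's CVE list for jackson-databind 2.6.7.x against the
CVE -> fixed-version table posted in the thread, and build the NVD CPE query.

Added example; not code from the thread or from the Jackson project.
Assumption: a CVE listed as fixed in 2.6.7.N is fixed in every 2.6.7.x with
x >= N; the table says nothing about other release lines, so those are
reported as "unknown" rather than cleared.
"""
from urllib.parse import quote

# CVE -> first 2.6.7.x release containing the fix (copied from the thread).
FIXED_IN = {
    "CVE-2017-15095": "2.6.7.2",
    "CVE-2018-11307": "2.6.7.3", "CVE-2019-14540": "2.6.7.3",
    "CVE-2019-14893": "2.6.7.3", "CVE-2019-16335": "2.6.7.3",
    "CVE-2019-16942": "2.6.7.3", "CVE-2019-17267": "2.6.7.3",
    "CVE-2019-20330": "2.6.7.4", "CVE-2020-8840": "2.6.7.4",
    "CVE-2020-9546": "2.6.7.4", "CVE-2020-9547": "2.6.7.4",
    "CVE-2020-9548": "2.6.7.4", "CVE-2020-10672": "2.6.7.4",
    "CVE-2020-10673": "2.6.7.4", "CVE-2020-10968": "2.6.7.4",
    "CVE-2020-10969": "2.6.7.4", "CVE-2020-11111": "2.6.7.4",
    "CVE-2020-11112": "2.6.7.4", "CVE-2020-11113": "2.6.7.4",
    "CVE-2020-11619": "2.6.7.4", "CVE-2020-11620": "2.6.7.4",
    "CVE-2020-14060": "2.6.7.4", "CVE-2020-14061": "2.6.7.4",
    "CVE-2020-14062": "2.6.7.4", "CVE-2020-14195": "2.6.7.4",
    "CVE-2020-24616": "2.6.7.4", "CVE-2020-24750": "2.6.7.4",
}

# Constructed scanner output for 2.6.7.4: two IDs from the table, one of them
# duplicated, and a placeholder ID (not a real CVE) that the table cannot clear.
SCANNER_REPORT = ["CVE-2020-24750", "CVE-2019-14540", "CVE-2020-24750",
                  "CVE-2099-0001"]


def parse_version(v):
    """'2.6.7.4' -> (2, 6, 7, 4). Tuples of ints compare numerically, so
    2.6.7.10 > 2.6.7.4; comparing the strings would get that wrong."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a numeric dotted version: %r" % v)
    return tuple(int(p) for p in parts)


def status(cve, version):
    """Return 'fixed', 'affected' or 'unknown' for one CVE in one version."""
    fixed_in = FIXED_IN.get(cve)
    if fixed_in is None:
        return "unknown"        # not in the table: the table cannot clear it
    fixed, have = parse_version(fixed_in), parse_version(version)
    if have[:3] != fixed[:3]:
        return "unknown"        # the table only describes the 2.6.7.x line
    return "fixed" if have >= fixed else "affected"


def reconcile(report, version):
    """Sort a scanner's CVE list for `version` into false positives (the fix
    is present per the table), still-affected, and unknown (needs a lookup)."""
    buckets = {"false_positive": [], "affected": [], "unknown": []}
    for cve in sorted(set(report)):            # de-duplicate noisy reports
        s = status(cve, version)
        buckets["false_positive" if s == "fixed" else s].append(cve)
    return buckets


def cpe23(vendor, product, version):
    """CPE 2.3 formatted-string name for an application, as NVD searches on it.
    Escaping rule is an assumption: backslash-quote anything outside
    [A-Za-z0-9._-] in a component; the seven trailing fields are wildcards."""
    def esc(s):
        return "".join(c if (c.isascii() and c.isalnum()) or c in "._-"
                       else "\\" + c for c in s)
    return "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (
        esc(vendor), esc(product), esc(version))


def nvd_search_url(cpe):
    """NVD advanced-search URL for a CPE name: ':' becomes %3A, '*' is kept."""
    return ("https://nvd.nist.gov/vuln/search/results?adv_search=true&query="
            + quote(cpe, safe="*"))


if __name__ == "__main__":
    print(nvd_search_url(cpe23("fasterxml", "jackson-databind", "2.6.7.4")))
    for bucket, cves in reconcile(SCANNER_REPORT, "2.6.7.4").items():
        print(bucket, cves)
```

Run as-is, the URL it prints is the same one both messages in the thread link to, and the two real IDs in the constructed report land in false_positive for 2.6.7.4 while the placeholder lands in unknown. Re-running reconcile with "2.6.7.3" moves CVE-2020-24750 to affected, which is the fixed-version boundary a scanner has to honour rather than flagging every CVE ever filed against the product.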
