Hi All, You might have heard about deserialization vulnerabilities. If you use Jackson libraries and run a security scanner, you might have received quite a lot of alerts about deserialization vulnerabilities. Those finding are quite often false alerts because application often use Jackson in a safe way. But sometimes they don't, and deserialization attacks becomes a real threat. Now the real issues in applications can be detected with CodeQL. In case you don’t know, CodeQL is a code analysis engine. I recently updated the java/unsafe-deserialization query to cover Jackson as well
https://github.com/github/codeql/blob/3b676d432f4ccc02588147f8db21bae6d73136e9/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql The query checks the conditions for unsafe deserialization that Tatu described earlier https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 I also wrote a short blog post about the query https://blog.gypsyengineer.com/en/security/detecting-jackson-deserialization-vulnerabilities-with-codeql.html Artem -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/2e60fbb4-746b-42e1-8f68-c3f6de4067abn%40googlegroups.com.
