It’s not clear to me why you think this has something to do with the felix maven bundle plugin. Perhaps you could clarify your reasoning?
Since the name of the jar includes ’shaded’ I expect the jar is constructed with the aid of the maven shade plugin, and I wonder if you have investigated how this plugin works. Although I have never used it, my understanding is that, roughly speaking, it takes compiled classes and modifies them to be in a different package yet still work together. Since the jackson-databind pom is in the shaded jar, it’s certainly possible that the jackson-databind classes have been transformed in this way and are in fact present in the jar, but in an unexpected package. Possibly there is a pom in the jar with configuration for the shade plugin that would explain how the jar is built and what is in it. Of course the shade plugin may be used in an entirely different way here.

David Jencks

> On Nov 5, 2024, at 12:58 PM, Greg Hall <greg.h...@appliedsystems.com> wrote:
>
> Hello.
>
> My team uses Pentaho, an off the shelf, a box and arrow diagrammy flowcharty tool. It has steps for stuff like reading CSV, use an SQL query to insert, etc.
>
> Recently, our company decided to use Orca for vuln scans. Orca has been driving me bat-shit crazy with reports of vuln jars in dirs that don’t have the vuln jar in question.
>
> I got access to the actual Orca scan results, and discovered the following pattern that occurs in a few places in the product:
>
> It complains about com.fasterxml.jackson.core:jackson-databind 2.4.0, which is a legit vuln.
> The path on disk is plugins/pentaho-big-data-plugin/hadoop-configurations/cdh61/lib/pmr/hbase-protocol-shaded-2.1.0-cdh6.1.0.jar
> The file hbase-protocol-shaded-2.1.0-cdh6.1.0.jar is obviously not jackson-databind. It does not even contain jackson-databind compiled classes.
>
> What it does contain is the following files:
> META-INF/maven/com.fasterxml.jackson.core/jackson-databind/
> META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
> META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> Some of those files contain textual references to jackson databind 2.4.0.
>
> The only copy of Jackson databind is in the lib dir.
>
> Since I only know vaguely that OSGi is being used here, and have never heard of this Apache Felix Bundle plugin before, I am not clear on how to address the vuln.
>
> Can I just modify these text files and say the version is 2.4.0, given that is what is actually now in the lib dir?
>
> Greg Hall (He/Him) | Sr Developer 1
> Applied Systems Canada
> www.appliedsystems.ca | emailaddr...@appliedsystems.com
> M: 902-329-0649
> 24/7 Customer Support: 800.617.4666 | supp...@appliedsystems.com
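The check David suggests, as an added example that is not part of this thread: read the Maven coordinates a scanner picks up from `META-INF/maven/*/*/pom.properties`, pull any maven-shade-plugin `<relocation>` entries from embedded `pom.xml` files, and then look for the flagged package's `.class` files at the original path, at the relocated path, or nowhere (metadata only). The jar it inspects is constructed inline to mimic the layout Greg describes; the `org.example` coordinates and the sample relocation are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def declared_artifacts(zf):
    """Coordinates a scanner reads from META-INF/maven/<group>/<artifact>/pom.properties."""
    found = {}
    for name in [n for n in zf.namelist() if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]:
        props = dict(l.split("=", 1) for l in zf.read(name).decode().splitlines() if "=" in l and not l.startswith("#"))
        found[props["groupId"] + ":" + props["artifactId"]] = props["version"]
    return found

def shade_relocations(zf):
    """(pattern, shadedPattern) pairs from maven-shade-plugin config in any embedded pom.xml."""
    pairs = []
    for name in [n for n in zf.namelist() if n.startswith("META-INF/maven/") and n.endswith("/pom.xml")]:
        for el in ET.fromstring(zf.read(name)).iter():
            kv = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}  # strip the POM namespace
            if el.tag.endswith("relocation") and "pattern" in kv and "shadedPattern" in kv:
                pairs.append((kv["pattern"], kv["shadedPattern"]))
    return pairs

def locate_classes(zf, package, relocations):
    """'original' at the normal path, 'relocated' under a shaded prefix, 'absent' if the jar holds metadata only."""
    classes = [n for n in zf.namelist() if n.endswith(".class")]
    path = package.replace(".", "/") + "/"
    moved = [(s + package[len(p):]).replace(".", "/") + "/" for p, s in relocations if package == p or package.startswith(p + ".")]
    if any(c.startswith(path) for c in classes):
        return "original"
    if any(c.startswith(m) for m in moved for c in classes) or any("/" + path in c for c in classes):  # declared, or undeclared with package kept as suffix
        return "relocated"
    return "absent"

def audit(jar_bytes, packages):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        rel = shade_relocations(zf)
        return {"declared": declared_artifacts(zf), "classes": {p: locate_classes(zf, p, rel) for p in packages}}

def sample_jar():
    """Constructed jar in the layout the thread describes: jackson-databind pom.properties, but no jackson classes."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><relocations><relocation>'
           '<pattern>com.google.protobuf</pattern><shadedPattern>org.example.hidden.protobuf</shadedPattern>'
           '</relocation></relocations></project>')  # hypothetical relocation, trimmed to the part that matters
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.4.0\n")
        zf.writestr("META-INF/maven/org.example/sample-shaded/pom.xml", pom)  # hypothetical coordinates
        zf.writestr("org/example/hidden/protobuf/Message.class", b"\xca\xfe\xba\xbe")  # stub class file
    return buf.getvalue()
```

Run `audit(sample_jar(), ["com.fasterxml.jackson.databind", "com.google.protobuf"])` to see the scanner's view (jackson-databind 2.4.0 declared) beside the evidence (no jackson classes anywhere, protobuf classes only under the relocated prefix).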