Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2019/07/11 03:44:17 UTC
[GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814
URL: https://github.com/apache/zookeeper/pull/1013
The JIRA is resolved by updating jackson to version 2.9.9.1.
However in so doing I found that it was impossible to run the
dependency check as the CVE lists would always fail to download,
regardless of ant or maven. In researching the issue, 5.1.0 of the
dependency checker is now available. That fixes this issue (d/l).
However in so doing a couple new problems arise:
The ant dependency check now fails with a circular dependency issue in
one of the transient libraries
(org.sonatype.ossindex#ossindex-service-client;1.2.0). I was unable to
work around this issue. As such the ant dependency checker is not able
to update to the new version. I believe we should just stop using it
in favor of the maven one as this seems to be Ivy related, as mvn
works just fine with the same change.
Another problem that arises with the dependency checker version
upgrade is that two new issues are identified:
https://www.cvedetails.com/cve/CVE-2008-7220/
which is resolved with the updated prototype.js
https://www.cvedetails.com/cve/CVE-2008-7220/
which seems like a false positive. Please check my work on this.
After these changes the mvn owasp check passes. The code compiles. I
tested the generated documentation and it seems unaffected by the
prototype.js change, although I could have missed this.
Change-Id: I12c9b3111641b066417fc85b155877af5edf9929
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
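The PR description above walks through a dependency-check triage: a real finding fixed by an upgrade (jackson-databind 2.9.9 to 2.9.9.1), a second fixed by updating prototype.js, and one the author believes is a false positive. The script below, added here as an example and not code from the ZooKeeper project or from OWASP dependency-check, shows how a reviewer-maintained allowlist can be applied to the scanner's JSON report so that only unreviewed findings block the build, while suppressions that no longer match anything are reported as stale. It assumes the report shape `{"dependencies": [{"fileName": ..., "vulnerabilities": [{"name": "CVE-..."}]}]}`; both sample reports and the `example-shaded-1.0.jar` suppression entry are constructed for this example.

```python
"""Triage an OWASP dependency-check JSON report against a reviewed allowlist.

Added example; not part of the ZooKeeper PR or of dependency-check itself.
Assumes the JSON report shape
  {"dependencies": [{"fileName": "...", "vulnerabilities": [{"name": "CVE-..."}]}]}
The reports and the suppression list below are constructed for this example.
"""
import json

# Constructed report "before" the PR: the two findings named in the PR plus a
# hypothetical false positive on a shaded jar (the third case the PR describes).
REPORT_BEFORE = json.dumps({
    "dependencies": [
        {"fileName": "jackson-databind-2.9.9.jar",
         "vulnerabilities": [{"name": "CVE-2019-12814", "severity": "MEDIUM"}]},
        {"fileName": "prototype.js",
         "vulnerabilities": [{"name": "CVE-2008-7220", "severity": "HIGH"}]},
        {"fileName": "example-shaded-1.0.jar",   # constructed artifact
         "vulnerabilities": [{"name": "CVE-2008-7220", "severity": "HIGH"}]},
        {"fileName": "slf4j-api-1.7.25.jar"},    # clean: no "vulnerabilities" key
    ]
})

# Constructed report "after" the upgrades: nothing is flagged any more, and the
# shaded jar has been dropped from the build entirely.
REPORT_AFTER = json.dumps({
    "dependencies": [
        {"fileName": "jackson-databind-2.9.9.1.jar", "vulnerabilities": []},
        {"fileName": "prototype.js", "vulnerabilities": []},
        {"fileName": "slf4j-api-1.7.25.jar"},
    ]
})

# Hypothetical allowlist kept in the repository. Every entry must name the exact
# artifact and CVE and carry a written reason, so suppressions are reviewable.
SUPPRESSIONS = {
    ("example-shaded-1.0.jar", "CVE-2008-7220"):
        "constructed example: CPE match on a shaded jar that bundles no prototype.js",
}


def findings(report_json):
    """Return the set of (artifact, cve) pairs the scanner flagged."""
    report = json.loads(report_json)
    flagged = set()
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            flagged.add((dep["fileName"], vuln["name"]))
    return flagged


def triage(report_json, suppressions):
    """Split findings into blocking, suppressed and stale.

    blocking:   flagged and not on the allowlist -> must be fixed or reviewed
    suppressed: flagged but covered by an allowlist entry with a reason
    stale:      allowlist entries that match nothing any more -> delete them,
                otherwise they silently mask a future real finding
    """
    for key, reason in suppressions.items():
        if not reason or not reason.strip():
            raise ValueError("suppression without a reason: %r" % (key,))
    flagged = findings(report_json)
    suppressed = {f for f in flagged if f in suppressions}
    blocking = flagged - suppressed
    stale = set(suppressions) - flagged
    return {
        "blocking": sorted(blocking),
        "suppressed": sorted(suppressed),
        "stale": sorted(stale),
    }


def build_passes(report_json, suppressions):
    """The check passes only when no unreviewed finding remains."""
    return not triage(report_json, suppressions)["blocking"]


if __name__ == "__main__":
    for label, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        result = triage(report, SUPPRESSIONS)
        print(label, "passes" if build_passes(report, SUPPRESSIONS) else "FAILS")
        for bucket in ("blocking", "suppressed", "stale"):
            for artifact, cve in result[bucket]:
                print("  %-10s %s %s" % (bucket, artifact, cve))
```

Keying the allowlist on the exact artifact file name rather than on the CVE alone matters: the same CVE can be a false positive on one jar and a true finding on another, as the two CVE-2008-7220 rows in the constructed report illustrate. Reporting stale entries after an upgrade is the cheap way to keep the allowlist from accumulating.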