Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2019/07/11 03:44:17 UTC

[GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814

URL: https://github.com/apache/zookeeper/pull/1013
 
 
   The JIRA is resolved by updating jackson to version 2.9.9.1.
   
   However in so doing I found that it was impossible to run the
   dependency check as the CVE lists would always fail to download,
   regardless of ant or maven. In researching the issue 5.1.0 of the
   dependency checker is now available. That fixes this issue (d/l).
   
   However in so doing a couple new problems arise:
   
   The ant dependency check now fails with a circular dependency issue in
   one of the transient libraries
   (org.sonatype.ossindex#ossindex-service-client;1.2.0). I was unable to
   work around this issue. As such the ant dependency checker is not able
   to update to the new version. I believe we should just stop using it
   in favor of the maven one as this seems to be Ivy related, as mvn
   works just fine with the same change.
   
   Another problem that arises with the dependency checker version
   upgrade is that two new issues are identified:
   
   https://www.cvedetails.com/cve/CVE-2008-7220/
   which is resolved with the updated prototype.js
   
   https://www.cvedetails.com/cve/CVE-2008-7220/
   which seems like a false positive. Please check my work on this.
   
   After these changes the mvn owasp check passes. The code compiles. I
   tested the generated documentation and it seems unaffected by the
   prototype.js change, although I could have missed this.
   
   Change-Id: I12c9b3111641b066417fc85b155877af5edf9929

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
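Added example, not part of the PR or of the ZooKeeper build: the shape of a Maven dependency-check setup that matches what the message describes, i.e. jackson-databind pinned to 2.9.9.1, the dependency-check-maven plugin pinned to 5.1.0 (the version that fixed the CVE feed download), and a suppression file used to record a reviewed false positive. The plugin coordinates, the `suppressionFiles` / `failBuildOnCVSS` parameters and the suppression XML elements are real dependency-check features; the suppression entry itself (its file path pattern, its CVE id and the note) is a hypothetical placeholder, since the PR text does not state which finding was suppressed or how.

```xml
<!-- pom.xml fragment (added example; coordinates of the real artifacts
     named in the PR, everything else illustrative) -->
<project>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <!-- upgraded from 2.9.9 to address CVE-2019-12814 -->
      <version>2.9.9.1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- 5.1.0: the version whose NVD feed download works again -->
        <version>5.1.0</version>
        <configuration>
          <!-- reviewed false positives live in a versioned file -->
          <suppressionFiles>
            <suppressionFile>owaspSuppressions.xml</suppressionFile>
          </suppressionFiles>
          <!-- fail the build on anything at or above CVSS 7 -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

<!-- owaspSuppressions.xml (hypothetical entry; the CVE id and path pattern
     are placeholders, not the finding from the PR) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
  <suppress>
    <notes>
      Reviewed on YYYY-MM-DD: the flagged CVE applies to a different product
      that shares the artifact name. Link the ticket that records the review.
    </notes>
    <!-- match the artifact by path so unrelated jars are not silenced -->
    <filePath regex="true">.*\bexample-library-.*\.jar</filePath>
    <!-- suppress one specific CVE, never the whole artifact -->
    <cve>CVE-XXXX-NNNNN</cve>
  </suppress>
</suppressions>
```

Two practices worth keeping from the message: pin the scanner version so every developer and CI job downloads the same NVD data and produces the same findings, and scope each suppression to a single CVE on a specific artifact with a written justification, so a future bump of the artifact (as with jackson-databind here) is re-evaluated rather than silently hidden by a broad suppression.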