You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/10/18 15:19:39 UTC

[GitHub] [nifi] exceptionfactory opened a new pull request, #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013

exceptionfactory opened a new pull request, #6547:
URL: https://github.com/apache/nifi/pull/6547

   # Summary
   
   [NIFI-10662](https://issues.apache.org/jira/browse/NIFI-10662) Upgrades the Jackson Bill of Materials dependency from 2.13.4 to 2.13.4.20221013 in order to mitigate CVE-2022-42003. The upgrade moves Jackson dependencies to 2.13.4.2, which incorporates the resolution, also available in release candidate versions of Jackson 2.14.
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
   
   ### Pull Request Tracking
   
   - [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   - [X] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`
   
   ### Pull Request Formatting
   
   - [X] Pull Request based on current revision of the `main` branch
   - [X] Pull Request refers to a feature branch with one commit containing changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request creation.
   
   ### Build
   
   - [ ] Build completed using `mvn clean install -P contrib-check`
     - [ ] JDK 8
     - [ ] JDK 11
     - [ ] JDK 17
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog commented on pull request #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.

thenatog commented on PR #6547:
URL: https://github.com/apache/nifi/pull/6547#issuecomment-1282570037

   Will review


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog closed pull request #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.

thenatog closed pull request #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013
URL: https://github.com/apache/nifi/pull/6547


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog commented on pull request #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.

thenatog commented on PR #6547:
URL: https://github.com/apache/nifi/pull/6547#issuecomment-1282608890

   Ah, understood. I was able to verify that the respect jackson versions look correct to mitigate the CVE. +1 will merge.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog commented on pull request #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.

thenatog commented on PR #6547:
URL: https://github.com/apache/nifi/pull/6547#issuecomment-1282584429

   Do we know where this dependency actually gets used? I didn't see it mentioned when running mvn dependency:tree -Dincludes=com.fasterxml.jackson:jackson-bom. Wondering whether it's required or not.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on pull request #6547: NIFI-10662 Upgrade Jackson BOM from 2.13.4 to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.

exceptionfactory commented on PR #6547:
URL: https://github.com/apache/nifi/pull/6547#issuecomment-1282586892

   @thenatog The `jackson-bom` dependency manages the version for all Jackson 2 libraries, such as `jackson-core` and `jackson-databind`, which multiple components use. The Bill of Materials dependency sets the version, which avoids having to define the version when referencing particular libraries.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org