Update vulnerable libraries #1756
…ulnerabilities' into dev/dterry/update-vulnerabilities
…erabilities-SNAPSHOT
| javaSourceCompatibility = 8 | ||
| } | ||
| ext['logback.version'] = '1.2.13' | ||
| ext['json-path.version'] = '2.9.0' |
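Review bot: the `ext['json-path.version'] = '2.9.0'` override on the last line of this hunk pins json-path only, not the json-smart it pulls in transitively, so the resolved json-smart version should be confirmed in the dependency report before merging; the review comment below reports that 2.9.0 resolves json-smart 2.5.0 (flagged as exploitable) and that json-path 2.10.0 resolves the safer json-smart 2.6.0, so suggest `ext['json-path.version'] = '2.10.0'` unless it introduces a breaking change.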
json-path:2.9.0 possibly brings json-smart:2.5.0 which is an exploitable dependency as per the pop scan in detect-scripts as well as the detect-docker alpine image. This has been seen in upstream libraries.
So, we patched the upstream integration-common from json-path:2.9.0 to json-path:2.10.0 which is now bringing the safer json-smart:2.6.0.
But, as we are pinning this here, it might bring the json-smart:2.5.0 again which is exploitable.
Could you consider pinning json-path to 2.10.0 if that doesn't have any breaking changes?
json-path:2.10.0 changelog for reference: https://github.com/json-path/JsonPath/releases/tag/json-path-2.10.0
Thank you for the comment and details. Updated to pin to the version you suggested. Confirmed that json-path 2.10 and json-smart 2.6 now come in.
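The confirmation in the reply above (that the new pin resolves json-path 2.10 and json-smart 2.6) is the kind of check that is easy to automate against the output of `gradle dependencies`. The following is an added example, not code from this PR or from the Detect project: it parses the dependency-report lines Gradle prints (`group:name:requested -> selected` when conflict resolution changed the version) and reports any artifact resolved below a required minimum. The two report excerpts are constructed for the example; the minimum versions (json-path 2.10.0, json-smart 2.6.0) are the ones named in the review thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of `gradle dependencies --configuration runtimeClasspath`
# after the pin was raised to json-path 2.10.0 (the "fixed" state).
TREE_AFTER_PIN_2_10 = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.jayway.jsonpath:json-path:2.9.0 -> 2.10.0
|    +--- net.minidev:json-smart:2.5.0 -> 2.6.0
|    \--- org.slf4j:slf4j-api:2.0.11
+--- ch.qos.logback:logback-classic:1.2.13
|    \--- ch.qos.logback:logback-core:1.2.13
\--- com.fasterxml.jackson.core:jackson-databind:2.17.0 (*)
"""

# Constructed excerpt of the same report with json-path pinned at 2.9.0:
# the pin downgrades json-path, which drags json-smart back to 2.5.0.
TREE_WITH_PIN_2_9 = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.jayway.jsonpath:json-path:2.10.0 -> 2.9.0
|    +--- net.minidev:json-smart:2.6.0 -> 2.5.0
|    \--- org.slf4j:slf4j-api:2.0.11
\--- com.fasterxml.jackson.core:jackson-databind:2.17.0 (*)
"""

# Minimum acceptable versions, taken from the review discussion.
MINIMUMS: Dict[str, str] = {
    "com.jayway.jsonpath:json-path": "2.10.0",
    "net.minidev:json-smart": "2.6.0",
}

# group:name:requested, optionally followed by "-> selected" when Gradle resolved a conflict.
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):([\w.-]+)(?:\s+->\s+([\w.-]+))?")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering: '2.10.0' -> (2, 10, 0). Qualifiers such as
    '-SNAPSHOT' are ignored; this is a minimum check, not full Maven ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolved_versions(tree: str) -> Dict[str, str]:
    """Map 'group:name' to the version Gradle actually selected.
    The right-hand side of '->' wins over the requested version on the left."""
    resolved: Dict[str, str] = {}
    for line in tree.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue  # header, blank or tree-art-only lines
        group, name, requested, selected = match.groups()
        resolved[f"{group}:{name}"] = selected or requested
    return resolved


def violations(tree: str, minimums: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (coordinate, resolved_or_None, minimum) for every artifact that is
    missing from the report or resolved below its required minimum."""
    resolved = resolved_versions(tree)
    out: List[Tuple[str, Optional[str], str]] = []
    for coordinate, minimum in minimums.items():
        actual = resolved.get(coordinate)
        if actual is None or parse_version(actual) < parse_version(minimum):
            out.append((coordinate, actual, minimum))
    return out


if __name__ == "__main__":
    for label, tree in (("pin 2.9.0", TREE_WITH_PIN_2_9), ("pin 2.10.0", TREE_AFTER_PIN_2_10)):
        bad = violations(tree, MINIMUMS)
        status = "OK" if not bad else "BELOW MINIMUM: " + ", ".join(f"{c}={v} (<{m})" for c, v, m in bad)
        print(f"{label}: {status}")
```

Run it against the real report by replacing the constructed excerpts with the captured `gradle dependencies` output; a non-empty result from `violations` is the signal that a pin on one library has quietly downgraded a transitive dependency, which is exactly the json-smart case raised in the review.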
…0-update-vuln-libraries-SNAPSHOT
…5080-update-vuln-libraries' into dev/dterry/IDETECT-5080-update-vuln-libraries
…0-update-vuln-libraries-SNAPSHOT
This locks json-path to a version without vulnerabilities when used by other things like Spring.
It also moves to newer jackson and blackduck-common library versions that have fixes we should bring into Detect.