Dependencycheck: More Jackson CVE-2016-7051 false-positives

Created on 8 Jul 2017 · 3Comments · Source: jeremylong/DependencyCheck

(This is a follow-up of #751. Opened a new issue because that ticket has been closed and the fix released.)

Reports about CVE-2016-7051 should also be suppressed for the following maven GAVs:

All modules with groupId com.fasterxml.jackson.datatype.
All modules with groupId com.fasterxml.jackson.module.
All modules with groupId com.fasterxml.jackson.dataformat, except the one with artifactId jackson-dataformat-xml.
Module com.fasterxml.jackson.dataformat:jackson-dataformat-xml with versions 2.7.x and 2.8.y for x >= 8 and y >= 4.

FP Report bug

Source

Stephan202

Most helpful comment

Working on a patch to the suppression file.

jeremylong on 13 Jul 2017

👍2

All 3 comments

Also ignore all modules with groupId com.fasterxml.jackson.jaxrs please.

jowiho on 10 Jul 2017

Working on a patch to the suppression file.

jeremylong on 13 Jul 2017

👍2

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] on 28 Sep 2018

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Unsupported Dependency-Check schema version detected

tediroca · 3Comments

org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted

gwsu2008 · 3Comments

False Positive on spring-boot-starter-reactor-netty-2.1.8.RELEASE.jar and reactor-netty-0.8.11.RELEASE.jar

chadlwilson · 3Comments

Add support for npm-shrinkwrap.json files

dwvisser · 4Comments

Support generation of a cyclonedx bom

amandel · 3Comments