Spring-security-oauth: Remove org.codehaus.jackson:jackson-mapper-asl from dependency

Created on 2 Oct 2017 · 3 Comments · Source: spring-projects/spring-security-oauth

The very old dependency in https://github.com/spring-projects/spring-security-oauth/blob/2.0.14.RELEASE/spring-security-oauth2/pom.xml leads to a security warning in OWASP Dependency Check. It seems like the dependency isn't needed at all. Is it safe to exclude it as a workaround?

duplicate
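The workaround the reporter asks about, as an added example (not from the issue or the project): a consuming project excludes the transitive `org.codehaus.jackson:jackson-mapper-asl` artifact in its own pom.xml. The `groupId`/`artifactId` are the published Maven coordinates of spring-security-oauth2; the version is the one linked in the issue.

```xml
<!-- Added example, not part of the issue or of spring-security-oauth.
     Declares spring-security-oauth2 and excludes the legacy Jackson 1.x
     mapper that OWASP Dependency Check flags, so it never reaches the
     classpath of the consuming application. -->
<dependency>
  <groupId>org.springframework.security.oauth</groupId>
  <artifactId>spring-security-oauth2</artifactId>
  <version>2.0.14.RELEASE</version>
  <exclusions>
    <!-- org.codehaus.jackson (Jackson 1.x) is unmaintained; the
         project uses com.fasterxml.jackson for JSON handling -->
    <exclusion>
      <groupId>org.codehaus.jackson</groupId>
      <artifactId>jackson-mapper-asl</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

After the change, `mvn dependency:tree` should no longer list `org.codehaus.jackson`, and the application's own tests must still pass, since the claim that the artifact is unused is an observation to verify rather than a guarantee.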

All 3 comments

I'd like to see this bumped up to urgent.

The increasing popularity of container and application scanners has resulted in this (and other Jackson issues before 2.10) being identified as "Critical" or "High".

From a compliance perspective, it is not acceptable to simply pass this off as a "third party" issue and documenting that it appears to be unused is unnecessarily tedious.

If jackson-mapper-asl is not needed, why not remove it? If it is, why not use the most recent version from fasterxml?

It is hard to explain to the compliance team why a vulnerability identified in 2017 has still not been fixed!

This issue seems to be a duplicate of #996.

Thank you @pvorb. Closing this in favour of #996
