Bump jackson-databind to 2.13.2.2 via switching to BOM
Individual Jackson libraries are not necessarily all released at the same time. The BOM is the right way to ensure all of them are kept on the latest versions; in this case, to pick up a CVE fix in databind. See FasterXML/jackson-databind#3428 for more detail
chadlwilson committed Mar 30, 2022
1 parent 5b6c9d6 commit 80d297b
Showing 6 changed files with 17 additions and 16 deletions.
6 changes: 3 additions & 3 deletions agent/build.gradle
Expand Up @@ -163,9 +163,9 @@ task verifyJar(type: VerifyJarTask) {
"httpmime-${project.versions.apacheHttpComponents}.jar",
"istack-commons-runtime-3.0.7.jar",
"j2objc-annotations-1.3.jar",
"jackson-annotations-${project.versions.jackson}.jar",
"jackson-core-${project.versions.jackson}.jar",
"jackson-databind-${project.versions.jackson}.jar",
"jackson-annotations-2.13.2.jar",
"jackson-core-2.13.2.jar",
"jackson-databind-2.13.2.2.jar",
"javax.activation-api-1.2.0.jar",
"javax.annotation-api-${project.versions.javaxAnnotation}.jar",
"javax.inject-1.jar",
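Review bot: The expected jar names such as `"jackson-databind-2.13.2.2.jar"` are now literals that no longer follow dependencies.gradle, so every future jackson-bom bump needs a matching manual edit here and in the identical verifyWar list in server/build.gradle, which Dependabot will not make. That is acceptable, because the task fails loudly when the packaged jar differs and is exactly the check that proves the patched databind is what ships, but the coupling should be stated next to the literals: `// Jackson versions come from jackson-bom (dependencies.gradle); update these names together with the BOM bump.` Note that core/annotations (2.13.2) and databind (2.13.2.2) intentionally differ, so a single shared version variable would not have expressed this. The verifyJar task body starts and ends outside the hunk.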
4 changes: 4 additions & 0 deletions base/build.gradle
Expand Up @@ -20,6 +20,10 @@ dependencies {
providedAtPackageTime project.deps.bouncyCastle
providedAtPackageTime project.deps.bouncyCastlePkix

// Use BOMs to control versions of dependencies for other projects, all of which consume 'base'.
// This is following https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import
api enforcedPlatform(project.deps.jacksonBom)

api(project.deps.apacheAnt) {
transitive = false
}
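Review bot: `api enforcedPlatform(project.deps.jacksonBom)` pins every Jackson artifact on all consumers of `base` to the BOM's versions, overriding even a higher version that a transitive dependency asks for; that is the intent for getting the patched databind everywhere, but it also means a later Jackson fix arriving transitively is silently held back until the BOM itself is bumped. The comment above it should say so, e.g. `// enforcedPlatform (not platform): the BOM wins over any transitively requested Jackson version, so Jackson security bumps must go through the BOM.` The `dependencies {}` block continues outside the hunk.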
4 changes: 0 additions & 4 deletions build.gradle
Expand Up @@ -634,15 +634,11 @@ subprojects {
configurations.all { configuration ->

def versionOverrides = [
"com.fasterxml.jackson.core:jackson-annotations": project.versions.jackson,
"com.fasterxml.jackson.core:jackson-core" : project.versions.jackson,
"com.fasterxml.jackson.core:jackson-databind" : project.versions.jackson,
"commons-beanutils:commons-beanutils" : project.versions.commonsBeanutils,
"org.apache.commons:commons-pool2" : project.versions.commonsPool,
"org.objenesis:objenesis" : project.versions.objenesis,
]


configuration.resolutionStrategy.eachDependency { DependencyResolveDetails details ->
def overrideVersion = versionOverrides[details.requested.group + ":" + details.requested.name]

10 changes: 5 additions & 5 deletions dependencies.gradle
Expand Up @@ -61,7 +61,7 @@ final Map<String, String> libraries = [
hamcrest : 'org.hamcrest:hamcrest-core:2.2',
hibernate : 'org.hibernate:hibernate-ehcache:3.6.10.Final',
httpClientMock : 'com.github.paweladamski:HttpClientMock:1.10.0',
jackson : 'com.fasterxml.jackson.core:jackson-core:2.13.2',
jacksonBom : 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328',
javaAssist : 'javassist:javassist:3.12.1.GA',
javaxAnnotation : 'javax.annotation:javax.annotation-api:1.3.2',
jaxb : 'javax.xml.bind:jaxb-api:2.3.1',
Expand Down Expand Up @@ -142,7 +142,6 @@ final Map<String, String> v = [
h2 : versionOf(libraries.h2),
hamcrest : versionOf(libraries.hamcrest),
hibernate : versionOf(libraries.hibernate),
jackson : versionOf(libraries.jackson),
javaAssist : versionOf(libraries.javaAssist),
javaxAnnotation : versionOf(libraries.javaxAnnotation),
jaxb : versionOf(libraries.jaxb),
Expand Down Expand Up @@ -189,14 +188,15 @@ final Map<String, String> v = [
]

// While Dependabot won't be able to parse these deps, these will get upgraded for free anyway since they share versions
// with dependencies declared above that are parseable by Dependabot. This is just a workaround to be DRY while still
// benefiting from Dependabot's automatic PR upgrades.
// with dependencies declared above that are parseable by Dependabot, or are managed by platforms.
// This is just a workaround to be DRY while still benefiting from Dependabot's automatic PR upgrades.
final Map<String, String> related = [
apacheHttpMime : "org.apache.httpcomponents:httpmime:${v.apacheHttpComponents}",
aspectjWeaver : "org.aspectj:aspectjweaver:${v.aspectj}",
bouncyCastlePkix : "org.bouncycastle:bcpkix-jdk15on:${v.bouncyCastle}",
hamcrestLibrary : "org.hamcrest:hamcrest-library:${v.hamcrest}",
jacksonDatabind : "com.fasterxml.jackson.core:jackson-databind:${v.jackson}",
jacksonCore : 'com.fasterxml.jackson.core:jackson-core',
jacksonDatabind : 'com.fasterxml.jackson.core:jackson-databind',
jaxbRuntime : "org.glassfish.jaxb:jaxb-runtime:${v.jaxb}",
jettyDeploy : "org.eclipse.jetty:jetty-deploy:${v.jetty}",
jettyJmx : "org.eclipse.jetty:jetty-jmx:${v.jetty}",
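Review bot: `jacksonCore` and `jacksonDatabind` are now versionless coordinates, so a module that uses them without importing `project.deps.jacksonBom`, directly or by depending on `base`, will fail resolution with a missing-version error rather than fall back to a default; spark/spark-base handles this by adding `platform(project.deps.jacksonBom)` itself. A one-line note on the entries would save the next reader that lookup: `// versionless: the version comes from jacksonBom, which 'base' exposes via enforcedPlatform`. The `related` map continues outside the hunk.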
6 changes: 3 additions & 3 deletions server/build.gradle
Expand Up @@ -863,9 +863,9 @@ task verifyWar(type: VerifyJarTask) {
"httpmime-${project.versions.apacheHttpComponents}.jar",
"istack-commons-runtime-3.0.7.jar",
"j2objc-annotations-1.3.jar",
"jackson-annotations-${project.versions.jackson}.jar",
"jackson-core-${project.versions.jackson}.jar",
"jackson-databind-${project.versions.jackson}.jar",
"jackson-annotations-2.13.2.jar",
"jackson-core-2.13.2.jar",
"jackson-databind-2.13.2.2.jar",
"jakarta.activation-2.0.1.jar",
"javassist-${project.versions.javaAssist}.jar",
"javax.activation-api-1.2.0.jar",
3 changes: 2 additions & 1 deletion spark/spark-base/build.gradle
Expand Up @@ -20,7 +20,8 @@ dependencies {
api project(':common')
api project(':server')

implementation project.deps.jackson
implementation platform(project.deps.jacksonBom)
implementation project.deps.jacksonCore
implementation project.deps.jacksonDatabind
implementation project.deps.springWeb
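Review bot: `implementation platform(project.deps.jacksonBom)` uses the non-enforced `platform`, whereas base/build.gradle imports the same BOM with `enforcedPlatform`. If spark-base reaches `base` through `:common` or `:server` (not visible here), the enforced import wins and this line is redundant; if it does not, a transitive dependency could still raise a Jackson version above the BOM in this module, which is the opposite of what the commit wants. Either drop the line when `base` is on the path, or use `implementation enforcedPlatform(project.deps.jacksonBom)` for consistency. The `dependencies {}` block continues outside the hunk.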

