Upgrade Jackson and Google GSON to address CVEs (#15461)

Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004 which affects jackson-databind. Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
2025-02-16 23:15:16 +00:00 · 2023-11-30 15:31:26 +05:30 · 2023-11-30 15:31:26 +05:30 · 7467d2c00d
commit 7467d2c00d
parent 8ddb847658
3 changed files with 4 additions and 20 deletions
--- a/licenses.yaml
+++ b/licenses.yaml
@ -289,7 +289,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.12.7
+version: 2.12.7.1
 libraries:
  - com.fasterxml.jackson.core: jackson-databind
 notice: |
@ -2500,7 +2500,7 @@ name: Gson
 license_category: binary
 module: hadoop-client
 license_name: Apache License version 2.0
-version: 2.2.4
+version: 2.10.1
 libraries:
  - com.google.code.gson: gson

--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@ -71,22 +71,6 @@
    <cve>CVE-2022-45688</cve>
  </suppress>

-  <suppress>
-    <!--
-      the suppressions here aren't currently applicable, but can be resolved once we update the version
-      -->
-    <notes><![CDATA[
-   file name: jackson-databind-2.10.5.1.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-    <!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
-    https://nvd.nist.gov/vuln/detail/CVE-2022-42003
-    https://nvd.nist.gov/vuln/detail/CVE-2022-42004
-     -->
-    <cve>CVE-2022-42003</cve>
-    <cve>CVE-2022-42004</cve>
-  </suppress>
-
  <suppress>
    <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
    <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
--- a/pom.xml
+++ b/pom.xml
@ -78,7 +78,7 @@
        <apache.curator.version>5.5.0</apache.curator.version>
        <apache.kafka.version>3.6.0</apache.kafka.version>
        <apache.ranger.version>2.4.0</apache.ranger.version>
-        <apache.ranger.gson.version>2.2.4</apache.ranger.gson.version>
+        <apache.ranger.gson.version>2.10.1</apache.ranger.gson.version>
        <scala.library.version>2.13.11</scala.library.version>
        <avatica.version>1.23.0</avatica.version>
        <avro.version>1.11.3</avro.version>
@ -98,7 +98,7 @@
        <hamcrest.version>1.3</hamcrest.version>
        <jetty.version>9.4.53.v20231009</jetty.version>
        <jersey.version>1.19.4</jersey.version>
-        <jackson.version>2.12.7</jackson.version>
+        <jackson.version>2.12.7.20221012</jackson.version>
        <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
        <log4j.version>2.18.0</log4j.version>
        <mysql.version>5.1.49</mysql.version>