
Liquibase-core 4.9.1 includes a shaded jackson-databind 2.9.10.8

Original GitHub issue: liquibase/liquibase #2735, opened by gdimitrov7 (label: dependencies).

Environment

Liquibase Version: 4.9.1

Liquibase Integration & Version: spring boot

Liquibase Extension(s) & Version: none

Database Vendor & Version: not relevant

Operating System Type & Version: not relevant (Linux)

Description

We use liquibase-core as part of a Java Spring Boot application and it's working fine functionally. We run Black Duck SCA scans to check for vulnerabilities in third-party/open-source software included in our application. This scan identified that the liquibase-core jar includes a shaded copy of jackson-databind (possibly jackson 2.9.10.8). It seems to be inside the `liquibase/pro/packaged` package.

The jackson-databind 2.9.10.8 is reported as vulnerable to CVE-2020-36518 CVSS 3.x 7.5 HIGH

The problem with shaded dependencies is that if a vulnerability is identified, we cannot force a newer version by explicitly declaring it in our pom.xml to mitigate the vulnerability. We operate in regulated environments and have mandates for fixing vulnerabilities very quickly. We don’t have the luxury of waiting for third party components to update dependencies.

I would like to request that a variant of liquibase-core be published that doesn’t include shaded jackson but simply declares the dependency in maven pom.

There are no references to jackson-databind in the source of https://github.com/liquibase/liquibase . So it is not clear which version you use or how it is bundled in the liquibase-core.

Steps To Reproduce

Run Synopsys Black Duck SCA analysis on the latest liquibase-core-4.9.1.jar.

Actual Behavior

liquibase-core doesn’t contain shaded dependency. Dependencies are declared in maven pom. We do not use pro version so we should not have jackson-databind in our class path.

liquibase-core also bundles these libraries as obfuscated code:

  • commons-collections
  • commons-lang3
  • jackson

It would be nice to share which versions you use.

Expected/Desired Behavior

liquibase-core contains shaded dependency jackson-databind

Screenshots (if appropriate)

(two screenshots attached to the original issue)

Additional Context

None.
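Because a shaded copy is relocated into the artifact's own package tree, a `<dependencyManagement>` override or an `<exclusion>` in your pom.xml never touches it; the only way to confirm what Black Duck is flagging is to inspect the jar entries themselves. The script below is an added example, not code from the Liquibase project or from the issue author. It assumes the relocation prefix `liquibase/pro/packaged/` reported above, uses a handful of well-known jackson-databind class names as markers, reads the version from the standard Maven `pom.properties` path if the shade plugin left it in place, and takes the patched releases for CVE-2020-36518 (2.12.6.1 and 2.13.2.1) from the GitHub advisory for that CVE; verify those against the advisory you trust. The sample jar it builds is constructed for the example.

```python
"""Find a shaded (relocated) copy of jackson-databind inside a jar and judge its version.

Added example for this issue; not code from the Liquibase project or the issue author.
Assumptions: relocation prefix liquibase/pro/packaged/ (from the issue text), marker
class names that only jackson-databind ships, and the fixed versions for
CVE-2020-36518 taken from the GitHub advisory for that CVE.
"""
import io
import posixpath
import re
import zipfile

CANONICAL_PREFIX = "com/fasterxml/jackson/databind/"
# Simple class names that only jackson-databind ships; several of them under one
# foreign package prefix is strong evidence of a relocated copy.
MARKER_CLASSES = {
    "ObjectMapper.class",
    "JsonNode.class",
    "BeanDeserializerFactory.class",
    "SubTypeValidator.class",
}
# Standard Maven path the shade plugin keeps unless told to filter META-INF; when
# present it gives the exact version that SCA tools otherwise infer from fingerprints.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# Assumption: patched releases listed in the advisory for CVE-2020-36518.
FIXED_IN = ("2.12.6.1", "2.13.2.1")


def find_relocated_jackson(jar_bytes):
    """Inspect jar entries; report where jackson-databind lives and which version it is."""
    relocated_dirs = []
    canonical_present = False
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            directory, _, simple = name.rpartition("/")
            if simple in MARKER_CLASSES:
                if name.startswith(CANONICAL_PREFIX):
                    canonical_present = True
                else:
                    relocated_dirs.append(directory)
            elif name == POM_PROPS:
                match = re.search(r"^version=(.+)$", jar.read(name).decode("utf-8"), re.M)
                if match:
                    version = match.group(1).strip()
    # Collapse hits such as .../packaged and .../packaged/deser to one relocation root.
    root = posixpath.commonpath(relocated_dirs) if relocated_dirs else None
    return {
        "relocation_root": root,
        "hits": len(relocated_dirs),
        "canonical_present": canonical_present,
        "version": version,
    }


def version_tuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(found, fixed_in=FIXED_IN):
    """Branch-aware comparison: 2.13.0 sorts after 2.12.6.1 but is still vulnerable."""
    f = version_tuple(found)
    branches = {version_tuple(x)[:2]: version_tuple(x) for x in fixed_in}
    if f[:2] in branches:
        return f >= branches[f[:2]]
    return f[:2] > max(branches)


def build_sample_jar():
    """Constructed stand-in for liquibase-core (not the real jar): jackson classes
    relocated under liquibase/pro/packaged/ plus a leftover pom.properties."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic is enough for this example
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("liquibase/Liquibase.class", stub)
        jar.writestr("liquibase/pro/packaged/ObjectMapper.class", stub)
        jar.writestr("liquibase/pro/packaged/JsonNode.class", stub)
        jar.writestr("liquibase/pro/packaged/deser/BeanDeserializerFactory.class", stub)
        jar.writestr(POM_PROPS, "groupId=com.fasterxml.jackson.core\n"
                                "artifactId=jackson-databind\nversion=2.9.10.8\n")
    return buf.getvalue()


def scan(jar_bytes):
    """Combine both checks into one verdict string, e.g. for a CI gate."""
    report = find_relocated_jackson(jar_bytes)
    if report["relocation_root"] is None and not report["canonical_present"]:
        return "no jackson-databind found"
    where = report["relocation_root"] or CANONICAL_PREFIX
    if report["version"] is None:
        return f"jackson-databind at {where}: version unknown (pom.properties stripped)"
    verdict = "patched" if is_patched(report["version"]) else "vulnerable"
    return f"jackson-databind {report['version']} at {where}: {verdict} for CVE-2020-36518"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    print(scan(data))
```

Run it as `python shaded_jackson.py path/to/liquibase-core-4.9.1.jar` against the real artifact, or against the jar copied out of a container image; with no argument it scans the constructed sample. If `pom.properties` was stripped from the shaded copy the version has to come from elsewhere (the class fingerprints your SCA tool matched, or the maintainer's build), which is exactly why the issue asks for the bundled versions to be published.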

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 24 (14 by maintainers)

Top GitHub Comments

1 reaction
kataggart commented, Jun 14, 2022

@kry00la that worked; I would still like to request that you build with version 4.12.0 once it's out (it will be soon, we are finishing up one PR and then will start in on it) and share with me a.) your Dockerfile for the image and b.) your scan results of the container. It should be resolved fully in that version. In the meantime, I will continue to dig and see why it's not resolved here, because I believe it should be. Thanks.

1 reaction
kry00la commented, Jun 10, 2022

@kataggart sure here 😃

    FROM liquibase/liquibase:4.10
    ARG LIQUIBASE_CASSANDRA_VERSION_EXTENSION=4.10.0
    ARG DATASTAX_SIMBA_VERSION_DRIVER=2.0.13.1014
    # Patch the base image's OS packages, then drop back to the unprivileged user.
    USER root
    RUN apt-get update -y && apt-get upgrade -y
    USER liquibase
    # Liquibase Cassandra extension jar into the lib directory Liquibase scans.
    RUN wget -O /liquibase/lib/liquibase-cassandra-${LIQUIBASE_CASSANDRA_VERSION_EXTENSION}.jar \
        https://github.com/liquibase/liquibase-cassandra/releases/download/liquibase-cassandra-${LIQUIBASE_CASSANDRA_VERSION_EXTENSION}/liquibase-cassandra-${LIQUIBASE_CASSANDRA_VERSION_EXTENSION}.jar
    # DataStax Simba JDBC driver, unpacked alongside it.
    RUN wget -P /liquibase/lib https://downloads.datastax.com/jdbc/cql/${DATASTAX_SIMBA_VERSION_DRIVER}/SimbaCassandraJDBC42-${DATASTAX_SIMBA_VERSION_DRIVER}.zip \
        && cd /liquibase/lib \
        && unzip SimbaCassandraJDBC42-${DATASTAX_SIMBA_VERSION_DRIVER}.zip
