Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SonaType Security Issue Due to jackson-core #4287

Closed
LarryBullock opened this issue Jan 20, 2023 · 5 comments
Closed

SonaType Security Issue Due to jackson-core #4287

LarryBullock opened this issue Jan 20, 2023 · 5 comments
Labels
status: declined Features that we don't intend to implement or Bug reports that are invalid or missing enough details type: task

Comments

@LarryBullock
Copy link

LarryBullock commented Jan 20, 2023
edited
Loading

Bug description
IQ Server is reporting a transitive dependency issue for Spring-Batch 4.3.7 due to a transitive dependency on jackson-core 2.14.1. Since 2.14.1 is the latest version of jackson-core, I'm sure that this would be for even the current Spring-Batch version.

Just want to get this on the backlog to update jackson-core when they release the correction.

Environment
We are currently using spring-batch 4.3.7 and deploying to Java 8.

Steps to reproduce
Build a project where the outputs are scanned by IQ Server.

Expected behavior
No transitive security finding for jackson-core.
@LarryBullock LarryBullock added status: waiting-for-triage Issues that we did not analyse yet type: bug labels Jan 20, 2023
fmbenhassine added a commit that referenced this issue Feb 13, 2023
@fmbenhassine
Upgrade Jackson dependency to version 2.14.2
5bdba93 
Related to #4287
@fmbenhassine
Copy link
Contributor

IQ Server is reporting a transitive dependency issue for Spring-Batch 4.3.7 due to a transitive dependency on jackson-core 2.14.1.

Are you sure Jackson 2.14.1 is coming as a transitive dependency from Spring Batch? Because Spring Batch 4.3.x depends on Jackson 2.11.4: https://github.com/spring-projects/spring-batch/blob/4.3.x/build.gradle#L79 .

Since 2.14.1 is the latest version of jackson-core, I'm sure that this would be for even the current Spring-Batch version.

For v5, Jackson is an optional dependency (see migration guide), and you can include the version you want when you import it in your project. But for our own build, I have updated the version to 2.14.2.

@fmbenhassine fmbenhassine added status: waiting-for-reporter Issues for which we are waiting for feedback from the reporter type: task and removed status: waiting-for-triage Issues that we did not analyse yet type: bug labels Feb 13, 2023
@LarryBullock
Copy link
Author

Attaching a screen shot from IQ server showing the dependency tree that we are working with. The issue is showing for 2.14.2,

dependencyTree

@fmbenhassine
Copy link
Contributor

I don't know which tool your IQ server is using the analyze dependencies, but maven's dependency plugin is giving another result. Here is a quick example:

pom.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<groupId>com.example</groupId>
	<artifactId>gh4287</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>gh4287</name>

	<dependencies>
		<dependency>
			<groupId>org.springframework.batch</groupId>
			<artifactId>spring-batch-core</artifactId>
			<version>4.3.7</version>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-compiler-plugin</artifactId>
				<version>3.10.1</version>
				<configuration>
					<source>1.8</source>
					<target>1.8</target>
				</configuration>
			</plugin>
		</plugins>
	</build>

</project>

MyJobConfig.java file:

package com.example.demo;

import org.springframework.batch.core.Job;
import org.springframework.batch.core.JobParameters;
import org.springframework.batch.core.configuration.annotation.EnableBatchProcessing;
import org.springframework.batch.core.configuration.annotation.JobBuilderFactory;
import org.springframework.batch.core.configuration.annotation.StepBuilderFactory;
import org.springframework.batch.core.launch.JobLauncher;
import org.springframework.batch.repeat.RepeatStatus;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
@EnableBatchProcessing
public class MyJobConfig {

	@Bean
	public Job job(JobBuilderFactory jobs, StepBuilderFactory steps) {
		return jobs.get("job")
				.start(steps.get("step")
						.tasklet((contribution, chunkContext) -> {
							System.out.println("Hello World!");
							return RepeatStatus.FINISHED;
						})
						.build())
				.build();
	}

	public static void main(String[] args) throws Exception {
		ApplicationContext context = new AnnotationConfigApplicationContext(MyJobConfig.class);
		JobLauncher jobLauncher = context.getBean(JobLauncher.class);
		Job job = context.getBean(Job.class);
		jobLauncher.run(job, new JobParameters());
	}

}

Here is the output of the command:

$>mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< com.example:gh4287 >-------------------------
[INFO] Building gh4287 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gh4287 ---
[INFO] com.example:gh4287:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.batch:spring-batch-core:jar:4.3.7:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.4:compile
[INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.4:compile
[INFO]    +- io.micrometer:micrometer-core:jar:1.8.10:compile
[INFO]    |  +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO]    |  \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
[INFO]    +- javax.batch:javax.batch-api:jar:1.0:compile
[INFO]    +- org.springframework.batch:spring-batch-infrastructure:jar:4.3.7:compile
[INFO]    |  \- org.springframework.retry:spring-retry:jar:1.3.3:compile
[INFO]    +- org.springframework:spring-aop:jar:5.3.23:compile
[INFO]    +- org.springframework:spring-beans:jar:5.3.23:compile
[INFO]    +- org.springframework:spring-context:jar:5.3.23:compile
[INFO]    |  \- org.springframework:spring-expression:jar:5.3.23:compile
[INFO]    +- org.springframework:spring-core:jar:5.3.23:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.3.23:compile
[INFO]    \- org.springframework:spring-tx:jar:5.3.23:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.721 s
[INFO] Finished at: 2023-02-14T21:47:58+01:00
[INFO] ------------------------------------------------------------------------

If you add the spring-batch-integration dependency as you seem to use based on your screenshot, the command prints:

$>mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< com.example:gh4287 >-------------------------
[INFO] Building gh4287 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gh4287 ---
[INFO] com.example:gh4287:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.batch:spring-batch-integration:jar:4.3.7:compile
[INFO]    +- org.springframework.batch:spring-batch-core:jar:4.3.7:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO]    |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.4:compile
[INFO]    |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.4:compile
[INFO]    |  +- io.micrometer:micrometer-core:jar:1.8.10:compile
[INFO]    |  |  +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO]    |  |  \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
[INFO]    |  +- javax.batch:javax.batch-api:jar:1.0:compile
[INFO]    |  +- org.springframework.batch:spring-batch-infrastructure:jar:4.3.7:compile
[INFO]    |  +- org.springframework:spring-beans:jar:5.3.23:compile
[INFO]    |  \- org.springframework:spring-core:jar:5.3.23:compile
[INFO]    |     \- org.springframework:spring-jcl:jar:5.3.23:compile
[INFO]    +- org.springframework.integration:spring-integration-core:jar:5.5.15:compile
[INFO]    |  \- io.projectreactor:reactor-core:jar:3.4.23:compile
[INFO]    |     \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO]    +- org.springframework.retry:spring-retry:jar:1.3.3:compile
[INFO]    +- org.springframework:spring-aop:jar:5.3.23:compile
[INFO]    +- org.springframework:spring-context:jar:5.3.23:compile
[INFO]    |  \- org.springframework:spring-expression:jar:5.3.23:compile
[INFO]    +- org.springframework:spring-messaging:jar:5.3.23:compile
[INFO]    \- org.springframework:spring-tx:jar:5.3.23:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.808 s
[INFO] Finished at: 2023-02-14T21:54:50+01:00
[INFO] ------------------------------------------------------------------------

There is no jackson 2.14.2 in the dependency tree above. Do you confirm?

@LarryBullock
Copy link
Author

I see what you are presenting, and I have no idea how IQ Server gathers the data. I was simply sharing the information that was shared via the Jackson-core post that they plan to fix it the finding in 2.15 (likely to be resolved next month). End result is that if IQ server is not reporting properly, we need to get it fixed so that Spring Batch is not reporting an issue or we will not be allowed to deploy code.

@fmbenhassine
Copy link
Contributor

End result is that if IQ server is not reporting properly, we need to get it fixed

Thank you for your feedback. Based on that, I will close this issue.

@fmbenhassine fmbenhassine closed this as not planned Won't fix, can't repro, duplicate, stale Feb 27, 2023
@fmbenhassine fmbenhassine added status: declined Features that we don't intend to implement or Bug reports that are invalid or missing enough details and removed status: waiting-for-reporter Issues for which we are waiting for feedback from the reporter labels Feb 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: declined Features that we don't intend to implement or Bug reports that are invalid or missing enough details type: task
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fmbenhassine @LarryBullock