aws/aws-sdk-java

Upgrade jackson databind to address known issues

eoliphan opened this issue · 1 comments

Upcoming End-of-Support

  • I acknowledge the upcoming end-of-support for AWS SDK for Java v1 was announced, and migration to AWS SDK for Java v2 is recommended.

Describe the bug

The current jackson version has some known issues that are addressed as of the latest releases.

Expected Behavior

Transitive deps shouldn't have issues

Current Behavior

SCA scans flag some known issues.

Reproduction Steps

Perform an SCA scan

Possible Solution

Upgrade jackson

Additional Information/Context

It may be useful to integrate GH Actions, Maven plugins, etc. that automate SCA scans

AWS Java SDK version used

1.12.741

JDK version used

openjdk version "1.8.0_402"
OpenJDK Runtime Environment Corretto-8.402.06.1 (build 1.8.0_402-b06)
OpenJDK 64-Bit Server VM Corretto-8.402.06.1 (build 25.402-b06, mixed mode)

Operating System and version

AWS Linux 2

@eoliphan do you have a report of the known issues? Is any issue security-related?

For context, Java SDK v1 cannot upgrade away from jackson databind 2.17.7.x; it can introduce some breaking changes.