3.x: Upgrade jackson to 2.18.1 (#9481)

* Update Jackson to 2.18.1 * Update dep check suppression for jackson and graalvm
helidon-io · Nov 8, 2024 · 9eb2e2e · 9eb2e2e
1 parent 4899076
commit 9eb2e2e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 14 deletions.
diff --git a/dependencies/pom.xml b/dependencies/pom.xml
@@ -70,7 +70,7 @@
         <version.lib.hibernate-validator>7.0.5.Final</version.lib.hibernate-validator>
         <version.lib.hikaricp>5.0.1</version.lib.hikaricp>
         <version.lib.hystrix>1.5.18</version.lib.hystrix>
-        <version.lib.jackson>2.15.2</version.lib.jackson>
+        <version.lib.jackson>2.18.1</version.lib.jackson>
         <version.lib.jakarta.activation-api>2.0.1</version.lib.jakarta.activation-api>
         <version.lib.jakarta.annotation-api>2.0.0</version.lib.jakarta.annotation-api>
         <version.lib.jakarta.cdi-api>3.0.0</version.lib.jakarta.cdi-api>

diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -166,23 +166,21 @@ https://github.com/jeremylong/DependencyCheck/issues/7019
    <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal-sdk@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-21211</vulnerabilityName>
 </suppress>
-
-
-<!-- 
-    This CVE is being disputed by the Jackson project and the community seems in agreement that this
-    CVE should be rejected. We are suppressing this for now to reduce noise in our scan and will
-    continue to monitor progress.
-    https://nvd.nist.gov/vuln/detail/CVE-2023-35116
-    https://github.com/FasterXML/jackson-databind/issues/3972
-
--->
 <suppress>
    <notes><![CDATA[
-   file name: jackson-databind-2.15.2.jar
+   file name: graal-sdk-22.3.0.jar
    ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-   <cve>CVE-2023-35116</cve>
+   <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal-sdk@.*$</packageUrl>
+   <vulnerabilityName>CVE-2023-22045</vulnerabilityName>
 </suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: graal-sdk-22.3.0.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal-sdk@.*$</packageUrl>
+   <vulnerabilityName>CVE-2024-21094</vulnerabilityName>
+</suppress>
+
 
 <!--
     This CVE is is concerning proper use of Netty's hostname verification. Helidon enables hostname