I use DL4J in a micro-service war and our scans have dinged the shaded nd4j jackson jar. Specifically,
/app/app.war/jackson-1.0.0-M2.1.jar contains:
— jar critical org.yaml_snakeyaml version 1.26 has 7 vulnerabilities
— jar high com.fasterxml.jackson.core_jackson-databind version 2.13.3 has 2 vulnerabilities
— jar high com.fasterxml.jackson.core_jackson-core version 2.13.3 has 1 vulnerability
— jar moderate com.fasterxml.woodstox_woodstox-core version 5.1.0 has 1 vulnerability
I’m part of a larger project and attempting to reduce the number and severity of the vulnerabilities in my code areas.
Since the offending vulnerabilities are in a pure Java module, I’m thinking of how to build the jackson.jar. Building the entire tool seems a bit overwhelming as it requires C++/build tools/scripts etc which I’d rather avoid.
Does anyone see any likely issues with doing the following?
deeplearning4j/nd4j/nd4j-shade/jackson$ mvn package -Djackson.version=2.14.3 -Djackson.databind.version=2.14.3 -Dshaded.snakeyaml.version=1.33
Have there been plans for a M2.2 release or has anyone updated the jackson.jar previously?
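One check worth running on the rebuilt shaded jar before re-scanning: the shade plugin keeps each bundled library's META-INF/maven/<group>/<artifact>/pom.properties inside the jar, which is the metadata most scanners key on, so reading those files shows whether the version overrides actually took. This is an added example, not code from the post or from the DL4J project; the expected versions are taken from the mvn command above (the command does not override woodstox, so it is not listed), and the sample jar is constructed inline.

```python
import io
import re
import zipfile

# Minimum versions expected after the rebuild with the overridden properties.
EXPECTED = {
    "org.yaml:snakeyaml": "1.33",
    "com.fasterxml.jackson.core:jackson-databind": "2.14.3",
    "com.fasterxml.jackson.core:jackson-core": "2.14.3",
}

POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def parse_version(v):
    """Compare only the numeric fields: "2.14.3" -> (2, 14, 3)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def bundled_versions(jar_bytes):
    """Map "group:artifact" -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not POM_PROPS.match(name):
                continue
            props = dict(
                line.strip().split("=", 1)
                for line in jar.read(name).decode().splitlines()
                if "=" in line and not line.startswith("#")
            )
            found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found


def outdated(jar_bytes, expected=EXPECTED):
    """Return the bundled components still below the expected version."""
    found = bundled_versions(jar_bytes)
    return {k: v for k, v in found.items()
            if k in expected and parse_version(v) < parse_version(expected[k])}


def make_test_jar(components):
    """Constructed sample jar holding only the metadata entries a scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for ga, version in components.items():
            g, a = ga.split(":")
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"#generated\ngroupId={g}\nartifactId={a}\nversion={version}\n")
    return buf.getvalue()
```

On a real file, pass `open("jackson-1.0.0-M2.1.jar", "rb").read()` to `outdated()`; an empty result means every listed component is at or above the expected version.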