Contributors
References
2018-10-03 AAI Meeting Notes
...
Tracked in System Jira (serverId 4733707d-2057-3a0f-ae5e-4fd8aff50176):
- AAI-628
- AAI-907
- AAI-908
- AAI-910
- AAI-928
- AAI-1218
Jackson Replacement
The Security subcommittee (SECCOM) has recommended that teams move away from Jackson; it will be presenting alternatives and asking each project for an assessment. Our team will need to do its own analysis. This would not be trivial, given how many of our repos are impacted, so as of now the level of effort (LOE) for the team is very high. We need to see the concrete SECCOM recommendation (which replacement library, and whether a full removal or only an upgrade is expected) before we can give a better estimate of the LOE.
Survey of Replacement Options
Articles with comparisons and benchmarks:
Articles above link to about 20 libraries as options to be explored, including:
Quick CVE comparison:
Code Analysis
Search on AAI source code shows:
...
FasterXML Jackson version | Google gson version | Comments
---|---|---
`mapper = new ObjectMapper();` | `JsonParser parser = new JsonParser();` | Both create the parser/mapper once and reuse it.
`JsonNode rootNode = mapper.readTree(new File(authFilename)); JsonNode rolesNode = rootNode.path(AuthConstants.ROLES_NODE_PATH);` | `JsonObject authObject = parser.parse(authFile).getAsJsonObject(); JsonArray roles = authObject.getAsJsonArray("roles");` | Jackson's `JsonNode` is a single abstract tree type for every kind of node, and `path()` returns a "missing" node rather than failing when the element is absent. Gson uses the concrete types `JsonObject` and `JsonArray`, so the code states the shape it expects and `getAsJsonObject()` throws if the document does not have that shape.
`String function = functionNode.path(AuthConstants.FUNCTION_NAME_PATH).asText();` | `String roleName = roleObject.get("name").getAsString();` | The code structure differs at this point (function name vs role name) but the general intent is equivalent: get the element's name as a string.
`public synchronized void loadUsers(String authFilename) throws Exception` (no exception handling in this method) | `} catch (JsonProcessingException e) { ErrorLogHelper.logError("AAI_4001", globalAuthFileName + ". Not valid JSON: " + e);` | This version still catches `com.fasterxml.jackson.core.JsonProcessingException` even though it uses Google gson for parsing; Gson reports malformed input with its own unchecked `JsonSyntaxException`/`JsonParseException`, so this catch never fires for a Gson parse failure. Deferring exception handling to the caller, as the Jackson version does, is also not a good idea: the caller has no idea why/how/when/where the parsing failed and might be left with a partially populated data structure.
`boolean hasMethods = handleMethodNode(methodsNode, role, function);` | `usrs.forEach((key, value) -> { ... });` | Method call vs Java lambda is not really relevant to the Jackson replacement, but consistency of style could be an overall goal if the code is being refactored anyway.
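The two rows above on shape handling and on exception handling can be addressed together. The following is an added example written for this page, not AAI code: a Gson-based loader for a role/function auth file that catches Gson's own parse exception, validates the document shape, and either returns a complete map or throws, so the caller never receives a partially populated structure. It assumes Gson 2.8.6 or later (for the static `JsonParser.parseString`), and it assumes a file layout of `roles[].name` and `roles[].functions[].name`; the page only shows the `roles` key, so the `functions` key, the class name `GsonAuthLoader` and the sample document are assumptions.

```java
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;

import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/** Added example for this page; not AAI project code. Assumes Gson 2.8.6+. */
public class GsonAuthLoader {

    /** Raised for malformed JSON and for documents that lack the expected shape. */
    public static class AuthFileException extends Exception {
        public AuthFileException(String message) { super(message); }
        public AuthFileException(String message, Throwable cause) { super(message, cause); }
    }

    /**
     * Parses the auth document and returns role name -> set of function names.
     * Either the whole document is valid and a complete map is returned, or an
     * AuthFileException is thrown and nothing partial reaches the caller.
     */
    public static Map<String, Set<String>> loadRoles(String authJson) throws AuthFileException {
        JsonElement root;
        try {
            root = JsonParser.parseString(authJson);
        } catch (JsonParseException e) {
            // Gson's exception type; a Jackson JsonProcessingException catch would never fire here.
            throw new AuthFileException("Not valid JSON: " + e.getMessage(), e);
        }
        if (!root.isJsonObject()) {
            throw new AuthFileException("Top-level element must be a JSON object");
        }
        JsonArray roles = requireArray(root.getAsJsonObject(), "roles");

        Map<String, Set<String>> result = new LinkedHashMap<>();
        for (JsonElement roleEl : roles) {
            JsonObject role = requireObject(roleEl, "roles[]");
            String roleName = requireString(role, "name");
            if (result.containsKey(roleName)) {
                throw new AuthFileException("Duplicate role: " + roleName);
            }
            Set<String> functions = new LinkedHashSet<>();
            // "functions" is an assumed key; the AAI file may use a different one.
            for (JsonElement fnEl : requireArray(role, "functions")) {
                functions.add(requireString(requireObject(fnEl, "functions[]"), "name"));
            }
            result.put(roleName, functions);
        }
        return result;
    }

    private static JsonObject requireObject(JsonElement el, String where) throws AuthFileException {
        if (el == null || !el.isJsonObject()) {
            throw new AuthFileException("Expected a JSON object at " + where);
        }
        return el.getAsJsonObject();
    }

    private static JsonArray requireArray(JsonObject obj, String key) throws AuthFileException {
        JsonElement el = obj.get(key);
        if (el == null || !el.isJsonArray()) {
            throw new AuthFileException("Missing or non-array field: " + key);
        }
        return el.getAsJsonArray();
    }

    private static String requireString(JsonObject obj, String key) throws AuthFileException {
        JsonElement el = obj.get(key);
        if (el == null || !el.isJsonPrimitive() || !el.getAsJsonPrimitive().isString()) {
            throw new AuthFileException("Missing or non-string field: " + key);
        }
        return el.getAsString();
    }

    public static void main(String[] args) {
        // Constructed sample documents; the real AAI auth file layout may differ.
        String valid = "{\"roles\":[{\"name\":\"admin\",\"functions\":[{\"name\":\"basic\"},{\"name\":\"advanced\"}]}]}";
        String wrongShape = "{\"roles\":[{\"name\":\"admin\"}]}";
        String malformed = "{\"roles\":[";
        for (String doc : new String[] {valid, wrongShape, malformed}) {
            try {
                System.out.println("loaded: " + loadRoles(doc));
            } catch (AuthFileException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The shape checks are the point of the example: with Gson's concrete types a wrong document fails with a `ClassCastException` or `IllegalStateException` deep inside the loader unless the code checks `isJsonObject()`/`isJsonArray()` first, and wrapping those checks and the parse failure into one checked exception gives the caller a single, meaningful failure path instead of a half-filled map.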
Suggestions
...
...
Benchmark linked from the comments: https://github.com/fabienrenaud/java-json-benchmark
The benchmark covers about 20 libraries that could be explored as options, including:
Quick CVE comparison:
...
POC: Replacing default Spring Boot Jackson dependencies with Gson - Tian Lee
...