...
Conclusion So Far
For the AAI project:
- the code already uses Google gson, so
- gson has already been scanned for vulnerabilities
- gson does not appear on the Seccom lists of packages to upgrade or replace
- the alternative JSON libraries are not currently used anywhere in the code, so
- introducing them would bring in new dependencies, and with them potentially new vulnerabilities and problems
- there is already at least one worked example of translating Jackson usage to gson usage, which makes further conversions to gson easier
- the POC shows that transitive dependencies on Jackson could also be eliminated in some cases
- there are nearly 30 AAI repositories and over 200 files that need to be updated
- fully eliminating Jackson may not be possible due to other tools, such as Cassandra
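As an added illustration of what a Jackson-to-gson translation looks like in practice (this is example code written for this page, not the AAI project's own worked example or PoC; the `Vertex` class, its field names and the JSON input are constructed), the "before" Jackson calls are shown beside their gson equivalents, together with the two default-behaviour differences that most often change wire format or error handling during such a conversion:

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonSyntaxException;

public class JacksonToGsonExample {

    // Constructed sample type for this example; not an AAI model class.
    // Fields are public so that Jackson (default visibility: public only)
    // and gson (reflective field access) both see the same members.
    public static class Vertex {
        public String id;
        public String type;
        public Integer ttl;   // left null to show the null-field difference
    }

    // Constructed input: contains a member ("unknown") the class does not declare.
    static final String INPUT = "{\"id\":\"v1\",\"type\":\"pserver\",\"unknown\":\"x\"}";

    // "Before": Jackson usage.
    static Vertex readWithJackson(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Jackson's default is FAIL_ON_UNKNOWN_PROPERTIES=true, so INPUT would
        // throw unless this is relaxed or the class carries @JsonIgnoreProperties.
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        return mapper.readValue(json, Vertex.class);
    }

    static String writeWithJackson(Vertex v) throws Exception {
        // Jackson serializes null fields by default, so the output contains "ttl":null.
        return new ObjectMapper().writeValueAsString(v);
    }

    // "After": gson usage.
    static Vertex readWithGson(String json) {
        Gson gson = new Gson();
        // gson ignores unknown JSON members by default, so no configuration is needed.
        // Malformed input surfaces as JsonSyntaxException rather than Jackson's
        // JsonProcessingException; catch blocks must be updated accordingly.
        return gson.fromJson(json, Vertex.class);
    }

    static String writeWithGson(Vertex v) {
        // gson omits null fields by default. serializeNulls() keeps Jackson's
        // wire format ("ttl":null) for consumers that depend on the key being present;
        // drop it if the smaller output is acceptable.
        Gson gson = new GsonBuilder().serializeNulls().create();
        return gson.toJson(v);
    }

    public static void main(String[] args) throws Exception {
        Vertex fromJackson = readWithJackson(INPUT);
        Vertex fromGson = readWithGson(INPUT);
        System.out.println("jackson: " + writeWithJackson(fromJackson));
        System.out.println("gson:    " + writeWithGson(fromGson));

        // Truncated input: gson reports it as a JsonSyntaxException.
        try {
            readWithGson("{\"id\":");
        } catch (JsonSyntaxException e) {
            System.out.println("gson rejected malformed input: " + e.getMessage());
        }
    }
}
```

Two checks worth running on each converted repository: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows whether Jackson is still pulled in transitively after the direct dependency is removed (this is how the transitive-elimination result above can be confirmed per module), and a grep for `@JsonTypeInfo`, `enableDefaultTyping` or `activateDefaultTyping` flags code relying on Jackson's polymorphic type handling, which has no gson equivalent and needs a hand-written `TypeAdapter` rather than a mechanical swap.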