| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| so/libs | com.fasterxml.jackson.core | False positive. Jackson can be an issue if default typing is left on. In SO we do not use default typing; we use strict parsing and validation of deserialized data. There is no unknown-source data from which SO reads the application data (XML/JSON). | No action. All existing jackson-databind versions have vulnerability issues. |
| SO | org.eclipse.jetty | Pulled in by Spring Boot 1.5.13.RELEASE. Note: we don't use Jetty, but it is impractical to exclude. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | ch.qos.logback | Pulled in by Spring Boot 1.5.13.RELEASE. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | org.slf4j | Pulled in by Spring Boot 1.5.13.RELEASE and also specified by SO. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | org.apache.tomcat.embed | Pulled in by Spring Boot 1.5.13.RELEASE. Note: Tomcat CORS is turned off in our application, so this is not really an issue since the feature is turned off. | No action. Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | org.apache.commons | Pulled in by Camunda 7.8.0. We aren't using any email features in BPMN. | No action for Casablanca. File for an exception in Casablanca; upgrade Camunda to 1.9.0 in Dublin. |
| | org.slf4j-ext | Pulled in from org.springframework.boot:spring-boot-starter-logging:jar:1.5.13.RELEASE; not specified in SO code. | |
| | jetty-http | No dependency found. | |
| | logback-classic | Pulled in from org.springframework.boot:spring-boot-starter-web:jar:1.5.13.RELEASE; no direct dependency. | |
| | jQuery 1.10.2 | Pulled in by Spring Boot 1.5.13.RELEASE. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | org.springframework.data | Pulled in by Spring Boot 1.5.13.RELEASE. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | org.springframework | Pulled in by Spring Boot 1.5.13.RELEASE. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | com.h2database | Used for testing purposes only, no feature impact in production; no vulnerability-free version available yet. | No action for Casablanca. |
| | commons-fileupload | Pulled in by Spring Boot 1.5.13.RELEASE. | Planning a Spring Boot upgrade to 2.0 in Dublin. |
| | org.googlecode.libphonenumber | We don't use libphonenumber, but it is impractical to exclude. | No action for Casablanca. |
| | javax.mail | We don't use javax.mail, but it is impractical to exclude. | No action for Casablanca. |
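The Jackson entry rests on two controls: default typing left off, and strict parsing with validation of the deserialized data. As an added example, not SO project code, the following contrasts the weak ObjectMapper setting the analysis warns about with the strict configuration it describes; it assumes jackson-databind 2.8.x as pulled in by Spring Boot 1.5.x, and the Request class and its fields are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class StrictJacksonExample {
    // Hypothetical SO request payload: a concrete final class with no
    // Object/abstract-typed fields, so the JSON cannot pick the class to build.
    public static final class Request {
        public final String serviceInstanceId;
        public final int timeoutSeconds;

        @JsonCreator
        public Request(
                @JsonProperty(value = "serviceInstanceId", required = true) String serviceInstanceId,
                @JsonProperty(value = "timeoutSeconds", required = true) int timeoutSeconds) {
            // Validate while deserializing, so a bad document never yields an object.
            if (serviceInstanceId == null || serviceInstanceId.isEmpty()) {
                throw new IllegalArgumentException("serviceInstanceId must be set");
            }
            if (timeoutSeconds <= 0 || timeoutSeconds > 3600) {
                throw new IllegalArgumentException("timeoutSeconds out of range");
            }
            this.serviceInstanceId = serviceInstanceId;
            this.timeoutSeconds = timeoutSeconds;
        }
    }
    // Weak setting the analysis warns about: with default typing on, the JSON
    // document itself names the class to instantiate.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated in Jackson 2.10+; avoid on any input
        return mapper;
    }
    // Strict setting: default typing stays off (the ObjectMapper default) and
    // unknown properties are rejected. Spring Boot's auto-configured mapper
    // turns FAIL_ON_UNKNOWN_PROPERTIES off, so set it explicitly.
    static ObjectMapper strictMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; the target type is fixed at the call site.
        String json = "{\"serviceInstanceId\":\"svc-123\",\"timeoutSeconds\":30}";
        Request r = strictMapper().readValue(json, Request.class);
        System.out.println(r.serviceInstanceId + " timeout=" + r.timeoutSeconds);
    }
}
```

With the strict mapper, a document carrying an extra field or a missing required one fails at readValue rather than being silently accepted, which is the behaviour the "strict parsing and validation" note relies on.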