Using Google gson vs FasterXML Jackson
Contributors
References
- Project Recommendations for Package Upgrades
- AAI R3 Security/Vulnerability Threat Analysis
- Faster XML Jackson usage in Portal Code and replacing it with Gson
- AAI-628
- AAI-908
- AAI-910
- AAI-928
- AAI-1218
Seccom Recommendations
15th July 2019: "Out of Scope" as per Fixing Vulnerabilities in the ONAP Code Base
Jackson Replacement
The Security subcommittee (SECCOM) has recommended that teams move away from Jackson, and will be presenting alternatives and asking each project for an assessment. Our team will need to do an analysis. This would not be trivial, especially given how many of our repos are impacted. As of now, this would be a very high level of effort (LOE) for the team; we need to understand what the recommendation from the SECCOM is before we can give better details on what the LOE would be.
Three Areas of Concern
- Direct usage of Jackson by ONAP code
- Frameworks configured with Jackson like Spring Boot
- Usage of Jackson by third-party tools like Cassandra
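The first area of concern, direct usage of Jackson by ONAP code, is the one a project can change on its own. The following side-by-side is an added example written for this page, not code taken from the AAI repositories or from either library's documentation; the `Customer` model, its field names and the sample JSON are constructed for illustration. It shows the same read and write operations done with Jackson's `ObjectMapper` and with `Gson`, and points out the default behaviours that differ and therefore need a conscious decision during migration (unknown JSON keys, null fields, constructors).

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.annotations.SerializedName;

public class JsonMigrationExample {

    // Hypothetical model class, constructed for this example only.
    // Both annotations are shown so the JSON key names stay identical
    // before and after the migration.
    public static class Customer {
        @JsonProperty("global-customer-id")   // Jackson key mapping
        @SerializedName("global-customer-id") // Gson equivalent
        public String globalCustomerId;

        @JsonProperty("subscriber-type")
        @SerializedName("subscriber-type")
        public String subscriberType;

        // Jackson requires a no-arg constructor (or @JsonCreator);
        // Gson does not, but keeping one avoids relying on Gson's fallback
        // object construction.
        public Customer() { }

        public Customer(String globalCustomerId, String subscriberType) {
            this.globalCustomerId = globalCustomerId;
            this.subscriberType = subscriberType;
        }
    }

    // Constructed sample input. "extra-field" is deliberately not part of
    // the model to show how each library treats unknown keys.
    static final String INPUT =
        "{\"global-customer-id\":\"cust-1\",\"subscriber-type\":\"INFRA\",\"extra-field\":1}";

    // Before: direct Jackson usage as found in application code.
    static Customer readWithJackson(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Jackson's default is to reject unknown keys with an exception.
        // Relaxing it here makes the behaviour match Gson, which ignores them.
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        return mapper.readValue(json, Customer.class);
    }

    static String writeWithJackson(Customer c) throws Exception {
        // Jackson writes null-valued fields by default.
        return new ObjectMapper().writeValueAsString(c);
    }

    // After: the Gson equivalents.
    static Customer readWithGson(String json) {
        // Gson ignores unknown keys by default; no configuration needed.
        return new Gson().fromJson(json, Customer.class);
    }

    static String writeWithGson(Customer c) {
        // Gson omits null-valued fields unless serializeNulls() is set,
        // so it is enabled here to keep the wire format identical.
        Gson gson = new GsonBuilder().serializeNulls().create();
        return gson.toJson(c);
    }

    public static void main(String[] args) throws Exception {
        Customer fromJackson = readWithJackson(INPUT);
        Customer fromGson = readWithGson(INPUT);
        System.out.println("Jackson read : " + fromJackson.globalCustomerId + " / " + fromJackson.subscriberType);
        System.out.println("Gson read    : " + fromGson.globalCustomerId + " / " + fromGson.subscriberType);

        // A partially populated object shows the null-handling difference.
        Customer partial = new Customer("cust-2", null);
        System.out.println("Jackson write: " + writeWithJackson(partial));
        System.out.println("Gson write   : " + writeWithGson(partial));
    }
}
```

Both libraries must be on the classpath to compile this (jackson-databind and gson). When comparing outputs during a real migration, diff the serialized form of representative objects rather than only checking that parsing succeeds: the null-field and unknown-key defaults above are the two behaviours most likely to change the bytes sent to, or accepted from, another component.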
Survey of Replacement Options
Articles with comparisons and benchmarks:
- https://blog.takipi.com/the-ultimate-json-library-json-simple-vs-gson-vs-jackson-vs-json/
- https://github.com/fabienrenaud/java-json-benchmark
Rationale for eliminating some options from the articles above (about 20 libraries in total):
- Related to or derived from Jackson code
- Requires change to compilers and compile-time processes
- Counter-productive to CII Badging criteria, see also https://github.com/coreinfrastructure/best-practices-badge
- Unmaintained in recent years
- Vulnerabilities not addressed
- "Bus factor" too low
- Number of contributors and reviewers too low
Short-list of libraries that are reasonable options to explore:
- https://github.com/alibaba/fastjson
- https://github.com/google/gson
- https://github.com/square/moshi
- https://github.com/owlike/genson
Quick CVE comparison:
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fastjson+or+gson+or+moshi+or+genson
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fasterxml+or+jackson
Code Analysis
Search on AAI source code shows:
- approx. 611 hits in 227 files for "fasterxml", which includes pom.xml entries and Java imports
- approx. 978 hits in 215 files for "gson", which includes pom.xml entries, Java imports and Java object initialisation
- zero hits for "fastjson"
- zero hits for "moshi"
- zero hits for "genson"