Using Google gson vs FasterXML Jackson

Contributors

References

2018-10-03 AAI Meeting Notes

2018-09-26 AAI Meeting Notes

PTL 2018-11-05

Project Recommendations for Package Upgrades 

AAI R3 Security/Vulnerability Threat Analysis

Faster XML Jackson usage in Portal Code and replacing it with Gson

AAI-628 - Getting issue details... STATUS

AAI-908 - Getting issue details... STATUS

AAI-910 - Getting issue details... STATUS

AAI-928 - Getting issue details... STATUS

AAI-1218 - Getting issue details... STATUS

Seccom Recommendations

15th July 2019: "Out of Scope" as per Fixing Vulnerabilities in the ONAP Code Base

Jackson Replacement

Security subcommittee has recommended teams move away from jackson, and will be presenting alternatives and asking for an assessment from each project. Our team will need to do an analysis - this would not be trivial, especially given how many of our repos are impacted. As of now, this would be a very high LOE for the team, we need to understand what the recommendation from the SECCOM is before we can provide better details on what the LOE would be.

Vulnerable Packages per ONAP project

Three Areas of Concern

  1. Direct usage of Jackson by ONAP code
  2. Frameworks configured with Jackson like Spring Boot
  3. Usage of Jackson by third-party tools like Cassandra

Survey of Replacement Options

Articles with comparisons and benchmarks:

Rationale for eliminating some options from the articles above (about 20 libraries in total):

  • Related to or derived from Jackson code
  • Requires change to compilers and compile-time processes
  • Counter-productive to CII Badging criteria, see also https://github.com/coreinfrastructure/best-practices-badge
    • Unmaintained in recent years
    • Vulnerabilities not addressed
    • "Bus factor" too low
    • Number of contributors and reviewers too low

Short-list of libraries as reasonable options to be explored, including:

Quick CVE comparison:

Code Analysis

Search on AAI source code shows:

  • approx 611 hits in 227 files for "fasterxml", which includes pom.xml and Java imports
  • approx 978 hits in 215 files for "gson", which includes pom.xml and Java imports and initialising Java object
  • zero hits for "fastjson"
  • zero hits for "moshi"
  • zero hits for "genson"

  File Modified