Artyom Ganev

Reputation: 537

How to fix jackson-databind version in spring-boot-starter-json pom.xml

I want to fix a vulnerability in my project created with Spring Boot.

Vulnerable module: com.fasterxml.jackson.core:jackson-databind
Introduced through: org.springframework.boot:[email protected] and com.fasterxml.jackson.core:[email protected]

The spring-boot-starter-json pom.xml doesn't contain a version for the jackson-databind artifact.

Can I add 2.9.8 and create a PR to the spring-boot 2.1.x branch?

Original POM:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starters</artifactId>
        <version>${revision}</version>
    </parent>
    <artifactId>spring-boot-starter-json</artifactId>
    <name>Spring Boot Json Starter</name>
    <description>Starter for reading and writing json</description>
    <properties>
        <main.basedir>${basedir}/../../..</main.basedir>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.datatype</groupId>
            <artifactId>jackson-datatype-jdk8</artifactId>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.datatype</groupId>
            <artifactId>jackson-datatype-jsr310</artifactId>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.module</groupId>
            <artifactId>jackson-module-parameter-names</artifactId>
        </dependency>
    </dependencies>
</project>

Upvotes: 1

Views: 6617

Answers (1)

benzhuhao

Reputation: 11

You need to exclude Jackson from your Spring Boot package. Then put Jackson with the new version separately in the Maven dependencies. For instance:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-rest</artifactId>
    <!-- Drop the jackson-databind version pulled in by the starter -->
    <exclusions>
        <exclusion>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Declare the patched jackson-databind version explicitly -->
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.13.4</version>
</dependency>

Upvotes: 1
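An alternative to the exclusion approach in the answer above, added here as an example and not code from the question, the answer or the Spring Boot project: pin jackson-databind in the application's own pom.xml instead of forking spring-boot, since a child pom's dependencyManagement overrides the version inherited from spring-boot-starter-parent. It assumes the project inherits from spring-boot-starter-parent on the 2.1.x line, where spring-boot-dependencies exposes the Jackson version through the jackson.version property; the groupId, artifactId and parent version below are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <!-- Application pom.xml (constructed example). Inheriting from the Boot parent
         also inherits its dependencyManagement, including jackson-databind. -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.x.RELEASE</version> <!-- placeholder: use the exact 2.1.x release -->
        <relativePath/>
    </parent>
    <groupId>com.example</groupId>      <!-- placeholder -->
    <artifactId>demo</artifactId>        <!-- placeholder -->
    <version>0.0.1-SNAPSHOT</version>

    <properties>
        <!-- Option 1 (preferred): override the property spring-boot-dependencies
             uses for the Jackson BOM, so databind, datatype-jsr310,
             module-parameter-names etc. all move to 2.9.8 together and stay
             mutually compatible. -->
        <jackson.version>2.9.8</jackson.version>
    </properties>

    <!-- Option 2: pin only jackson-databind. Use this instead of Option 1 when the
         property is not available; the child's managed version wins over the
         parent's, and starters that omit <version> pick it up transitively. -->
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
                <artifactId>jackson-databind</artifactId>
                <version>2.9.8</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <!-- No version here: the managed version above is applied, including to
             the transitive jackson-databind brought in by the starter. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-json</artifactId>
        </dependency>
    </dependencies>
</project>
```

Confirm the result with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`, which should show a single 2.9.8 node; if an older version still appears, another dependency is declaring it directly and needs the same treatment.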
