Latest version has vulnerable dependency #54
Comments
PR: #55 Will try to figure out CLA stuff, but I'm happy if someone else just makes the modifications too.
Dependencies still reported out of date via `sbt dependencyUpdates`:
- com.aliyun:aliyun-java-sdk-core : 3.6.0 -> 3.7.1 -> 4.0.8
  Waiting for aliyun/aliyun-openapi-java-sdk#54
- com.github.pathikrit:better-files : 2.17.1 -> 3.6.0
  Unstable API would probably require multiple changes
- com.google.apis:google-api-services-cloudkms : v1-rev63-1.25.0 -> InvalidVersion(v1beta1-rev6-1.22.0)
  False positive due to version not being SemVer
- com.google.apis:google-api-services-genomics : v2alpha1-rev31-1.25.0 -> InvalidVersion(v2alpha1-rev9-1.23.0)
  False positive due to version not being SemVer
- mysql:mysql-connector-java : 5.1.47 -> 8.0.12
  See notes in Dependencies.scala on changes that would be required by users.
- org.broadinstitute.dsde.workbench:workbench-google : 0.15-2fc79a3 -> 0.15-ff73de5-SNAP -> 0.100-f9bd914-SNAP -> 1.0-e8e6ff0-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-model : 0.10-6800f3a -> 0.10-ff73de5-SNAP -> 0.12-e24d5a6-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-util : 0.3-f3ce961 -> 0.3-ff937c4-SNAP
  Need more research to know what changed
- org.liquibase:liquibase-core : 3.5.5 -> 3.6.2
  Waiting for https://liquibase.jira.com/browse/CORE-3311
- org.webjars:swagger-ui : 3.2.2 -> 3.18.2
  Unstable API would probably require multiple changes
- software.amazon.awssdk:aws-sdk-java : 2.0.0-preview-9 -> 2.0.1
  Waiting for #3909
Bypass Mockito error "Cannot cast to primitive type" on classes also modified due to use of Refined.

Dependencies still reported out of date via `sbt dependencyUpdates`:
- com.aliyun:aliyun-java-sdk-core : 3.6.0 -> 3.7.1 -> 4.0.8
  Waiting for aliyun/aliyun-openapi-java-sdk#54
- com.github.pathikrit:better-files : 2.17.1 -> 3.6.0
  Unstable API would probably require multiple changes
- com.google.apis:google-api-services-cloudkms : v1-rev63-1.25.0 -> InvalidVersion(v1beta1-rev6-1.22.0)
  False positive due to version not being SemVer
- com.google.apis:google-api-services-genomics : v2alpha1-rev31-1.25.0 -> InvalidVersion(v2alpha1-rev9-1.23.0)
  False positive due to version not being SemVer
- mysql:mysql-connector-java : 5.1.47 -> 8.0.12
  See notes in Dependencies.scala on changes that would be required by users.
- org.broadinstitute.dsde.workbench:workbench-google : 0.15-2fc79a3 -> 0.15-ff73de5-SNAP -> 0.100-f9bd914-SNAP -> 1.0-e8e6ff0-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-model : 0.10-6800f3a -> 0.10-ff73de5-SNAP -> 0.12-e24d5a6-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-util : 0.3-f3ce961 -> 0.3-ff937c4-SNAP
  Need more research to know what changed
- org.liquibase:liquibase-core : 3.5.5 -> 3.6.2
  Waiting for https://liquibase.jira.com/browse/CORE-3311
- org.webjars:swagger-ui : 3.2.2 -> 3.18.2
  Unstable API would probably require multiple changes
- software.amazon.awssdk:aws-sdk-java : 2.0.0-preview-9 -> 2.0.1
  Waiting for #3909
Please show us why this issue is related to aliyun-openapi-java-sdk and re-open this issue. Thank you.
Hi @Qingtang-SDK - as you can see in #55
Hi, @geoffjentry Thanks for your feedback, and thank you for your contribution to this SDK. I apologize for closing this issue without carefully checking. We tried your pull request, and unfortunately, some functional test cases failed with it. Now we are trying to find a JSON library which is secure and compatible with our SDK. We will fix this issue as soon as possible, and keep you informed. Thank you, and we are sorry for your inconvenience. If you have any questions, please let us know how to help.
Hi, @kshakir @geoffjentry @davidbernick Thanks for your patience. We have changed our JSON library dependency from Thanks again for your great patience. Please take a look. If you have any questions, please don't hesitate to let us know.
This looks great! We have tests to run on our side, but I believe this particular issue can now be marked as closed. FYI for others that may come across this issue, there is still a transitive dependency on the same vulnerable Jackson 1.x library over in the OSS Java SDK, but that one is easier to work around using dependency exclusions.
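The dependency-exclusion workaround mentioned in the comment above, written out as an added sbt example (it is not code from this issue, from the aliyun SDK, or from the project that reported it). Jackson 1.x is published under the `org.codehaus.jackson` organization (artifacts `jackson-core-asl` and `jackson-mapper-asl`); the artifact name `aliyun-sdk-oss`, the version string, and the assumption that the OSS SDK is the module pulling Jackson 1.x in are placeholders to be confirmed against your own build's dependency tree.

```scala
// build.sbt fragment (added example; coordinates and versions are placeholders)

// Weak setting: the transitive Jackson 1.x artifacts come in unfiltered.
// libraryDependencies += "com.aliyun" % "aliyun-sdk-oss" % "X.Y.Z"

// Hardened setting: drop every artifact from the Jackson 1.x organization
// that this dependency would otherwise pull in transitively.
libraryDependencies += ("com.aliyun" % "aliyun-sdk-oss" % "X.Y.Z")
  .excludeAll(
    // ExclusionRule with only an organization matches all artifact names in it.
    ExclusionRule(organization = "org.codehaus.jackson")
  )

// Narrower alternative if only the databinding artifact is of concern:
// libraryDependencies += ("com.aliyun" % "aliyun-sdk-oss" % "X.Y.Z")
//   .exclude("org.codehaus.jackson", "jackson-mapper-asl")

// Guard against the exclusion silently breaking the SDK at runtime: if any
// remaining dependency still needs a class from the excluded packages, it
// will fail with a NoClassDefFoundError, so run the project's functional
// tests after applying the exclusion (the SDK maintainers above reported
// exactly this kind of test failure when swapping JSON libraries).
```

After reloading the build, confirm the artifacts are gone with `sbt dependencyTree` (built into sbt 1.4 and later; older builds need the sbt-dependency-graph plugin) and search its output for `org.codehaus.jackson`; an exclusion only removes the edge through the dependency it is attached to, so any other module that also depends on Jackson 1.x needs its own rule or a direct override.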
Let's close this issue now. Thanks all.
According to SourceClear, https://www.sourceclear.com/vulnerability-database/libraries/230, Jackson-databind is vulnerable. Can we use another library?