Jackson: upgrade for CVE-2020-36518 #8201

Merged
merged 1 commit into from Mar 30, 2022


dhalperi
Member

Includes fixups:

  • new builder pattern
  • Jackson now correctly implements Include.NON_EMPTY for JsonValue,
    so things like IntegerSpace are not serialized instead of "".
    Fix a few deserializers as a result.

@dhalperi dhalperi requested a review from arifogel March 29, 2022 21:48
@batfish-bot

This change is Reviewable

@codecov

codecov bot commented Mar 29, 2022

Codecov Report

Merging #8201 (ccd7f92) into master (baf8916) will decrease coverage by 0.00%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##             master    #8201      +/-   ##
============================================
- Coverage     74.48%   74.47%   -0.01%     
- Complexity    43494    43496       +2     
============================================
  Files          3387     3387              
  Lines        168687   168718      +31     
  Branches      20168    20178      +10     
============================================
+ Hits         125653   125660       +7     
- Misses        33490    33510      +20     
- Partials       9544     9548       +4     
Impacted Files Coverage Δ
...a/org/batfish/common/util/BatfishObjectMapper.java 72.72% <100.00%> (-1.19%) ⬇️
...src/main/java/org/batfish/datamodel/Interface.java 86.61% <100.00%> (ø)
...tamodel/routing_policy/expr/ExplicitPrefixSet.java 60.00% <100.00%> (-1.54%) ⬇️
...atfish/datamodel/vendor_family/cumulus/Bridge.java 88.88% <100.00%> (+3.17%) ⬆️
...src/main/java/org/batfish/coordinator/PoolMgr.java 54.76% <0.00%> (-4.77%) ⬇️
...fish/bddreachability/BDDLoopDetectionAnalysis.java 83.82% <0.00%> (-2.95%) ⬇️
...col/src/main/java/org/batfish/role/InferRoles.java 91.36% <0.00%> (-1.37%) ⬇️
...main/java/org/batfish/datamodel/acl/AclTracer.java 63.69% <0.00%> (-1.28%) ⬇️
...bddreachability/BDDReachabilityGraphOptimizer.java 82.82% <0.00%> (-1.02%) ⬇️
...ain/java/org/batfish/coordinator/WorkQueueMgr.java 70.93% <0.00%> (-0.59%) ⬇️
... and 8 more

Member Author

@dhalperi dhalperi left a comment


Reviewable status: 0 of 18 files reviewed, all discussions resolved (waiting on @arifogel)


projects/coordinator/BUILD, line 15 at r1 (raw file):

    runtime_deps = [
        "//projects/question",
        "@maven//:javax_activation_activation",

FYI this is not needed because it's already a direct dependency of existing libs.

Member

@arifogel arifogel left a comment


Reviewed 18 of 18 files at r1, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @dhalperi)


projects/pom.xml, line 74 at r1 (raw file):

        <jackson.version>2.13.2.20220328</jackson.version>
        <jakarta-activation.version>1.2.2</jakarta-activation.version>
        <javax-activation.version>1.1</javax-activation.version>

Do we need explicit javax-activation version or dep in maven anymore?


projects/batfish-common-protocol/src/main/java/org/batfish/common/util/BatfishObjectMapper.java, line 166 at r1 (raw file):

  }

  /** Configures all the default options for a Batfish {@link ObjectMapper}. */

Is javadoc still accurate?

Member Author

@dhalperi dhalperi left a comment


Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @dhalperi)


projects/batfish-common-protocol/src/main/java/org/batfish/common/util/BatfishObjectMapper.java, line 166 at r1 (raw file):

Previously, arifogel (Ari Fogel) wrote…

Is javadoc still accurate?

I think it's fine. Did you want a specific change?

Member

@arifogel arifogel left a comment


Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @dhalperi)


projects/batfish-common-protocol/src/main/java/org/batfish/common/util/BatfishObjectMapper.java, line 166 at r1 (raw file):

Previously, dhalperi (Dan Halperin) wrote…

I think it's fine. Did you want a specific change?

Just making sure ObjectMapper is still accurate. I guess so, given the lack of other changes.

Includes fixups:
- new builder pattern
- Jackson now correctly implements Include.NON_EMPTY for JsonValue,
  so things like IntegerSpace are not serialized instead of "".
  Fix a few deserializers as a result.
- switch to jakarta activation API - it's the new thing.
Member Author

@dhalperi dhalperi left a comment


Reviewed 15 of 18 files at r1, 6 of 6 files at r2, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @dhalperi)

Member

@arifogel arifogel left a comment


Reviewed 6 of 6 files at r2, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @dhalperi)

@dhalperi dhalperi merged commit 60e31b8 into batfish:master Mar 30, 2022
@dhalperi dhalperi deleted the bazel-up branch March 30, 2022 16:49