We are using the gradle package 'io.swagger.core.v3:swagger-jaxrs2', and the latest version has a dependency on jackson-databind version 2.12.1.
When trying to upgrade the jackson-databind version to 2.13.0 or above, a NullPointerException appears when using the jackson types:
java.lang.NullPointerException
    at com.fasterxml.jackson.databind.introspect.AnnotatedCreatorCollector.collect(AnnotatedCreatorCollector.java:79)
    at com.fasterxml.jackson.databind.introspect.AnnotatedCreatorCollector.collectCreators(AnnotatedCreatorCollector.java:61)
    at com.fasterxml.jackson.databind.introspect.AnnotatedClass._creators(AnnotatedClass.java:403)
    at com.fasterxml.jackson.databind.introspect.AnnotatedClass.getFactoryMethods(AnnotatedClass.java:315)
    at com.fasterxml.jackson.databind.introspect.BasicBeanDescription.getFactoryMethods(BasicBeanDescription.java:572)
    at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._addExplicitFactoryCreators(BasicDeserializerFactory.java:646)
    at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._constructDefaultValueInstantiator(BasicDeserializerFactory.java:279)
    at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findValueInstantiator(BasicDeserializerFactory.java:223)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.buildBeanDeserializer(BeanDeserializerFactory.java:261)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:150)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:415)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:350)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:264)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:244)
    at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:142)
    at com.fasterxml.jackson.databind.DeserializationContext.findNonContextualValueDeserializer(DeserializationContext.java:632)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.resolve(BeanDeserializerBase.java:539)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:294)
    at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:244)
    at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:142)
    at com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:642)
    at com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:4806)
    at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4387)
    at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4325)
    at io.swagger.v3.core.util.ModelDeserializer.deserializeObjectSchema(ModelDeserializer.java:108)
    at io.swagger.v3.core.util.ModelDeserializer.deserialize(ModelDeserializer.java:74)
    at io.swagger.v3.core.util.ModelDeserializer.deserialize(ModelDeserializer.java:27)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4675)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3630)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3598)
    at io.swagger.v3.core.filter.SpecFilter.filterComponentsSchema(SpecFilter.java:281)
    at io.swagger.v3.core.filter.SpecFilter.filter(SpecFilter.java:123)
Are there any plans to upgrade jackson-databind to a non-vulnerable version - i.e. 2.13.0 or above?
Or is there any fix that we could apply to get rid of the NPE?
Thanks!
Hey, just wanted to give an update - the error above is related to a change in functionality in the jackson-databind library related to the way annotations and mixins are implemented, and we were disabling annotations for some tests by doing Json.mapper().disable(MapperFeature.USE_ANNOTATIONS);, thus generating the NPE that I've pasted above; since then, we've investigated quite a bit, and found that we needed to replace the annotation introspector (Json.mapper().setAnnotationIntrospector(AnnotationIntrospector.nopInstance());).
In any case, sorry for the confusion, nothing is needed in swagger for the jackson error, but the fact that versions below 2.13.0 are vulnerable still remains.
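The two mapper configurations the comment above contrasts, as an added example that is not the reporter's code or part of swagger-core: it uses a plain ObjectMapper in place of swagger's Json.mapper(), and the Item type and the JSON input are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.AnnotationIntrospector;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class AnnotationFreeMapperExample {

    // Constructed sample type: the alias is deliberately misleading so that the
    // difference between "annotations honoured" and "annotations ignored" is visible.
    public static class Item {
        @JsonProperty("renamed")
        public String name;
        public int count;
    }

    // The "before" form from the comment above: MapperFeature.USE_ANNOTATIONS disabled.
    // This is the configuration that, on jackson-databind 2.13+, produced the
    // NullPointerException in AnnotatedCreatorCollector shown in the issue.
    static ObjectMapper legacyMapper() {
        return JsonMapper.builder()
                .disable(MapperFeature.USE_ANNOTATIONS)
                .build();
    }

    // The replacement the reporter settled on: leave USE_ANNOTATIONS enabled and
    // install a no-op AnnotationIntrospector, so every annotation is ignored without
    // taking the introspection path that fails on 2.13+.
    static ObjectMapper annotationFreeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.setAnnotationIntrospector(AnnotationIntrospector.nopInstance());
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"name\":\"widget\",\"count\":3}"; // constructed input
        ObjectMapper mapper = annotationFreeMapper();
        Item item = mapper.readValue(json, Item.class);
        // With annotations ignored, the field binds by its Java name "name",
        // not by the @JsonProperty alias "renamed".
        System.out.println(item.name + " x" + item.count);
        System.out.println(mapper.writeValueAsString(item));
    }
}
```

Swapping legacyMapper() in for annotationFreeMapper() on a 2.13+ classpath reproduces the "before" configuration; a default ObjectMapper, for comparison, would bind the same field only under the key "renamed".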
Snyk (security analysis tool) has found recent vulnerabilities affecting the com.fasterxml.jackson.core:jackson-databind package, versions [,2.13.0): SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244.