[FP]: jackson-databind for CVE-2017-7525
githubuserVenkat opened this issue
githubuserVenkat commented
Package URL
pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13
CPE
cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE
ODC Integration
None
ODC Version
9.0.9
Description
Actual vulnerable component is jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9
github-actions commented
Maven Coordinates
<dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-asl</artifactId>
    <version>1.9.13</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6476
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-mapper-asl@.*$</packageUrl>
    <cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7956434408
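Added example (not part of the issue thread or of Dependency-Check's code): a Python check of how far the suppression rule above reaches, run against constructed package URL / CPE pairs. The matching logic is a simplified assumption (packageUrl regex plus vendor/product equality of the CPE), not Dependency-Check's own matcher, and the function and sample names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule as posted in the issue.
RULE_XML = r"""<suppress base="true">
  <notes><![CDATA[
  FP per issue #6476
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-mapper-asl@.*$</packageUrl>
  <cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
</suppress>"""

# Constructed samples: (package URL, CPE 2.3 identifier reported for it).
SAMPLES = {
    "reported": ("pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13",
                 "cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*"),
    "other_version": ("pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.2",
                      "cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*"),
    "databind": ("pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8",
                 "cpe:2.3:a:fasterxml:jackson-databind:2.8.8:*:*:*:*:*:*:*"),
    "other_cpe": ("pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13",
                  "cpe:2.3:a:fasterxml:jackson-databind:1.9.13:*:*:*:*:*:*:*"),
}

def load_rule(xml_text):
    """Return (compiled packageUrl pattern, (vendor, product)) for one <suppress>."""
    root = ET.fromstring(xml_text)
    purl = root.find("packageUrl")
    pattern = purl.text.strip()
    if purl.get("regex") != "true":
        pattern = re.escape(pattern)  # plain value: compare literally
    # CPE 2.2 URI form: cpe:/<part>:<vendor>:<product>
    vendor, product = root.find("cpe").text.strip().split(":")[2:4]
    return re.compile(pattern), (vendor, product)

def is_suppressed(rule, purl, cpe23):
    """Simplified model: purl matches the rule and the CPE has its vendor/product."""
    pattern, vendor_product = rule
    fields = cpe23.split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    return bool(pattern.fullmatch(purl)) and (fields[3], fields[4]) == vendor_product

def evaluate():
    """Apply the rule to every constructed sample; True means the CPE is suppressed."""
    rule = load_rule(RULE_XML)
    return {name: is_suppressed(rule, *sample) for name, sample in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:14} suppressed={hit}")
```

Under this model the rule covers every version of the codehaus artifact (the `@.*` in the regex) and leaves jackson-databind identifiers unsuppressed.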
Hans Aikema commented
https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl
jackson-mapper-asl was moved to jackson-databind