sonatype-nexus-community / nexus-repository-apt

A Nexus Repository 3 plugin that allows usage of apt repositories

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[DepShield] (CVSS 9.8) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.9.2

sonatype-depshield opened this issue · comments

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.2 results in the following vulnerability(s):


Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.2 is a transitive dependency introduced by the following direct dependency(s):

org.sonatype.nexus:nexus-plugin-api:3.14.0-04
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
        └─ org.sonatype.nexus:nexus-blobstore-api:3.14.0-04
              └─ com.fasterxml.jackson.core:jackson-databind:2.9.2

org.sonatype.nexus:nexus-repository:3.14.0-04
        └─ org.sonatype.nexus:nexus-orient:3.14.0-04
              └─ com.orientechnologies:orientdb-server:2.2.36
                    └─ com.orientechnologies:orientdb-tools:2.2.36
                          └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
              └─ com.fasterxml.jackson.datatype:jackson-datatype-joda:2.9.2
                    └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

@DarthHater - looks like we get this dep via inheritance from core, think this issue should probably be closed since there's not much this repo can do about it?

Not technically, we can update to Nexus Repo 3.15 (which just went live). That's likely the course of action on these if it's something we get from the parent.