Hi,
As per NVD, the json-smart 2.2 version present in readonlyrest-1.34.0_es7.10.0.zip is vulnerable.
Vulnerability Links are as follows:
Please look into this.
Thanks for the report. We will check it immediately.
Can you please let me know which version of json smart you upgraded in ROR 1.35.1?
It’s net.minidev:json-smart:2.4.7
There is a json-smart in ror-shadowed-libs-all.jar. Could you please let me know which version of json smart you are using there?
The one I’ve mentioned above:
> ./gradlew clean ror-shadowed-libs:dependencies
> Task :ror-shadowed-libs:dependencies
------------------------------------------------------------
Project :ror-shadowed-libs
------------------------------------------------------------
annotationProcessor - Annotation processors and their dependencies for source set 'main'.
No dependencies
apiElements - API elements for main. (n)
No dependencies
archives - Configuration for archive artifacts.
No dependencies
compile - Dependencies for source set 'main' (deprecated, use 'implementation' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
compileClasspath - Compile classpath for source set 'main'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
compileOnly - Compile only dependencies for source set 'main'.
No dependencies
default - Configuration for default artifacts.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
implementation - Implementation only dependencies for source set 'main'. (n)
No dependencies
runtime - Runtime dependencies for source set 'main' (deprecated, use 'runtimeOnly' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
runtimeElements - Elements of runtime for main. (n)
No dependencies
runtimeOnly - Runtime only dependencies for source set 'main'. (n)
No dependencies
shadow
No dependencies
shadowCompile
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
testAnnotationProcessor - Annotation processors and their dependencies for source set 'test'.
No dependencies
testCompile - Dependencies for source set 'test' (deprecated, use 'testImplementation' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
testCompileClasspath - Compile classpath for source set 'test'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
testCompileOnly - Compile only dependencies for source set 'test'.
No dependencies
testImplementation - Implementation only dependencies for source set 'test'. (n)
No dependencies
testRuntime - Runtime dependencies for source set 'test' (deprecated, use 'testRuntimeOnly' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30
testRuntimeOnly - Runtime only dependencies for source set 'test'. (n)
No dependencies
(*) - dependencies omitted (listed previously)
A web-based, searchable dependency report is available by adding the --scan option.
Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/4.10.2/userguide/command_line_interface.html#sec:command_line_warnings
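Added example, not part of the original thread or of ReadonlyREST's code: a small Python check that reads a `gradlew ... dependencies` report like the one above and lists, per configuration, the resolved version of one coordinate, honouring the `requested -> selected` arrows. The sample report and its `legacy` configuration are constructed, and the `2.4.7` floor is an assumption taken from the version named in the thread, not a statement of which release fixes the NVD entries.

```python
import re

# Tree entry such as "|    +--- org.yaml:snakeyaml:1.27 -> 1.29 (*)".
DEP = re.compile(r"[+\\]--- ([\w.\-]+):([\w.\-]+):([\w.\-]+)(?: -> ([\w.\-]+))?")
# Configuration header such as "compile - Dependencies for ..." or a bare "shadowCompile".
CONFIG = re.compile(r"^([A-Za-z]\w*)(?: - .*)?$")

# Constructed sample input (not the project's real report).
SAMPLE = r"""
compile - Dependencies for source set 'main'.
+--- org.yaml:snakeyaml:1.27 -> 1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     \--- org.slf4j:slf4j-api:1.7.30
legacy - Constructed configuration that still pulls the old version.
\--- net.minidev:json-smart:2.2
shadow
No dependencies
"""


def resolved_versions(report, group, artifact):
    """Map each configuration to the set of resolved versions of group:artifact."""
    found, config = {}, None
    for line in report.splitlines():
        line = line.strip()
        dep = DEP.search(line)
        if dep:
            g, a, requested, selected = dep.groups()
            if (g, a) == (group, artifact) and config:
                # After conflict resolution Gradle uses the version right of "->".
                found.setdefault(config, set()).add(selected or requested)
        elif CONFIG.match(line):
            config = CONFIG.match(line).group(1)
    return found


def version_key(version):
    """Numeric sort key; qualifiers such as "-SNAPSHOT" are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def below_floor(report, group, artifact, floor):
    """Return {configuration: [versions]} resolved to something older than floor."""
    flagged = {}
    for config, versions in resolved_versions(report, group, artifact).items():
        old = sorted(v for v in versions if version_key(v) < version_key(floor))
        if old:
            flagged[config] = old
    return flagged
```

The report describes what the build resolves; it does not by itself prove what was packed into an already published jar.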