Skip to end of metadata
Go to start of metadata
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
RepositoryGroupImpact AnalysisAction
holmes-commoncom.fasterxml.jackson.core

False Positive

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-common does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by msb-java-sdk. Also, the MSB team has declared this to be a false positive.


holmes-dsacom.fasterxml.jackson.core

False Positive

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-dsa does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by msb-java-sdk. Also, the MSB team has declared this to be a false positive.


holmes-engine-managementcom.fasterxml.jackson.core

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-engine-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core.

To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard.

From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes.

Need to update Dropwizard to check whether its new version has solved this problem. Otherwise, we have to switch to another framework.
holmes-rule-managementcom.fasterxml.jackson.core

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-rule-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core.

To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard.

From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes.

Need to update Dropwizard to check whether its new version has solved this problem. Otherwise, we have to switch to another framework.