This table represents the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project. Columns: Repository, Group, Impact Analysis, Action.


Repository: so/libs
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. Jackson can be an issue if default typing is left enabled.
    •  In SO we do not use default typing. We use strict parsing and validation of deserialized data.
    •  There is no unknown-source data from which SO reads the application data (xml/json).
Action: No action. All of the existing jackson-databind versions have vulnerability issues.

Repository: SO
Group: org.eclipse.jetty
Impact Analysis: Pulled in by Spring Boot 1.5.13-RELEASE. Note: we don't use Jetty, but it is impractical to exclude it.
Action: Planning for a Spring Boot upgrade to 2.0 in Dublin.

Repository: SO
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. Jackson can be an issue if default typing is left enabled.
    •  In SO we do not use default typing. We use strict parsing and validation of deserialized data.
    •  There is no unknown-source data from which SO reads the application data (xml/json).
Action: No action. All of the existing jackson-databind versions have vulnerability issues.

Repository: SO
Group: ch.qos.logback
Impact Analysis: Pulled in by Spring Boot 1.5.13-RELEASE.
Action: Planning for a Spring Boot upgrade to 2.0 in Dublin.

Repository: SO
Group: org.slf4j
Impact Analysis: Pulled in by Spring Boot 1.5.13-RELEASE and also specified by SO.
Action: Planning for a Spring Boot upgrade to 2.0 in Dublin.

Repository: SO
Group: org.apache.tomcat.embed
Impact Analysis: Pulled in by Spring Boot 1.5.13-RELEASE. Note: Tomcat CORS is turned off in our application, so this is not really an issue since the feature is disabled.
Action: No action. Planning for a Spring Boot upgrade to 2.0 in Dublin.

Repository: SO
Group: org.apache.commons
Impact Analysis: Pulled in by Camunda 7.8.0. We aren't using any email features in BPMN.
Action: No action for Casablanca. File for an exception in Casablanca; upgrade Camunda to 1.9.0 in Dublin.
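As an added example, not code from the SO project, this is the kind of Jackson ObjectMapper configuration the jackson-databind rows above rely on: default typing stays off (so the JSON can never choose the class to instantiate) and unknown properties are rejected rather than ignored. The ServiceRequest class and both JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class StrictJacksonConfig {

    /** Hypothetical request body: only these two fields are bindable. */
    public static final class ServiceRequest {
        public String serviceInstanceId;
        public String requestAction;
    }

    /** Build an ObjectMapper that binds only what the target class declares. */
    public static ObjectMapper strictMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Default typing is off by default; make that explicit so a later
        // enableDefaultTyping() call stands out in review. With it on, the
        // document could name the concrete class to deserialize into, which is
        // the condition the jackson-databind CVEs need.
        mapper.disableDefaultTyping();
        // A property the target class does not declare is an error, not noise.
        mapper.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        // A number where an enum is expected is likewise rejected.
        mapper.enable(DeserializationFeature.FAIL_ON_NUMBERS_FOR_ENUMS);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = strictMapper();

        // Constructed input matching the declared fields: parses normally.
        String expected =
            "{\"serviceInstanceId\":\"abc-123\",\"requestAction\":\"createInstance\"}";
        ServiceRequest r = mapper.readValue(expected, ServiceRequest.class);
        System.out.println("parsed: " + r.serviceInstanceId + " / " + r.requestAction);

        // Constructed input carrying a field the class never declared: rejected.
        String unexpected =
            "{\"serviceInstanceId\":\"abc-123\",\"extra\":\"value\"}";
        try {
            mapper.readValue(unexpected, ServiceRequest.class);
            System.out.println("unexpectedly accepted");
        } catch (UnrecognizedPropertyException e) {
            System.out.println("rejected unknown property: " + e.getPropertyName());
        }
    }
}
```

disableDefaultTyping() is the 2.9-era method name; on Jackson 2.10 or later the same intent is expressed with deactivateDefaultTyping().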