Skip to content

Upgrade Jackson Dependency to address security vulnerabilities #349

Description

@newcron

Hi There,

I understand that it's not possible to upgrade to Jackson 3 due to compatibility issues with older Gradle versions.

However, the current used Version (2.14.2) of Jackson has a few pretty urgent security violations.

I understand, that this does not directly affect the security of applications that use the plugins, however there are two aspects worth considering:

  • Many applications are built on public CI runners such as "Github-hosted runners" for Github Actions. There it's not clear, what else is on these machines and how hardened they are. So security at build time does actually matter.
  • Gradle offers the Dependency Submission Github action that reports all dependencies to github's dependabot. This plugin also reports build time dependencies.
    In an enterprise context, these security findings are often monitored and mitigation is mandatory (such is my case).

Therefore, I would really appreciate to upgrade at least to the latest patched version of Jackson 2.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions