
jackson-dataformat-xml 2.4.5 NOT detected #629

Closed
eoftedal opened this issue Dec 7, 2016 · 8 comments

Comments

eoftedal (Contributor) commented Dec 7, 2016

From #517 I see there have been some problems where other jackson libraries are detected as vulnerable to CVE-2016-3720 which appears to only affect jackson-dataformat-xml.

Currently I'm experiencing the opposite problem. I'm using dependency check version 1.4.3, and I've tried clearing the depcheck data folder to ensure I have a fresh vulnerability database. When I scan a folder containing jackson-dataformat-xml-2.4.5.jar

Some info about the .jar:
SHA1 535f27c7e322abc54c9758b50df1594f31ee6524
Can be downloaded here (click "Download (BUNDLE)"): https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.4.5

I unzipped it and from the META-INF/maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/pom.xml I find:

<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
<version>2.4.5</version>

eoftedal (Contributor, Author) commented Dec 8, 2016

This was wrong; it was related to how dependencies are listed at the top of the report. It is related to how files are listed at the top of the report versus in the details. If it (wrongly) detects jackson-dataformat-xml in, say, jackson-jaxrs-base and you also have jackson-dataformat-xml with the same version as jackson-jaxrs-base, it will only list jackson-jaxrs-base at the top. You can still find jackson-dataformat-xml in the "Related dependencies" under that lib lower down in the report.

eoftedal (Contributor, Author) commented Dec 8, 2016

Ok, I've been able to dig a bit deeper into this, and this is related to the regex in #517:

<gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>

Because dataformat-xml is grouped under the dataformat-cbor gav for some reason, it is excluded by this regex, and thus not found, even though it is present.

eoftedal (Contributor, Author) commented Dec 8, 2016

Ok, so I've been able to narrow it down further to something quite simple:

  1. Put jackson-dataformat-xml-2.4.5.jar and jackson-jaxrs-base-2.4.5.jar in the same folder
  2. Use a suppression file with:

     <suppress>
         <gav regex="true">com\.fasterxml\.jackson\.jaxrs:jackson.*</gav>
         <cve>CVE-2016-3720</cve>
     </suppress>

The regex is supposed to suppress something with .jaxrs in it, but for some reason also suppresses the dataformat-xml file...

eoftedal (Contributor, Author) commented Dec 8, 2016

So the end result is that this seems to be somehow related to the grouping of related dependencies.
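The behaviour reported above can be audited outside the scanner. This is an added example, not code from the thread or from dependency-check: it parses a suppression file in the shape quoted above, tests each GAV individually (whole-string matching, assumed to mirror Java's String.matches()), and contrasts that with a model of the faulty behaviour in which the rule is evaluated against a group's primary dependency and inherited by its related dependencies. The XML wrapper element and the GAV list are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: the suppression rule quoted in the thread (wrapped in a
# root element) and the two jars from the reproduction as group:artifact:version.
SUPPRESSIONS_XML = r"""<suppressions>
  <suppress>
    <gav regex="true">com\.fasterxml\.jackson\.jaxrs:jackson.*</gav>
    <cve>CVE-2016-3720</cve>
  </suppress>
</suppressions>"""

DEPENDENCIES = [
    "com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.4.5",
    "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.4.5",
]


def parse_suppressions(xml_text):
    """Return (gav_regex, cve) pairs; tolerates a namespace prefix on element tags."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if sup.tag.split("}")[-1] != "suppress":
            continue
        gav = cve = None
        for child in sup:
            name = child.tag.split("}")[-1]
            if name == "gav":
                # A non-regex <gav> is a literal coordinate, so escape it.
                gav = child.text if child.get("regex") == "true" else re.escape(child.text)
            elif name == "cve":
                cve = child.text
        rules.append((gav, cve))
    return rules


def rule_matches(gav_regex, gav):
    """Whole-string match (assumption: same semantics as Java's String.matches())."""
    return re.fullmatch(gav_regex, gav) is not None


def per_dependency_suppression(rules, deps):
    """Expected behaviour: each dependency is tested against the rules on its own."""
    return {gav: any(rule_matches(rx, gav) for rx, _ in rules) for gav in deps}


def grouped_suppression(rules, deps, primary):
    """Faulty behaviour from the thread: the primary's decision is inherited by the group."""
    decision = any(rule_matches(rx, primary) for rx, _ in rules)
    return {gav: decision for gav in deps}


def hidden_by_grouping(rules, deps, primary):
    """Dependencies silenced only by the grouping: the silent false negatives to look for."""
    direct = per_dependency_suppression(rules, deps)
    grouped = grouped_suppression(rules, deps, primary)
    return sorted(g for g in deps if grouped[g] and not direct[g])
```

Run against the thread's inputs with jackson-jaxrs-base as the group primary, `hidden_by_grouping` returns the jackson-dataformat-xml coordinate, which is exactly the dependency whose CVE-2016-3720 finding went missing.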

jeremylong (Owner) commented:

The fix for this has been implemented in 1.4.5-SNAPSHOT and will be included in the next release.

eoftedal (Contributor, Author) commented:

Awesome! Thanks!

eoftedal (Contributor, Author) commented:

@jeremylong I have verified that this fix works as expected.

lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked and limited conversation to collaborators Sep 28, 2018