[#AAA-143] Severe security and license analysis issuess in jackson-databind and jackson-dataformat-xml on Nexus IQ server CLM Job

[AAA-143] Severe security and license analysis issuess in jackson-databind and jackson-dataformat-xml on Nexus IQ server CLM Job Created: 15/Aug/17 Updated: 21/Mar/19 Resolved: 22/May/18
Status:	Resolved
Project:	aaa
Component/s:	General
Affects Version/s:	None
Fix Version/s:	Fluorine

Type:

Bug

Priority:

Highest

Reporter:

Michael Vorburger

Assignee:

Ryan Goulding

Resolution:

Done

Votes:

Labels:

None

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Environment:

Operating System: All
Platform: All

External issue ID:

8992

Description

Several projects (originally raised in private email among committers of genius, then seen by me on infrautils, now raised by An Ho on https://lists.opendaylight.org/pipermail/release/2017-August/011985.html for daexim) have hit a Severe License analysis issues in jackson-dataformat-xml on Nexus IQ server CLM Job, seen e.g. here: https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35, due to what it thinks is a "Apache-2.0, LGPL-2.1, No Source License" on component com.fasterxml.jackson.dataformat : jackson-dataformat-xml : 2.3.2.

Stephen Kitt (skitt) in private email dixit, quote: "Likewise, there’s a security issue with Jackson (again, I haven’t checked in detail), and we pull that in via AAA and/or odlparent, so it’s not Genius’s concern either."

Let's track looking into what going on there in this bug.

I'm not sure which project needs to do something about this - let's start with AAA? (Folks from AAA, of course, please move this bug to another project appropriately, if jackson-dataformat-xml isn't inherited by all this other projects from you?)

Comments

Comment by Michael Vorburger [ 15/Aug/17 ]

Further to the license issue (above), there is also a Security High alert on jackson-databinding, and a Medium on com.fasterxml.jackson.dataformat (same one as license), which we should also aim to resolve under this issue.

Comment by Ryan Goulding [ 07/Feb/18 ]

Will target fixing this in Oxygen-SR1 with complete removal of jackson. Not going to attempt to fix this until we are done releasing Oxygen.

Comment by OpenDaylight Release [ 03/May/18 ]

Since the bug is unassigned I'm currently assigning it to you.

Please assign to the relevant person.

Comment by Michael Vorburger [ 03/May/18 ]

Hello opendaylight.release who (human) are you?

Comment by Ryan Goulding [ 22/May/18 ]

https://git.opendaylight.org/gerrit/#/c/70055/

Generated at Wed Feb 07 19:08:45 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.

[AAA-143] Severe security and license analysis issuess in jackson-databind and jackson-dataformat-xml on Nexus IQ server CLM Job Created: 15/Aug/17 Updated: 21/Mar/19 Resolved: 22/May/18