https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/AAA-143 aaa <p>Several projects (originally raised in private email among committers of genius, then seen by me on infrautils, now raised by An Ho on <a href="https://lists.opendaylight.org/pipermail/release/2017-August/011985.html" class="external-link" target="_blank" rel="nofollow noopener">https://lists.opendaylight.org/pipermail/release/2017-August/011985.html</a> for daexim) have hit a Severe License analysis issues in jackson-dataformat-xml on Nexus IQ server CLM Job, seen e.g. here: <a href="https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35" class="external-link" target="_blank" rel="nofollow noopener">https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35</a>, due to what it thinks is a "Apache-2.0, LGPL-2.1, No Source License" on component com.fasterxml.jackson.dataformat : jackson-dataformat-xml : 2.3.2.</p> <p>Stephen Kitt (skitt) in private email dixit, quote: "Likewise, there’s a security issue with Jackson (again, I haven’t checked in detail), and we pull that in via AAA and/or odlparent, so it’s not Genius’s concern either."</p> <p>Let's track looking into what going on there in this bug.</p> <p>I'm not sure which project needs to do something about this - let's start with AAA? (Folks from AAA, of course, please move this bug to another project appropriately, if jackson-dataformat-xml isn't inherited by all this other projects from you?)</p> <p>Operating System: All<br/> Platform: All</p> AAA-143

Severe security and license analysis issuess in jackson-databind and jackson-dataformat-xml on Nexus IQ server CLM Job

Bug Highest Resolved Done Ryan Goulding Michael Vorburger Tue, 15 Aug 2017 09:52:58 +0000 Thu, 21 Mar 2019 11:56:49 +0000 Tue, 22 May 2018 13:15:08 +0000 Fluorine General 0 4 <p>Further to the license issue (above), there is also a Security High alert on jackson-databinding, and a Medium on com.fasterxml.jackson.dataformat (same one as license), which we should also aim to resolve under this issue.</p> <p>Will target fixing this in Oxygen-SR1 with complete removal of jackson.  Not going to attempt to fix this until we are done releasing Oxygen.</p> <p>Since the bug is unassigned I'm currently assigning it to you.</p> <p>Please assign to the relevant person. </p> <p>Hello <a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=opendaylight.release" class="user-hover" rel="opendaylight.release">opendaylight.release</a> who (human) are you?</p> <p><a href="https://git.opendaylight.org/gerrit/#/c/70055/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/70055/</a></p> Development External issue ID 8992 External issue URL Rank 0|i024d3: