Suppress jackson-databind CVE-2018-1000873, won't fix in 2.8.x series

Upstream is not fixing this issue in 2.8.x we need to upgrade to at least >= 2.9.8. Ref FasterXML/jackson-modules-java8#90 (comment) RDM-3796
hmcts · Jan 29, 2019 · b10abb8 · b10abb8
1 parent e307cdd
commit b10abb8
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -124,8 +124,11 @@
         <cve>CVE-2018-19362</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.x will not get a fix for this CVE.  We need
+            to upgrade to 2.9.x. See
+            https://github.com/FasterXML/jackson-modules-java8/issues/90#issuecomment-450544881
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-1000873</cve>
     </suppress>
     <suppress>