
Commit e7a5623

authored
chore: suppress jackson-databind (#133)
1 parent 45569f9 commit e7a5623


2 files changed

+13
-0
lines changed


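--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -42,6 +42,7 @@ configure<nebula.plugin.release.git.base.ReleasePluginExtension> {
 
 dependencyCheck {
 analyzers.assemblyEnabled = false
+suppressionFile = "suppressions.xml"
 failBuildOnCVSS = 9.0F
 }
 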

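--- /dev/null
+++ b/suppressions.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<suppress until="2022-11-17Z">
+<notes><![CDATA[
+file name: jackson-databind-2.13.4.jar
+sev:HIGH
+In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
+]]></notes>
+<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\[email protected].*$</packageUrl>
+<cve>CVE-2022-42003</cve>
+</suppress>
+</suppressions>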
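Review bot: The `<notes>` CDATA only restates the advisory text and never records the risk decision that justifies suppressing CVE-2022-42003, which is what a reviewer of this file in six months will need; the description itself names the precondition (the `UNWRAP_SINGLE_VALUE_ARRAYS` feature being enabled), so I would append a line such as `Justification: <why the finding does not apply to this project>; upgrade to jackson-databind 2.14.0 tracked in <issue reference>` inside the CDATA. The `until="2022-11-17Z"` expiry is the right way to time-box this, but it means the scan will fail the build again on that date unless the upgrade lands first, so the tracking reference matters in practice. The `<packageUrl>` pattern as rendered on this page reads `jackson\[email protected].*$`, which looks like forge email-obfuscation mangling rather than the committed text; it is worth confirming that the file actually contains an escaped `jackson-databind@2.13.4` pattern and that the trailing `.*$` is meant to match only that version's qualifiers rather than any later 2.13.4x-style coordinate.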
