Comments (8)
Hi, @geoffjentry Thanks for your feedback, and thank you for your contribution to this SDK. I apologize for closing this issue without checking carefully. We tried your pull request, and unfortunately some functional test cases failed with it. Now we are trying to find a JSON library that is secure and compatible with our SDK.
We will fix this issue as soon as possible and keep you informed. Thank you, and we are sorry for the inconvenience. If you have any questions, please let us know how we can help.
from aliyun-openapi-java-sdk.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485 too
PR: #55
Will try to figure out CLA stuff, but I'm happy if someone else just makes the modifications too.
Please show us why this issue is related to aliyun-openapi-java-sdk and re-open this issue. Thank you.
Hi @Qingtang-SDK - as you can see in #55, aliyun-openapi-java-sdk embeds the vulnerable version of Jackson. The PR #55 resolves that by upgrading Jackson to a version which does not have the security vulnerability.
Hi, @kshakir @geoffjentry @davidbernick Thanks for your patience. We have changed our JSON library dependency from jackson-mapper-asl 1.9.13 to jackson-databind 2.9.7 in the newest repo of the master branch, and in aliyun-java-sdk-batchcompute 6.0.0 on Maven. All tests have passed.
Thanks again for your great patience. Please take a look. If you have any questions, please don't hesitate to let us know.
This looks great! We have tests to run on our side; I believe this particular issue can now be marked as closed.
FYI for others that may come across this issue, there is still transitive dependency on the same vulnerable Jackson 1.x library over in the OSS Java SDK, but that one is easier to work around using dependency exclusions.
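The dependency-exclusion workaround mentioned in the comment above, written out as a Maven pom.xml fragment. This is an added example, not code from the aliyun SDK repositories or from the commenter. The OSS SDK coordinates (`com.aliyun.oss:aliyun-sdk-oss`), the `${aliyun.oss.version}` property and the choice of 2.9.7 (the jackson-databind version the maintainers moved the core SDK to) are assumptions; check them against your own `mvn dependency:tree` output before applying.

```xml
<!-- Added example (not from the aliyun SDK repositories).
     Assumed coordinates and versions: verify against your own dependency tree. -->
<dependencies>
  <dependency>
    <groupId>com.aliyun.oss</groupId>
    <artifactId>aliyun-sdk-oss</artifactId>
    <version>${aliyun.oss.version}</version>
    <exclusions>
      <!-- Drop the transitive Jackson 1.x artifacts the comment above refers to,
           so they never reach the classpath through this SDK -->
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>jackson-mapper-asl</artifactId>
      </exclusion>
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>jackson-core-asl</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare the Jackson 2.x version you want directly, so the build
       does not pick an older one up through another transitive path -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.7</version>
  </dependency>
</dependencies>
```

Confirm the exclusion took effect with `mvn dependency:tree -Dincludes=org.codehaus.jackson` (an empty result means no Jackson 1.x artifact remains on any path) and check that `com.fasterxml.jackson.core:jackson-databind` resolves to the version you pinned. An exclusion only removes the jar; if a code path in the SDK still loads an `org.codehaus.jackson` class at runtime you will get a `NoClassDefFoundError`, so exercise the SDK calls you actually use under your own tests rather than relying on a clean build.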
Let's close this issue now. Thanks all.