
Comments (8)

Qingtang-SDK commented on May 18, 2024

Hi, @geoffjentry Thanks for your feedback, and thank you for your contribution to this SDK. I apologize for closing this issue without carefully checking. We tried your pull request, and unfortunately, some functional test cases failed with it. Now we are trying to find a JSON library which is secure and compatible with our SDK.

We will fix this issue as soon as possible, and keep you informed. Thank you, and we are sorry for the inconvenience. If you have any questions, please let us know how we can help.

from aliyun-openapi-java-sdk.

davidbernick commented on May 18, 2024

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485 too


kshakir commented on May 18, 2024

PR: #55

Will try to figure out CLA stuff, but I'm happy if someone else just makes the modifications too.


Qingtang-SDK commented on May 18, 2024

Please show us why this issue is related to aliyun-openapi-java-sdk and re-open this issue. Thank you.


geoffjentry commented on May 18, 2024

Hi @Qingtang-SDK - as you can see in #55 aliyun-openapi-java-sdk embeds the vulnerable version of Jackson. The PR #55 resolves that by upgrading Jackson to a version which does not have the security vulnerability.


Qingtang-SDK commented on May 18, 2024

Hi, @kshakir @geoffjentry @davidbernick Thanks for your patience. We have changed our JSON library dependency from jackson-mapper-dsl 1.9.13 to jackson-databind 2.9.7, in the newest master branch of the repo, and in aliyun-java-sdk-batchcompute 6.0.0 on Maven. All tests have passed.

Thanks again for your great patience. Please take a look. If you have any questions, please don't hesitate to let us know.


kshakir commented on May 18, 2024

This looks great! We have tests to run on our side; I believe this particular issue can now be marked as closed.

FYI for others that may come across this issue, there is still a transitive dependency on the same vulnerable Jackson 1.x library over in the OSS Java SDK, but that one is easier to work around using dependency exclusions.

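The exclusion workaround mentioned in the comment above, written out as an added example for a consuming project's Maven pom.xml (this is not from the thread, the OSS SDK, or aliyun-openapi-java-sdk). The coordinates for the OSS SDK (com.aliyun.oss:aliyun-sdk-oss) and its version, and the Jackson 1.x coordinates (org.codehaus.jackson:jackson-mapper-asl / jackson-core-asl), are assumed here; the thread itself only names the library as "Jackson 1.x". aliyun-java-sdk-batchcompute 6.0.0 and jackson-databind 2.9.7 are the versions the maintainers cite above.

```xml
<!-- Added example: consumer pom.xml fragment, not part of any Aliyun SDK.
     Assumed artifact coordinates are marked with "(assumed)". -->
<dependencies>

  <!-- batchcompute 6.0.0 already moved to jackson-databind 2.9.7 (per the thread),
       so nothing to exclude here. -->
  <dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>aliyun-java-sdk-batchcompute</artifactId>
    <version>6.0.0</version>
  </dependency>

  <!-- The OSS SDK still pulls Jackson 1.x transitively; cut it off here.
       Coordinates and version are assumed for illustration. -->
  <dependency>
    <groupId>com.aliyun.oss</groupId>            <!-- (assumed) -->
    <artifactId>aliyun-sdk-oss</artifactId>      <!-- (assumed) -->
    <version>3.x.y</version>                     <!-- placeholder, pin your real version -->
    <exclusions>
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>  <!-- (assumed) Jackson 1.x groupId -->
        <artifactId>jackson-mapper-asl</artifactId>
      </exclusion>
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>jackson-core-asl</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare the patched Jackson 2.x line explicitly so the version you get is
       the one you chose, not whatever another transitive path happens to bring in. -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.7</version>
  </dependency>

</dependencies>
```

After applying this, confirm nothing else still drags the old artifact in with `mvn dependency:tree -Dincludes=org.codehaus.jackson` (the output should be empty for every module). Two caveats: an exclusion only removes the jar, so if the excluded SDK version actually calls Jackson 1.x classes at runtime you will see NoClassDefFoundError on the first request that hits that code path, which is why the comment says to run your own tests; and pinning 2.9.7 fixes the specific gadget-class CVEs the thread is about, but jackson-databind received further deserialization-gadget fixes after 2.9.7, so treat the pinned version as a floor and keep it current rather than as a permanent setting.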

JacksonTian commented on May 18, 2024

Let's close this issue now. Thanks all.
