Vulnerable transitive dependency

[TWiStErRob]

Description of the problem: There are vulnerabilities in transitive dependencies because they're not using the latest versions.

Browser and version: N/A

Operating system: N/A

WebDriverManager version: 5.3.0

This report is by Sonatype lift:

All (except 1) vulnerabilities will be fixed by bumping to latest minor for these.

Please watch (Subscribe button in sidebar) on docker-java/docker-java#1974 and bump whenever they release.

[wszczepaniak]

version 5.3.2 is still reported to have a transitive vulnerability from jackson-databind:2.10.3 :(

[TWiStErRob]

@wszczepaniak barking up the wrong tree, see the link in OP.

[wszczepaniak]

1. I've seen the link in OP.
2. Seen no activity in there
3. Commented here, as depending on something is a decision, that can be changed
4. I don't see any "barking" in my comment, and I've found your answer as not very polite. To be honest, I thought open-source threads are not like those on facebook, but I might be wrong.

[TWiStErRob]

4 is up to you how you read it, it's just an expression, I meant @bonigarcia can't do much here until it's fixed upstream.

I haven't considered 3 as a solution, but that's a fair point.
It might be a quite fundamental change though, because it's part of the public API.

[bonigarcia]

I believe the latest version of docker-java has bumped bcprov and commons-io. But the docker-java team refuses to bump jackson (see docker-java/docker-java#2037).

[TWiStErRob]

Let's see what's the explanation, but regardless, that's some progress with the other two 👏.

[masoodmd0786]

Hi, Do we have any Update on this ?

[bonigarcia]

@masoodmd0786 As you have seen in docker-java/docker-java#1974, no news yet

[derolk]

Sad but happy to see you're working on fixing the issue. Thanks

[christianhujer]

I just wanted to report the same, but then found that there already is such an issue open.

In case it helps, here's a list of vulnerabilities from transitive dependencies found in 5.7.0.
As far as I can tell, they're all coming through com.fasterxml.jackson.core:jackson-databind:2.10.3

• CVE-2022-42003 7.5 Deserialization of Untrusted Data vulnerability with High severity found
  Cxced0c06c-935c 5.9 Uncontrolled Resource Consumption vulnerability with Medium severity found
• CVE-2022-42004 7.5 Deserialization of Untrusted Data vulnerability with High severity found
• CVE-2021-46877 7.5 Uncontrolled Resource Consumption vulnerability with High severity found
• CVE-2020-25649 7.5 Improper Restriction of XML External Entity Reference vulnerability with High severity found
• CVE-2020-36518 7.5 Out-of-bounds Write vulnerability with High severity found
• CVE-2021-20190 8.1 Deserialization of Untrusted Data vulnerability with High severity found

The criticality is probably low.

The easiest way to suppress the issue is by adding this to my dependencies in Gradle:

    testImplementation("com.fasterxml.jackson.core:jackson-databind:2.16.0")

If folks want to play it safe, they can also do this:

    testImplementation("io.github.bonigarcia:webdrivermanager:5.7.0") {
        exclude(group = "com.fasterxml.jackson.core", module = "jackson-databind")
    }

Hope this helps someone.

[TurboCoder13]

Thank you @christianhujer 🙇

Curious if you know whether excluding this dependency will affect how the package functions? 🤔

[sivaprakashspg]

Thank you @christianhujer 🙇

Curious if you know whether excluding this dependency will affect how the package functions? 🤔

Was wondering the same! They just won't upgrade #2328

Not sure if this would work, but can we <exclude'> Jackson from java-docker and add the latest Jackson dependency in WebDriverManager pom.xml?

[bonigarcia]

Not sure if this would work, but can we <exclude'> Jackson from java-docker and add the latest Jackson dependency in WebDriverManager pom.xml?

I have just released WebDriverManager 5.9.0, which excludes org.bouncycastle:bcpkix-jdk18on and forces to use jackson-databind 2.17.1. So I believe this issue should be fixed now.

[bonigarcia]

Sorry but forcing to use latest jackson-databind release does not work. The Docker support in WebDriverManager 5.9.0 seems broken now. See errors Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/util/JacksonFeature in:

https://github.com/bonigarcia/selenium-jupiter/actions/runs/9647381928/job/26606009989

I am going to release WebDriverManager 5.9.1 without forcing the use of jackson-databind 2.17.1.