Anybody know if there's a way and/or how to remove...
# cfml-generalj
Jason Ryan
09/02/2022, 6:18 PMAnybody know if there's a way and/or how to remove
com.fasterxml.jackson.core:jackson-databind/opt/lucee/server/lucee-server/bundleroot/.CommandBox/engine/cfml/cli/lucee-server/bundles/org.lucee.ehcache-2.10.3.jarb
bdw429s
09/02/2022, 9:38 PM@Jason Ryan If you're on the latest version of CommandBox, can you please enter a ticket into the Lucee bug tracker with the list of vulnerabilities and hopefully they will update it in the next version
bdw429s
09/02/2022, 9:38 PMThere's not really a way to override a core Lucee OSGI bundle
bdw429s
09/02/2022, 9:38 PMEven if you delete it from disk, it will re-extract it from the lucee.jar
bdw429s
09/02/2022, 9:38 PMAnd even if you remove it from the Lucee jar, it will download it
bdw429s
09/02/2022, 9:39 PMAnd even if you disable downloading, it will blow up because the Lucee core presumable requires that exact specific version
j
Jason Ryan
09/02/2022, 9:40 PMIt's already in the tracker: https://luceeserver.atlassian.net/browse/LDEV-3982
Jason Ryan
09/02/2022, 9:40 PMGotcha. Thanks for the info.
b
bdw429s
09/02/2022, 9:41 PM👍 There's nothing you can really do then other than create some noise on the ticket. cc/ @zackster
bdw429s
09/02/2022, 9:42 PMThat ticket should probably get some priority since it's going to prevent people from being able to use Lucee who are subject to any sort of security scanning process
s
seancorfield
09/03/2022, 6:31 PM
Jackson is awful for CVEs -- we had to work really hard at work to migrate off older versions (2.8.x to 2.9.0 was a breaking change in Jackson) and it required changes to our frontend code as well as our backend code 😞 We try to make sure to use non-Jackson JSON libraries as much as possible these days.
seancorfield
09/03/2022, 6:31 PM
(and everything depends on a version of Jackson in the Java world -- it is ubiquitous)
2 Views