[
https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17178117#comment-17178117
]
Tatu Saloranta commented on BEAM-7881:
--------------------------------------
[~romain.manni-bucau] no. I corrected you, but you did not understand it so you
just repeated the false claim.
Mere existence of the jars does not expose the issue. If you are not interested
in understanding issues to be resolved maybe you should refrain from making
such claims in the first place.
> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> ------------------------------------------------------------------
>
> Key: BEAM-7881
> URL: https://issues.apache.org/jira/browse/BEAM-7881
> Project: Beam
> Issue Type: Task
> Components: sdk-java-core
> Affects Versions: 2.14.0
> Reporter: Romain Manni-Bucau
> Priority: P3
> Fix For: 3.0.0
>
>
> Jackson keeps having CVE on all releases of databind and transitively beam
> sdk java core has CVE on all its releases (for the record, when writing this
> issue you must use at least jackson-databind 2.9.9.2 but last week it was
> 2.9.9.1 and 2.14 didn't get the fix).
> Can be neat to get rid of jackson which does not fix this issue for a very
> long time now and just use JSON-B or another JSON impl to ensure the CVE is
> not usable because beam is there.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
