Details
- Question
- Status: Closed
- Normal
- Resolution: Done
- 13.4.2
Description
Our organization (Florida Blue) blocks dependencies with HIGH findings, so we are unable to build the project currently:
[ERROR] Failed to execute goal on project brxm-essentials: Could not resolve dependencies for project com.bcbsfl.brxm:brxm-essentials:war:0.1.0-SNAPSHOT: The following artifacts could not be resolved: com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.3, com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.9, com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.9, com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9, io.swagger.core.v3:swagger-annotations:jar:2.0.6, io.swagger.core.v3:swagger-jaxrs2:jar:2.0.6, org.javassist:javassist:jar:3.22.0-GA, io.swagger.core.v3:swagger-models:jar:2.0.6, io.swagger.core.v3:swagger-integration:jar:2.0.6, io.swagger.core.v3:swagger-core:jar:2.0.6, javax.xml.bind:jaxb-api:jar:2.3.0, com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.9.5, org.yaml:snakeyaml:jar:1.18: Could not transfer artifact com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.3 from/to central (https://artifactory.bcbsfl.com/artifactory/onehippo-virtual/): Access denied to https://artifactory.bcbsfl.com/artifactory/onehippo-virtual/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar. Error code 401, Unauthorized -> [Help 1]
When will you support databind version 2.10.3 (this is the latest version with no vulnerabilities)?
- Vulnerability published March 2 2020:
  - https://snyk.io/vuln/maven:com.fasterxml.jackson.core%3Ajackson-databind
  - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106
- Looks like Onehippo repo only supports 2.9.9.3
  - https://artifactory.bcbsfl.com/artifactory/onehippo-virtual/com/fasterxml/jackson/core/jackson-databind/