Replies: 6 comments 8 replies
-
Which part from the contents of shared link shows the triggered alert? |
Beta Was this translation helpful? Give feedback.
-
|
@JooHyukKim No more detail from xray(in ide), it's low, it's "susceptible" 🤔 Dns record problem? On classical springboot project (3.2.x), only this packages triggers an low alert :
|
Beta Was this translation helpful? Give feedback.
-
|
If someone wants to give us the results, we will look at them. This is a genuine issue but with a lot of companies overselling it to earn a buck. I'm not in the mind to provide my email address to oversecured to get their list. The top 20 list on their blog contains at least one incorrect entry - fs2.co appears to redirect to fs2.io which I think is fine. http://fasterxml.com/ works. If any company is concerned, maybe they should offer to pay for the domain names. Would quickly sort out some of the issues. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, this is an entirely theoretical concern: no one will be able to take over Jackson Maven publishing, even without DNS registration. Release process is gated by Sonatype admins who know what they are doing wrt verifications. |
Beta Was this translation helpful? Give feedback.
-
|
there's a real concern that someone could grab a domain and register with a non-central maven repo (like jitpack). then, users of central + that non-central repo could get served malicious artifacts. however i don't see how this is an issue with jackson since fasterxml.com is registered. |
Beta Was this translation helpful? Give feedback.
-
|
Right, fasterxml.com is indeed registered to make that point moot (not sure why it'd be considered available or something). I did not think Jackson was listed in vulnerable projects in the original article so was bit surprised by claim here. But I am not sure how non-MC repo approach would work wrt syncing. I assume there may be some cases where this could indeed be problematic, with new versions being pushed and MC allows syncing from elsewhere even if it was the originator for previous versions (which I supposed would make sense if projects legitimately moved to use different Maven repo as their publishing target). |
Beta Was this translation helpful? Give feedback.
-
|
FWTW I double-checked my registration of "fasterxml.com" domain: it expires on Dec 29, 2026 but has been registered for more than a decade (and I intend to pay for it, and "jackson.tools") for however long necessary. I am somewhat annoyed by seemingly Yet Another Security Tool Fail. Why is it always up to projects to "prove they are not guilty" as opposed to security researchers perhaps providing some actual support evidence for an issue? |
Beta Was this translation helpful? Give feedback.
-
|
Reminds me of Express.js spam PR incidents. |
Beta Was this translation helpful? Give feedback.
-
|
for informations, in this file vulnerable.txt i found |
Beta Was this translation helpful? Give feedback.
-
|
Jackson does not use that URL as a groupId. These companies are exaggerating to sell you software. Please stop spamming us about it. |
Beta Was this translation helpful? Give feedback.
-
|
Also, whatever "jackson-bean-validation.org" is used by, it's not a component maintained by Jackson project (nor under |
Beta Was this translation helpful? Give feedback.
-
|
Hi, this is Jonathan from the Xray team in JFrog. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @yonisa3 for looking into this. |
Beta Was this translation helpful? Give feedback.
-
|
Nice !! |
Beta Was this translation helpful? Give feedback.
-
Xray triggers an alert on jackson-databind,jackson-core and jackson-annotations:
https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications
https://www.sonatype.com/sonatypes-ongoing-commitment-to-maven-central
Beta Was this translation helpful? Give feedback.
All reactions