Bump jackson-bom to 2.21.4 to fix CVEs #1412

Merged
vastin merged 1 commit into main from fix/jackson-bom-2.21.4-cve on Jun 26, 2026

Conversation

@vastin

@vastin vastin commented Jun 26, 2026

Contributor

Summary

Test plan

  • PR build Trivy image scan passes
  • If Trivy still flags CVE-2026-54514 or CVE-2026-54517 (stale Trivy DB), add suppressions for those as well

…517/54518

jackson-databind 2.21.4 fixes 6 CVEs detected by the Trivy image scan.
CVE-2026-54515 is suppressed as no fix exists in the 2.21.x line yet
(Trivy DB references 2.21.5 which has not been released).

Also removes expired Netty CVE suppressions (already fixed by the
4.1.135.Final bump in #1389).
@vastin vastin requested a review from a team as a code owner June 26, 2026 18:57
@vastin vastin added the "skip changelog" label (doesn't need a CHANGELOG entry) Jun 26, 2026
@github-actions

github-actions Bot commented Jun 26, 2026


Claude finished @vastin's task in 1m 24s


Claude PR Review

  • Check prior review comments to dedupe (none found)
  • Read the PR diff
  • Verify Jackson 2.21.4 bump
  • Verify CVE-2026-54515 suppression rationale
  • Verify Netty CVE suppressions are stale/fixed
  • Post findings

LGTM — small, focused, well-justified change. No blocking issues.

Verified:

  • dependencyManagement/build.gradle.kts:38 bumps jackson-bom 2.21.1 → 2.21.4. Netty BOM at line 43 is already 4.1.135.Final (≥ the 4.1.133.Final fix referenced in the old suppressions), so removing those Netty entries is correct cleanup — they had also already passed expired_at: 2026-05-22.
  • The remaining CVE-2026-54515 suppression is short-lived (expired_at: 2026-07-31, ~5 weeks from today 2026-06-26), which is appropriate for a "waiting on upstream" carve-out.
  • Both daily-scan and pr-build trivyignore files are kept in sync.

Minor observations (non-blocking):

  1. The PR body explicitly calls out that the Trivy DB may still flag CVE-2026-54514 / CVE-2026-54517 against 2.21.4 due to DB staleness. If the PR-build scan does flag them, prefer adding time-boxed suppressions (similar short expired_at to -54515) rather than long-lived ones — Jackson 2.21.x is on an active patch cadence and these should drop off once the Trivy DB catches up.

  2. The two trivyignore files are now identical in content. Not worth changing in this PR, but if drift between daily-scan and pr-build becomes a recurring maintenance burden, a follow-up to share a common file (or generate one from the other) would reduce the chance of one getting updated without the other.

  3. Consider noting in the suppression statement which Jackson release is expected to carry the fix (if known from the FasterXML tracker), so the next person reviewing the suppression doesn't have to re-discover that context. Not required.
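The review's three observations (time-boxed suppressions, two trivyignore copies that must not drift, and suppressions that had already passed their `expired_at`) are all checkable mechanically. The script below is an added example, not code from this PR or the project: it parses the `vulnerabilities:` list of a `.trivyignore.yaml` (only the `id`, `statement` and `expired_at` fields, so no YAML library is needed) and reports entries that have reached their expiry, entries with no expiry at all, and ids present in one copy but not the other. The two sample files are constructed to mirror the situation in the review; the Netty id is a placeholder because the PR does not name those CVEs.

```python
"""Audit Trivy ignore files for lapsed suppressions and drift between copies.

Added example (not the PR's or the project's code). Assumes the
.trivyignore.yaml layout: a `vulnerabilities:` list whose entries carry
`id`, `statement` and `expired_at`. Only that subset is parsed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

_ID_RE = re.compile(r"^\s*-\s*id:\s*(\S+)")
_KV_RE = re.compile(r"^\s*(statement|expired_at):\s*(.+?)\s*$")


@dataclass(frozen=True)
class Suppression:
    cve: str
    statement: str
    expired_at: date | None  # None: the entry never lapses on its own


def parse_trivyignore(text: str) -> list[Suppression]:
    """Collect id / statement / expired_at for each `- id:` entry."""
    raw: list[dict[str, str]] = []
    for line in text.splitlines():
        if (m := _ID_RE.match(line)):
            raw.append({"id": m.group(1)})
        elif (m := _KV_RE.match(line)) and raw:
            raw[-1][m.group(1)] = m.group(2).strip("\"'")
    return [
        Suppression(
            cve=e["id"],
            statement=e.get("statement", ""),
            expired_at=date.fromisoformat(e["expired_at"]) if "expired_at" in e else None,
        )
        for e in raw
    ]


def expired(entries: list[Suppression], today: date) -> list[str]:
    """Ids whose expired_at is today or earlier. Trivy stops honouring the entry
    once the date passes, so the finding resurfaces: either the fix has shipped
    and the entry is dead weight, or the expiry needs a conscious extension."""
    return [s.cve for s in entries if s.expired_at is not None and s.expired_at <= today]


def open_ended(entries: list[Suppression]) -> list[str]:
    """Ids with no expired_at: these never come back for review by themselves."""
    return [s.cve for s in entries if s.expired_at is None]


def drift(a: list[Suppression], b: list[Suppression]) -> set[str]:
    """Ids suppressed in one copy but not the other (daily-scan vs pr-build)."""
    return {s.cve for s in a} ^ {s.cve for s in b}


def audit(daily_text: str, pr_text: str, today_iso: str) -> dict[str, list[str]]:
    """Run all three checks; sorted lists are easy to print from a CI step."""
    today = date.fromisoformat(today_iso)
    daily, pr = parse_trivyignore(daily_text), parse_trivyignore(pr_text)
    return {
        "expired": sorted(set(expired(daily, today)) | set(expired(pr, today))),
        "open_ended": sorted(set(open_ended(daily)) | set(open_ended(pr))),
        "drift": sorted(drift(daily, pr)),
    }


# Constructed sample: the daily-scan copy before this PR removed the Netty entry.
DAILY_SCAN_BEFORE = """\
vulnerabilities:
  - id: CVE-PLACEHOLDER-NETTY-1  # placeholder id; the PR does not name the Netty CVEs
    statement: "Fixed in netty 4.1.133.Final, waiting on BOM bump"
    expired_at: 2026-05-22
  - id: CVE-2026-54515
    statement: "No fix in jackson 2.21.x yet; Trivy DB references unreleased 2.21.5"
    expired_at: 2026-07-31
"""

# Constructed sample: a pr-build copy that only carries the Jackson entry.
PR_BUILD = """\
vulnerabilities:
  - id: CVE-2026-54515
    statement: "No fix in jackson 2.21.x yet; Trivy DB references unreleased 2.21.5"
    expired_at: 2026-07-31
"""

if __name__ == "__main__":
    report = audit(DAILY_SCAN_BEFORE, PR_BUILD, "2026-06-26")
    for check, ids in report.items():
        print(f"{check:10s} {', '.join(ids) or '(none)'}")
```

Run on the review date, the script reports the Netty placeholder both as expired (2026-05-22 has passed) and as drift between the two copies, while the Jackson carve-out is still within its window; run after 2026-07-31 it flags CVE-2026-54515 as well, which is exactly when someone should re-check whether the fix has been released.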

@vastin vastin enabled auto-merge (squash) June 26, 2026 20:16
@vastin vastin merged commit 0234159 into main Jun 26, 2026
18 of 21 checks passed
@vastin vastin deleted the fix/jackson-bom-2.21.4-cve branch June 26, 2026 20:20