Selaa lähdekoodia

Update java-jwt

Armin Schrenk 4 vuotta sitten
vanhempi
commit
f989b8627c
2 muutettua tiedostoa jossa 1 lisäystä ja 12 poistoa
  1. 1 7
      main/pom.xml
  2. 0 5
      main/suppression.xml

+ 1 - 7
main/pom.xml

@@ -37,7 +37,7 @@
 		<!-- 3rd party dependencies -->
 		<javafx.version>15</javafx.version>
 		<commons-lang3.version>3.11</commons-lang3.version>
-		<jwt.version>3.12.0</jwt.version>
+		<jwt.version>3.13.0</jwt.version>
 		<easybind.version>2.1.0</easybind.version>
 		<guava.version>30.0-jre</guava.version>
 		<dagger.version>2.32</dagger.version>
@@ -218,12 +218,6 @@
 				<scope>test</scope>
 			</dependency>
 
-			<!-- TODO: temporary fix for XXE attack, can be removed once java-jwt is updated -->
-			<dependency>
-				<groupId>com.fasterxml.jackson.core</groupId>
-				<artifactId>jackson-databind</artifactId>
-				<version>2.10.5.1</version>
-			</dependency>
 		</dependencies>
 	</dependencyManagement>
 

+ 0 - 5
main/suppression.xml

@@ -1,11 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
-	<suppress>
-		<notes><![CDATA[ Upstream fix backported from 2.11.0 to 2.10.5.1, see https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837. ]]></notes>
-		<gav>com.fasterxml.jackson.core:jackson-databind:2.10.5.1</gav>
-		<cve>CVE-2020-25649</cve>
-	</suppress>
 	<suppress>
 		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
 		<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>