fix(security): pin jackson-databind 2.18.8 (CVE-2026-54512..54515) — unblocks trivy-fs/osv on all PRs#108
Closed
seonghobae wants to merge 1 commit into
Closed
fix(security): pin jackson-databind 2.18.8 (CVE-2026-54512..54515) — unblocks trivy-fs/osv on all PRs#108seonghobae wants to merge 1 commit into
seonghobae wants to merge 1 commit into
Conversation
trivy-fs/osv-scan fail on EVERY clearfolio PR (Review passed / checks failed): spring-boot-starter-parent 3.5.0 manages jackson-databind at 2.19.0, which carries four fixable CVEs (CVE-2026-54512, -54513, -54514, -54515). This is a repo-wide dependency finding, not per-PR. Pin jackson-bom.version to 2.18.8 (the trivy-confirmed fixed version) via a Spring Boot property override — cleanest single-point fix that patches the whole jackson family. Verified: mvn test 335/335 green with 2.18.8 (no behavior regression), and 2.18.8 resolves the four flagged CVEs (ignore-unfixed gate turns green). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018LMoqYsUY6usjNMBjvxCbU
Collaborator
Author
|
중복 정리: #110이 정본입니다 — jackson을 2.21.4(이 PR의 2.18.8보다 상위)로 핀하고, 추가로 미사용 Tika 제거(bouncycastle CRITICAL 등 다수 CVE) + netty 4.1.135 + parent 3.5.14까지 포괄하며 mvn dependency:tree로 검증됐습니다. 같은 pom.xml이라 동시 병합 불가 → #110으로 통합. |
Collaborator
Author
검증 결과: 이 PR은 다운그레이드가 아니라 순 보안 개선입니다OSV.dev로 두 버전의 실제 CVE 노출을 대조했습니다:
결론: 2.18.8 핀은 2.19.0 대비 CVE 3건(HIGH 2건 포함)을 제거하는 순 개선이며, 되돌림(regression) 없음. Jackson이 2.18.x 유지보수 라인에 이 보안 패치들을 먼저 백포트했기 때문입니다. 남은 이슈 (별건, 이 PR을 막지 않음)
권고: 본 PR은 명백한 보안 개선이므로 병합하고, 54515 완전 해소는 후속 티켓으로 분리. (자동 검증: OSV.dev 조회 2026-07-07, 2.18.8 아티팩트 Maven Central 실재 확인.) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Review passed / checks failed 진단 결과: clearfolio 전 PR의 trivy-fs·osv-scan 실패 원인은 spring-boot-parent 3.5.0이 관리하는 jackson-databind 2.19.0의 CVE 4건(CVE-2026-54512..54515) — 레포 전역 의존성 취약점입니다.
jackson-bom.version을 trivy가 명시한 fixed 버전 2.18.8로 오버라이드 — jackson 패밀리 전체를 한 지점에서 패치.Verified
mvn test335/335 green (동작 회귀 없음). 병합 시 clearfolio 전 PR의 trivy-fs/osv가 그린으로 전환됩니다(#76·#82·#83 등 APPROVED PR의 실패 해소).🤖 Generated with Claude Code