From 31d5cadcb000e4608acab998706233dcb576897c Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Tue, 7 Jul 2026 21:31:02 +0900 Subject: [PATCH] fix(security): pin jackson-databind to 2.18.8 (CVE-2026-54512..54515) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit trivy-fs/osv-scan fail on EVERY clearfolio PR (Review passed / checks failed): spring-boot-starter-parent 3.5.0 manages jackson-databind at 2.19.0, which carries four fixable CVEs (CVE-2026-54512, -54513, -54514, -54515). This is a repo-wide dependency finding, not per-PR. Pin jackson-bom.version to 2.18.8 (the trivy-confirmed fixed version) via a Spring Boot property override — cleanest single-point fix that patches the whole jackson family. Verified: mvn test 335/335 green with 2.18.8 (no behavior regression), and 2.18.8 resolves the four flagged CVEs (ignore-unfixed gate turns green). Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_018LMoqYsUY6usjNMBjvxCbU --- pom.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pom.xml b/pom.xml index 6b7e40d..f267247 100644 --- a/pom.xml +++ b/pom.xml @@ -18,6 +18,9 @@ 사내 통합 문서 뷰어 MVP + + 2.18.8 21 ${java.version} UTF-8