jackson-databind
presentation-cve-is-dead
| | jackson-databind | presentation-cve-is-dead |
|---|---|---|
| Mentions | 11 | 3 |
| Stars | 3,455 | 10 |
| Growth | 0.4% | - |
| Activity | 9.7 | 10.0 |
| Last Commit | 5 days ago | over 4 years ago |
| Language | Java | - |
| License | Apache License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
jackson-databind
-
The Bogus CVE Problem
Jackson had this problem a few months back, where someone reported a critical CVE against the project and broke builds all around the planet: https://github.com/FasterXML/jackson-databind/issues/3972
Basically the programmer (not the attacker) had to write code where an object contained itself:
```java
import java.util.HashMap;
import java.util.Map;
Map<String, Object> map = new HashMap<>();
map.put("recursive", map); // the map's only value is the map itself
```
After this, Jackson would indeed stack overflow if you asked it to wrap the object to JSON. Then again, half the built-in Java functions (e.g. getting the hash code of the map object) also fail for a recursive structure.
The issue remains open 3 months later, MITRE still thinks it's hella serious, and people have yet again learned to just ignore their CI warning about CVEs.
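The following is an added example, not code from the comment above or from the Jackson project, that reproduces the self-referencing map and shows what actually throws on each side: the JDK's own HashMap.hashCode() and Jackson's ObjectMapper. It assumes jackson-databind is on the classpath; the StreamWriteConstraints depth-limit API used in mapperWithDepthLimit is an assumption that only holds for jackson-core 2.16 and later (earlier versions have no write-side nesting limit and let the StackOverflowError escape).

```java
import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamWriteConstraints;
import com.fasterxml.jackson.databind.ObjectMapper;

public class RecursiveMapDemo {

    // The structure from the comment: a map whose only value is the map itself.
    static Map<String, Object> selfReferencingMap() {
        Map<String, Object> map = new HashMap<>();
        map.put("recursive", map);
        return map;
    }

    // Plain JDK behaviour on the same input: HashMap.hashCode() combines
    // key.hashCode() ^ value.hashCode() over its entries, so a map that
    // contains itself recurses until the stack is exhausted.
    static String hashCodeOutcome(Map<String, Object> map) {
        try {
            return "hashCode=" + map.hashCode();
        } catch (StackOverflowError e) {
            return "hashCode: StackOverflowError";
        }
    }

    // Serialise with the given mapper and report the outcome instead of
    // letting the error escape. Versions before 2.16 surface a raw
    // StackOverflowError; 2.16+ enforces a write nesting limit (default 1000)
    // and throws a JsonProcessingException subclass instead.
    static String serializeOutcome(ObjectMapper mapper, Object value) {
        try {
            return "json=" + mapper.writeValueAsString(value);
        } catch (StackOverflowError e) {
            return "serialize: StackOverflowError";
        } catch (JsonProcessingException e) {
            return "serialize: " + e.getClass().getSimpleName()
                    + ": " + e.getOriginalMessage();
        }
    }

    // Assumption: jackson-core 2.16+ StreamWriteConstraints API. An explicit,
    // tighter depth limit turns open-ended recursion into a bounded, catchable
    // exception with a clear message, which is the behaviour a caller that
    // serialises untrusted or caller-supplied graphs should want.
    static ObjectMapper mapperWithDepthLimit(int maxDepth) {
        JsonFactory factory = JsonFactory.builder()
                .streamWriteConstraints(StreamWriteConstraints.builder()
                        .maxNestingDepth(maxDepth)
                        .build())
                .build();
        return new ObjectMapper(factory);
    }

    public static void main(String[] args) {
        Map<String, Object> map = selfReferencingMap();
        // AbstractMap.toString() is one JDK method that does guard against
        // self-reference; it substitutes "(this Map)" for the cycle.
        System.out.println("toString=" + map);
        System.out.println(hashCodeOutcome(map));
        System.out.println(serializeOutcome(new ObjectMapper(), map));
        System.out.println(serializeOutcome(mapperWithDepthLimit(20), map));
    }
}
```

The point of the last two lines is the practitioner's check: the unbounded case is a StackOverflowError (an Error, not an Exception, so an ordinary catch block in request-handling code will not see it), while the depth-limited mapper fails fast with a JsonProcessingException that the surrounding code can handle like any other bad input.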
-
Now it's PostgreSQL's turn to have a bogus CVE
jackson-databind maintainer responds to a similar occurrence a few weeks ago: https://github.com/FasterXML/jackson-databind/issues/3972#is...
- Disputed Jackson-databind CVE Causing Disruption
-
Serverless Speed: Rust vs. Go, Java, and Python in AWS Lambda Functions
As to Jackson itself, see https://github.com/FasterXML/jackson-databind/issues/1970 for an example of startup issues. There are others.
-
"Shaping JSON" in Jackson without creating an object
After reading https://github.com/FasterXML/jackson-databind/issues/2239, but setting JsonCreator and adding the JsonFormat didn't work.
-
Deserializing /Serializing immutable fields and the fields within the fields which are immutable and not changeable with Jackson
Jackson should support records out of the box: https://github.com/FasterXML/jackson-databind/issues/2709
-
`int('1' * 4301)` will raise ValueError starting with Python 3.10.7
It's not like this vulnerability is something new. Similar issues have been public knowledge for at least four years and discussed widely. The fact that str to int and int to str conversions are slow for huge ints is hardly news.
- Omicron is worrying because it is backed by a Bayesian model for predicting the end of the year
-
How to write reflection for C++
In C#, Newtonsoft Json has similar functionality, and in Java — Jackson2 ObjectMapper.
- put method with a problem in a DATE field
presentation-cve-is-dead
-
The Bogus CVE Problem
Greg Kroah-Hartman (the kernel developer/maintainer) in 2019 gave a presentation about some of the issues with CVEs.
https://www.youtube.com/watch?v=HeeoTE9jLjM
https://github.com/gregkh/presentation-cve-is-dead
- New details on commercial spyware vendor Variston
-
Debugging a Linux network stack crash via a single register value
That said, using this to track how many bugs are introduced each year is problematic. It's often the case that commit A introduces a bug, commit B aims to fix it and says "Fixes: A" but turns out to only be a partial fix, and then commit C completes the fix and says "Fixes: B". Naively, based on these annotations it would make sense to say "B introduced a bug", but that isn't always the case.
Greg KH discusses this in his talk "CVEs are dead" (video: https://www.youtube.com/watch?v=HeeoTE9jLjM slides: https://github.com/gregkh/presentation-cve-is-dead/blob/mast... ).
What are some alternatives?
MapStruct - An annotation processor for generating type-safe bean mappers
packj-github-action - Packj audits pull requests for malicious/risky open-source deps
simdjson - Parsing gigabytes of JSON per second: used by Facebook/Meta Velox, the Node.js runtime, ClickHouse, WatermelonDB, Apache Doris, Milvus, StarRocks
fastjson2 - 🚄 FASTJSON2 is a Java JSON library with excellent performance.
Hibernate - Hibernate's core Object/Relational Mapping functionality
record-builder - Record builder generator for Java records
infobip-spring-data-querydsl - Infobip Spring Data Querydsl provides new functionality that enables the user to leverage the full power of Querydsl API on top of Spring Data repository infrastructure.
boost - My personal boost mirror to be submoduled by my projects
jackson-dataformat-csv - Uber-project for (some) standard Jackson textual format backends: csv, properties, yaml (xml to be added in future)
jpa-spec
Jackson JSON Processor - Main Portal page for the Jackson project
serde - Serialization framework for Rust