Upgrade json-smart version to 2.5.2 in response to CVE-2024-57699 #24631

Open
wants to merge 1 commit into base: master

Conversation

Contributor

@ShahimSharafudeen ShahimSharafudeen commented Feb 26, 2025

Description

Upgrade the json-smart dependency to version 2.5.2 to address CVE-2024-57699. The json-smart dependency is a transitive dependency of com.jayway.jsonpath:json-path:2.9.0, which uses an older version that contains this vulnerability. Therefore, upgrading the json-smart dependency to 2.5.2 resolves the issue.

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with their default values), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade json-smart version to 2.5.2 in response to `CVE-2024-57699 <https://nvd.nist.gov/vuln/detail/CVE-2024-57699>`_. 

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Feb 26, 2025
@ShahimSharafudeen ShahimSharafudeen force-pushed the CVE-2024-57699_json-smart_fix branch from efd971d to 815a53e Compare February 26, 2025 11:06
@ShahimSharafudeen ShahimSharafudeen force-pushed the CVE-2024-57699_json-smart_fix branch from 815a53e to 4c63e80 Compare February 26, 2025 18:11
@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review February 27, 2025 04:12
@ShahimSharafudeen ShahimSharafudeen requested a review from a team as a code owner February 27, 2025 04:12
@prestodb-ci prestodb-ci requested review from a team, nishithakbhaskaran and jp-sivaprasad and removed request for a team February 27, 2025 04:12
Contributor

@nishithakbhaskaran nishithakbhaskaran left a comment

Thanks for the fix!

Contributor

@ZacBlanco ZacBlanco left a comment

I don't think that this PR is necessary. I could not find a usage of json-smart with a version other than 2.5.0 in the dependency tree when running ./mvnw dependency:tree. This PR doesn't effectively do anything other than pinning the version to 2.5.0 - which all of our modules already use. We should avoid pinning a transitive dependency unless it is pulling up a version for a specific module.

@ShahimSharafudeen
Contributor Author

> I don't think that this PR is necessary. I could not find a usage of json-smart with a version other than 2.5.0 in the dependency tree when running ./mvnw dependency:tree. This PR doesn't effectively do anything other than pinning the version to 2.5.0 - which all of our modules already use. We should avoid pinning a transitive dependency unless it is pulling up a version for a specific module.

@ZacBlanco – The json-smart:2.5.0 is a transitive dependency of com.jayway.jsonpath:json-path:2.9.0, and json-path:2.9.0 is the latest release version in the Maven repository, which contains this (CVE-2024-57699) vulnerability. json-smart:2.5.2 addresses this high-severity vulnerability.

Contributor

@ZacBlanco ZacBlanco left a comment

Sorry, when I was reviewing earlier I must have had the wrong branch checked out. I looked again and see that 2.5.2 replaces 2.5.0 everywhere. This should be good.
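The check the reviewer describes, inspecting `./mvnw dependency:tree` for json-smart versions, written out as an added example (not code from this PR or from the Presto build): it parses the tree output, reports every `net.minidev:json-smart` occurrence together with the dependency that pulls it in, and flags versions below 2.5.2. The tree output is a constructed sample in which json-path 2.9.0 drags in json-smart 2.5.0.

```python
"""Scan `mvn dependency:tree` output for net.minidev:json-smart below the fixed version."""
import re

# Constructed sample of `./mvnw dependency:tree` output (not from the Presto build):
# json-path 2.9.0 pulls in json-smart 2.5.0; a direct 2.5.2 entry sits alongside it.
SAMPLE_TREE = """\
[INFO] com.example:demo-module:jar:0.1.0-SNAPSHOT
[INFO] +- com.jayway.jsonpath:json-path:jar:2.9.0:compile
[INFO] |  +- net.minidev:json-smart:jar:2.5.0:compile
[INFO] |  |  \\- net.minidev:accessors-smart:jar:2.5.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:2.0.11:compile
[INFO] \\- net.minidev:json-smart:jar:2.5.2:compile
"""

# Coordinates as dependency:tree prints them: group:artifact:type[:classifier]:version[:scope].
# The version must start with a digit so a classifier is never confused with a version.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w\-]+))?:(?P<version>\d[\w.\-]*)(?::(?P<scope>\w+))?"
)

def parse_version(version):
    """'2.5.2' -> (2, 5, 2); a qualifier such as '-SNAPSHOT' is dropped before comparing."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def scan_tree(tree_output, artifact="net.minidev:json-smart", fixed="2.5.2"):
    """Report each occurrence of `artifact`: version, the parent that pulls it in,
    and whether it is older than `fixed` (2.5.2 is the version this PR moves to)."""
    fixed_v = parse_version(fixed)
    stack, findings = [], []   # stack[depth] = most recent coordinate seen at that depth
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        depth = (m.start() - len("[INFO] ")) // 3   # each tree level is 3 columns wide
        del stack[depth:]
        stack.append(f"{m['group']}:{m['artifact']}:{m['version']}")
        if f"{m['group']}:{m['artifact']}" == artifact:
            findings.append({
                "version": m["version"],
                "via": stack[depth - 1] if depth > 0 else None,  # None for the root module
                "vulnerable": parse_version(m["version"]) < fixed_v,
            })
    return findings

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        state = "VULNERABLE (CVE-2024-57699)" if f["vulnerable"] else "ok"
        print(f"json-smart {f['version']} via {f['via']}: {state}")
```

Pipe real output in with `./mvnw dependency:tree | python3 scan.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; a finding whose `via` is `json-path:2.9.0` is exactly the transitive case the PR description refers to.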

Labels
from:IBM PR from IBM
5 participants