Exclude jackson-databind

Jackson databind has security issues, sometimes its easier to
just exclude it if possible.

This repo doesn't use it directly, the swagger dependency pulls
it in. It doesn't look like our usage of swagger dependency would
require the jackson-databind as we only use the annotation:
@ApiModelProperty

NOTE: Swagger also pulls in jackson-annotations, which seems to
be used by a few modules for JSON annotations. eg. those modules
are using jackson-annotations indirectly via the swagger
dependency pulling in that dependency. Not a big deal.

Compilation of policy/api repo works with this exclusion.

Issue-ID: POLICY-1507
Change-Id: Ic8501df5ad4f4fc8f6cd93e739d7ff2e52d98785
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>

diff --git a/models-tosca/pom.xml b/models-tosca/pom.xml
index 18b1e1e..ea12057 100644 (file)
--- a/models-tosca/pom.xml
+++ b/models-tosca/pom.xml
@@ -68,11 +68,15 @@
             <artifactId>h2</artifactId>
             <scope>test</scope>
         </dependency>
-
         <dependency>
             <groupId>io.swagger</groupId>
             <artifactId>swagger-jersey2-jaxrs</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
-
     </dependencies>
 </project>