From 98794615f346c753a94fa5f63f7cbc67792af4c1 Mon Sep 17 00:00:00 2001
From: Amichai Hemli <amichai.hemli@intl.att.com>
Date: Mon, 16 Sep 2019 10:53:47 +0300
Subject: [PATCH] Upgrade FasterXML/Jackson to version 2.9.9.3

FasterXML jackson-databind versions 2.x through 2.9.9.1 are vulnerable.
we will use 2.9.9.3 for jackson-databind only
Issue-ID: VID-640

Signed-off-by: Amichai Hemli <amichai.hemli@intl.att.com>
Change-Id: I537cb83ad787522b75fdee59ffabb51def747096
---
 epsdk-app-onap/pom.xml             | 3 ++-
 vid-app-common/pom.xml             | 3 ++-
 vid-automation/pom.xml             | 3 ++-
 vid-ext-services-simulator/pom.xml | 5 +++--
 vid-webpack-master/pom.xml         | 1 -
 5 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/epsdk-app-onap/pom.xml b/epsdk-app-onap/pom.xml
index 5cab377c8..f9b55f0e6 100755
--- a/epsdk-app-onap/pom.xml
+++ b/epsdk-app-onap/pom.xml
@@ -26,6 +26,7 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <epsdk.version>2.5.0</epsdk.version>
         <jackson.version>2.9.9</jackson.version>
+        <jackson.databind.version>2.9.9.3</jackson.databind.version>
         <springframework.version>5.1.9.RELEASE</springframework.version>
         <!-- epsdk-core is importing this class, which is only on spring-orm 4 but not in orm 5:
          org.springframework.orm.hibernate4.HibernateTransactionManager
@@ -337,7 +338,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
+            <version>${jackson.databind.version}</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.module</groupId>
diff --git a/vid-app-common/pom.xml b/vid-app-common/pom.xml
index d78bb2e33..6dbaa98b4 100755
--- a/vid-app-common/pom.xml
+++ b/vid-app-common/pom.xml
@@ -33,6 +33,7 @@
          so following orm.version lets epsdk-core find it -->
         <hibernate.version>4.3.11.Final</hibernate.version>
         <jackson.version>2.9.9</jackson.version>
+        <jackson.databind.version>2.9.9.3</jackson.databind.version>
         <jersey.version>2.29</jersey.version>
         <surefire.version>2.22.1</surefire.version>
         <selenium.version>3.141.59</selenium.version>
@@ -617,7 +618,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
+            <version>${jackson.databind.version}</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.module</groupId>
diff --git a/vid-automation/pom.xml b/vid-automation/pom.xml
index 81ec4a6d8..6f2ae22c2 100644
--- a/vid-automation/pom.xml
+++ b/vid-automation/pom.xml
@@ -9,6 +9,7 @@
         <springframework.version>5.1.9.RELEASE</springframework.version>
         <jersey.version>2.29</jersey.version>
         <jackson.version>2.9.9</jackson.version>
+        <jackson.databind.version>2.9.9.3</jackson.databind.version>
         <aspectj.version>1.8.10</aspectj.version>
         <selenium.version>3.6.0</selenium.version>
         <log4j.version>2.12.0</log4j.version>
@@ -161,7 +162,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
+            <version>${jackson.databind.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-beanutils</groupId>
diff --git a/vid-ext-services-simulator/pom.xml b/vid-ext-services-simulator/pom.xml
index 8cb3c37b8..b3179cf5e 100644
--- a/vid-ext-services-simulator/pom.xml
+++ b/vid-ext-services-simulator/pom.xml
@@ -14,7 +14,8 @@
         <encoding>UTF-8</encoding>
         <springframework.version>5.1.9.RELEASE</springframework.version>
         <hibernate.version>5.3.4.Final</hibernate.version>
-        <jackson.version>2.9.8</jackson.version>
+        <jackson.version>2.9.9</jackson.version>
+        <jackson.databind.version>2.9.9.3</jackson.databind.version>
         <!-- Skip assembling the zip by default -->
         <skipassembly>true</skipassembly>
         <!-- Tests usually require some setup that maven cannot do, so skip. -->
@@ -142,7 +143,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
+            <version>${jackson.databind.version}</version>
         </dependency>
         <dependency>
             <groupId>javax.xml.bind</groupId>
diff --git a/vid-webpack-master/pom.xml b/vid-webpack-master/pom.xml
index f54142854..9e7dd0da6 100644
--- a/vid-webpack-master/pom.xml
+++ b/vid-webpack-master/pom.xml
@@ -18,7 +18,6 @@
     <encoding>UTF-8</encoding>
     <!--<springframework.version>5.1.6.RELEASE</springframework.version>-->
     <!--<hibernate.version>4.3.11.Final</hibernate.version>-->
-    <!--<jackson.version>2.6.3</jackson.version>-->
     <!-- Skip assembling the zip by default -->
     <skipassembly>true</skipassembly>
     <!-- Tests usually require some setup that maven cannot do, so skip. -->
-- 
2.16.6