[FOLIO-3638] spring-module-core EntityJsonSchemaGenerator mbknor Created: 09/Nov/22  Updated: 15/Oct/23

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: Jeremy Huff
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Other dev
RCA Group: Related dependency upgrade

Description

https://github.com/folio-org/spring-module-core/blob/v1.1.1/domain/src/main/java/org/folio/spring/domain/generator/EntityJsonSchemaGenerator.java

is not a runtime dependency but is used at build time only:
https://github.com/search?q=EntityJsonSchemaGenerator&type=code

Therefore it should be in a separate artifact and not included in the spring-domain runtime artifact.

EntityJsonSchemaGenerator uses com.kjetland:mbknor-jackson-jsonschema_2.12 that bloats the runtime:

[INFO] +- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.39:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.12.10:compile
[INFO] |  +- org.jetbrains.kotlin:kotlin-scripting-compiler-embeddable:jar:1.3.50:compile
[INFO] |  |  +- org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:jar:1.3.50:runtime
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-scripting-common:jar:1.6.21:runtime
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-scripting-jvm:jar:1.6.21:runtime
[INFO] |  |  |  |  \- org.jetbrains.kotlin:kotlin-script-runtime:jar:1.6.21:runtime
[INFO] |  |  |  \- org.jetbrains.kotlinx:kotlinx-coroutines-core:jar:1.6.4:runtime
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:runtime
[INFO] |  |     +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:runtime
[INFO] |  |     \- org.jetbrains:annotations:jar:13.0:runtime
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |  \- io.github.classgraph:classgraph:jar:4.8.21:compile

com.kjetland:mbknor-jackson-jsonschema_2.12 is no longer maintained and out of support:
https://github.com/mbknor/mbknor-jackson-jsonSchema/graphs/contributors

kotlin-stdlib:1.6.21 has an Improper Locking and an Information Exposure vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
https://nvd.nist.gov/vuln/detail/CVE-2020-29582
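
An added check for the problem the description reports (example code written for this page, not code from the issue or from spring-module-core): it parses the text printed by `mvn dependency:tree`, keeps only what Maven ships with the artifact (scope compile or runtime), and flags entries whose groupId is on a deny-list of build-tooling groups. The sample input is the subtree quoted above; the deny-list, the script name and all function names are assumptions for illustration.

```python
"""Gate for build-time-only libraries that leak onto a Maven runtime classpath.

Added example, not code from the FOLIO issue or from spring-module-core.
Parses `mvn dependency:tree` text, keeps what Maven ships with the artifact
(scope compile or runtime) and flags entries from denied build-tooling groups.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample input: the subtree quoted in the issue description.
SAMPLE_TREE = r"""[INFO] +- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.39:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.12.10:compile
[INFO] |  +- org.jetbrains.kotlin:kotlin-scripting-compiler-embeddable:jar:1.3.50:compile
[INFO] |  |  +- org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:jar:1.3.50:runtime
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-scripting-common:jar:1.6.21:runtime
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-scripting-jvm:jar:1.6.21:runtime
[INFO] |  |  |  |  \- org.jetbrains.kotlin:kotlin-script-runtime:jar:1.6.21:runtime
[INFO] |  |  |  \- org.jetbrains.kotlinx:kotlinx-coroutines-core:jar:1.6.4:runtime
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:runtime
[INFO] |  |     +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:runtime
[INFO] |  |     \- org.jetbrains:annotations:jar:13.0:runtime
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |  \- io.github.classgraph:classgraph:jar:4.8.21:compile
"""

# Assumed deny-list: groups a Spring runtime jar has no reason to ship.
BUILD_ONLY_GROUPS = ("org.scala-lang", "org.jetbrains.kotlin", "org.jetbrains.kotlinx")
SHIPPED_SCOPES = {"compile", "runtime"}

# One tree line: optional "[INFO] ", 3-char indent units, "+- " or "\- ",
# then group:artifact:type[:classifier]:version:scope and an optional "(note)".
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:\|  |   )*)[+\\]- (\S+)(?: \(.*\))?\s*$")


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int
    path: Tuple[str, ...]  # group:artifact of each ancestor, root first

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def via(self) -> str:
        """The project's direct dependency that pulled this one in."""
        return self.path[0] if self.path else self.ga


def parse_tree(text: str) -> List[Dep]:
    deps: List[Dep] = []
    ancestors: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # project header, download chatter, blank lines
        depth = len(m.group(1)) // 3
        fields = m.group(2).split(":")
        if len(fields) < 5:
            continue
        del ancestors[depth:]  # back out to this node's parent
        dep = Dep(fields[0], fields[1], fields[-2], fields[-1], depth, tuple(ancestors))
        ancestors.append(dep.ga)
        deps.append(dep)
    return deps


def find_leaks(deps: Iterable[Dep], denied: Iterable[str]) -> List[Dep]:
    """Dependencies that ship with the artifact although their group is denied."""
    denied = tuple(denied)
    return [d for d in deps if d.scope in SHIPPED_SCOPES
            and any(d.group == g or d.group.startswith(g + ".") for g in denied)]


def subtree(deps: Iterable[Dep], root_ga: str) -> List[Dep]:
    """Everything one direct dependency drags in, itself included."""
    return [d for d in deps if d.ga == root_ga or root_ga in d.path]


def report(tree_text: str, denied: Iterable[str]) -> List[str]:
    leaks = find_leaks(parse_tree(tree_text), denied)
    return [f"{d.ga}:{d.version} [{d.scope}] via {d.via}" for d in leaks]


if __name__ == "__main__":
    import sys
    # Usage (assumed script name): mvn -pl domain dependency:tree | python leak_check.py
    source = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    findings = report(source, BUILD_ONLY_GROUPS)
    print("\n".join(findings) or "runtime classpath is clean")
    sys.exit(1 if findings else 0)
```

On the sample tree the script lists nine Scala/Kotlin artifacts, every one of them reached via com.kjetland:mbknor-jackson-jsonschema_2.12, and exits non-zero; the same run against a tree in which that dependency is no longer compile or runtime scoped (for example after moving the generator into its own artifact as the description proposes, or giving it Maven's non-transitive `provided` scope) exits zero. The `subtree` helper answers the bloat question directly: all seventeen entries in the quoted tree hang off that single dependency.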

Comments
Comment by William Welling [ 09/Nov/22 ]

Thanks for the issue reporting.

Comment by Ann-Marie Breaux (Inactive) [ 10/Nov/22 ]

Hi Julian Ladisch and William Welling Which dev team should this bug belong to?

Comment by William Welling [ 21/Nov/22 ]

Hi Ann-Marie Breaux, developers at A&M can handle this issue. Likely able to use Maven profiles to accomplish this, or possibly the scope of the dependency.

Comment by Ann-Marie Breaux (Inactive) [ 21/Nov/22 ]

Yay! I made it "other dev" and it drops out of my filter!

Comment by Julian Ladisch [ 06/Apr/23 ]

William Welling, Jeremy Huff: When will this issue be addressed?

Generated at Thu Feb 08 23:29:35 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.