We ran a vulnerability check on our sbt project with Anchore Engine.
Most of the findings relate to Jackson databind. We don't even use it, since we use spray for serialization. After searching, I found it is used internally by sbt, so I can't upgrade its version. I therefore tried upgrading sbt from 1.2.6 to 1.4.0 to get rid of the problem, but it didn't work.
// Library versions used across the build
object Versions {
  val guice = "4.2.1"
  val slick = "3.3.2"
  val hikariCP = "3.3.0"
  val postgres = "42.2.5"
  val rabbitMQClient = "5.5.1"
  val logbackClassic = "1.2.3"
  val sprayJson = "1.3.5"
  val akkaHttp = "10.1.5"
  val akkaActor = "2.5.19"
  val akkaStream = "2.5.19"
  val scalaTest = "3.0.1"
  val h2 = "1.4.197"
  val rabbitmqMock = "1.0.8"
  val mockito = "1.9.5"
}

// Compile-scope dependencies
object CompileDeps {
  val guice = "com.google.inject" % "guice" % Versions.guice
  val scalaGuice = "net.codingwell" %% "scala-guice" % Versions.guice
  val postgresql = "org.postgresql" % "postgresql" % Versions.postgres
  val slick = "com.typesafe.slick" %% "slick" % Versions.slick
  val hikariCP = "com.typesafe.slick" %% "slick-hikaricp" % Versions.hikariCP
  // amqp-client pulls in jackson-databind transitively; it is excluded here
  val rabbitMQClient = "com.rabbitmq" % "amqp-client" % Versions.rabbitMQClient exclude("com.fasterxml.jackson.core", "jackson-databind")
  val logbackClassic = "ch.qos.logback" % "logback-classic" % Versions.logbackClassic
  val sprayJson = "io.spray" %% "spray-json" % Versions.sprayJson
  val akkaHttp = "com.typesafe.akka" %% "akka-http" % Versions.akkaHttp
  val akkaActor = "com.typesafe.akka" %% "akka-actor" % Versions.akkaActor
  val akkaStream = "com.typesafe.akka" %% "akka-stream" % Versions.akkaStream
  val akkaHttpSprayJson = "com.typesafe.akka" %% "akka-http-spray-json" % Versions.akkaHttp
}
[screenshot: DependencyBrowseGraph output]
So, can someone guide me on how to resolve these security findings?
Thanks
Posted on 2020-10-22 12:27:37
You are pulling Jackson in through the RabbitMQ dependency. See the compile dependencies of your RabbitMQ version on the Maven repository.
That dependency is marked optional, so you can probably remove it safely with exclude("com.fasterxml.jackson.core", "jackson-databind").
Test it! If that doesn't work, add the dependency explicitly to jump to a newer, more secure version, or find a way to suppress the warning.
For the future: use sbt-dependency-graph to generate a visual dependency graph (dependencyBrowseGraph); then you will be able to see which libraries pull in and evict your dependencies.
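The three remedies the answer lists (an exclude on the one dependency, a build-wide exclusion, and an explicit override to a patched version), plus the sbt-dependency-graph tasks used to verify the result, as an added build.sbt fragment. This is example code written for this page, not the asker's build or the answerer's; it assumes sbt 1.x, the plugin coordinate net.virtual-void % sbt-dependency-graph % 0.10.0-RC1 in project/plugins.sbt, and the value jacksonDatabindPatched is a placeholder because the page names no specific Jackson version.

```scala
// project/plugins.sbt (added example):
//   addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")
// From sbt 1.4 the same tasks ship with sbt itself; there use
//   addDependencyTreePlugin
// in project/plugins.sbt instead.

// build.sbt (added example)

lazy val rabbitMQClientVersion = "5.5.1"

// Placeholder: replace with the patched jackson-databind release named in the
// advisory your scanner reports. The page itself gives no version.
lazy val jacksonDatabindPatched = "0.0.0-REPLACE-WITH-PATCHED-VERSION"

// Remedy 1: cut the optional transitive dependency at its source.
// amqp-client only needs jackson-databind for its JSON-RPC helpers; a project
// that serializes with spray-json never loads them, so nothing is lost.
lazy val rabbitMQClient =
  "com.rabbitmq" % "amqp-client" % rabbitMQClientVersion exclude("com.fasterxml.jackson.core", "jackson-databind")

// Remedy 2: a build-wide exclusion rule, so the same module is dropped even if
// some other library later starts pulling it in transitively.
excludeDependencies += "com.fasterxml.jackson.core" % "jackson-databind"

// Remedy 3: only for a project that really needs Jackson at runtime. The override
// pins the version sbt resolves, so every transitive path is evicted in favour of
// the patched release. With the exclusions above in place it has no effect.
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-databind" % jacksonDatabindPatched

libraryDependencies ++= Seq(
  rabbitMQClient
)

// Verification from the sbt shell:
//   whatDependsOn com.fasterxml.jackson.core jackson-databind
//     -> sbt-dependency-graph task; after the exclusion it should list no path
//   evicted
//     -> built-in sbt task; shows which versions were replaced by an override
//   dependencyBrowseGraph
//     -> opens the interactive graph the answer recommends in a browser
```

Whichever remedy you pick, rebuild the artifact and rerun the scanner on it: the findings come from the project's resolved classpath, which is what these settings change, and not from sbt's own internal classpath.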
https://stackoverflow.com/questions/64461807