Update Jettison, adjust scope, and fix test configuration - Jersey 2.x #6035
Conversation
This avoids bundling Jettison in the artifact, eliminating direct dependency and preventing known CVEs from being included in the package
- Add Jettison with <scope>test</scope> in e2e-entity to restore test compilation - Fix typo in root Surefire config: <classpathDependencyExcludes> → <classpathDependencyExclude> This will ensure all Jettison-specific tests continue to run and validate behavior Signed-off-by: stecurran-est-tech <[email protected]>
|
this breaks test for all JDKs that are used for the Jersey CI validation. |
Those are Jettison e2e-entity tests. They say for instance:
|
|
JSON test data has been updated for e2e-entity tests to reflect change in serialisation behaviour when using Jettison 1.5.2. Failure on JaxbTest.generateTests()[96][1] » InvocationTarget has not been resolved. Refer to discussion: #6005 |
Jettison upgrade 1.3.7 to 1.5.2 alters JSON serialisation - integers are no longer output as Strings. Updates to test data correspond to change in behaviour. Signed-off-by: stecurran-est-tech <[email protected]>
stecurran-est-tech
force-pushed
the
fix/jettison_2x
branch
from
0ce5230 to
7cff542
Compare
3 participants
This PR updates Jettison usage and related build configuration to address security issues. Includes fix to resolve Jettison import issue after change of scope. Jersey 2.x branch.
Changes
uplift org.codehaus.jettison:jettison from 1.3.7 → 1.5.2 to resolve the following CVEs:
CVE-2022-40149
CVE-2022-40150
CVE-2022-45685
CVE-2022-45693
CVE-2023-1436
Set Jettison to provided scope to avoid bundling it into artifacts and prevent inclusion of vulnerable versions.
Add Jettison with test scope in e2e-entity to fix test compilation.
Correct pre-existing Surefire config typo:
<classpathDependencyExcludes> → <classpathDependencyExclude>.