mercateo / jsonhoist Goto Github PK

The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

It should be possible to handle minor versions without breaking existing code.
The contract for minor versions is, that changes are guaranteed to be downward-compatible.

Facilitating this knowledge, a conversion like this should be possible:

Prereq:

• There is a Transformation registered from 3.1 to 4.0

Scenario a)

Input: message in version 3.2
Requested version: 4.0

• As there is a 3.1->4.0 and a 3.2 can be treated as a 3.1, the transformation should be used.
  The downcast from existing 3.2 to 3.1 will be implicit (without any actual transformation)

Scenario b)

Input: message in version 3.0
Requested version: 4.0

• The upcast from 3.0 to 3.1 will be implicit (without any actual transformation)

Scenario c)

Input: message in version 3.0
Requested version: 5.0

• Transformation needs to fail, as there is no way to get from 4.0 to 5.0, and as it is a major update, it is not guaranteed to be a compatible one.

In General

• If there are more than one possible path through the transformers, the shortest path wins.
• If there are still more than one of equal length, the one that transforms a larger distance earlier, wins - where distance is Decimal of VersionTo - Decimal of VersionFrom (for example 3.2 -> 4.0 = 0.8 distance)

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.9 results in the following vulnerability(s):

• (CVSS 5.9) [CVE-2019-12814] Information Exposure

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.9 is a transitive dependency introduced by the following direct dependency(s):

• com.fasterxml.jackson.core:jackson-databind:2.9.9

• com.fasterxml.jackson.core:jackson-databind:2.9.9

• com.fasterxml.jackson.core:jackson-databind:2.9.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file^* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

_{* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum}

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.10.0 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2020-25649] A flaw was found in FasterXML Jackson Databind, where it did not have entity exp...

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.10.0 is a transitive dependency introduced by the following direct dependency(s):

• com.fasterxml.jackson.core:jackson-databind:2.10.0

• com.fasterxml.jackson.core:jackson-databind:2.10.0

• com.fasterxml.jackson.core:jackson-databind:2.10.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Depshield will be deprecated on Monday December 12th

Please install our new product, Sonatype Lift with advanced features

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.8 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2019-12086] Information Exposure

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.8 is a transitive dependency introduced by the following direct dependency(s):

• com.fasterxml.jackson.core:jackson-databind:2.9.8

• com.fasterxml.jackson.core:jackson-databind:2.9.8

• com.fasterxml.jackson.core:jackson-databind:2.9.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}