0

I have written a SpringBoot application using IntellIJ as IDE.

My Security team flagged com.fasterxml.jackson.core as a vulnerability since some of its classes (BeanDeserializerFactory.class,SubTypeValidator.class) are vulnerable to attacks.

I have to check whether my code uses these classes.

I was asked to grep my code and see if this class was used anywhere? Can any of you tell me how to do this? Or is there any other way to check if these classes are used?

Thanks in advance.

Deepboy
  • 523
  • 3
  • 16
  • 28
  • Grep is an Unix tool. Plenty of docs out there. Than you can analyze hierarchy in intellij or eclipse to find transitive usages. Third option is to start jvm with custom agent, which prints all loaded classes. And there also must be a jvm switch to achieve the same. Next, you can remove the class from the jar. Or use proguard. – ygor Feb 06 '19 at 17:54
  • Thanks ygor. I know its a Unix tool, which is why I am confused about why I was asked to use grep. Is there any plugin in IntellIJ that allows me to use Unix commands and how do I use it to search for a Class? – Deepboy Feb 06 '19 at 17:55
  • I think, that for starters you should delete those classes from the fat jar and test, whether your app works – ygor Feb 06 '19 at 18:08
  • (Honestly I'd push back on the team that's flagged this. Would upgrading to a newer version help? What "attacks" is it vulnerable to, and has the app actually proven vulnerable to them? Jackson is used in a *lot* of places in Spring, and just saying "It's bad, rip it out" without much in the way of remedy is asking for more work than it's worth.) – Makoto Feb 06 '19 at 21:23
  • @user1478392 did you try https://www.jetbrains.com/help/idea/dependency-viewer.html ? – CrazyCoder Feb 06 '19 at 22:52

0 Answers0