Checkmarx OSA found: com.fasterxml.jackson.core:jackson-databind "Your version is outdated". However, when I scan the dependencies, I can't find that we have any Jackson libraries in the project. Do you know what the problem could be?
- Did you check if the file exists in the file system? It may not be part of the project, but it may be in the same folder as the project – securecodeninja May 05 '21 at 00:03
- Yes, checked. For example, it found com.speedment.common:collection, which we 100% don't have in our project – Sergey Buzin May 06 '21 at 01:48
1 Answer
This is likely due to a library including this outdated version. To see a full list of dependencies, run ./gradlew app:dependencies, which will return something similar to:
| +--- androidx.preference:preference:1.1.0
| | +--- androidx.appcompat:appcompat:1.1.0 (*)
| | +--- androidx.core:core:1.1.0 (*)
| | +--- androidx.fragment:fragment:1.1.0 (*)
| | +--- androidx.recyclerview:recyclerview:1.0.0 (*)
| | +--- androidx.annotation:annotation:1.1.0
| | \--- androidx.collection:collection:1.0.0 -> 1.1.0 (*)
| +--- androidx.lifecycle:lifecycle-extensions:2.1.0
| | +--- androidx.lifecycle:lifecycle-runtime:2.1.0 (*)
| | +--- androidx.arch.core:core-common:2.1.0 (*)
| | +--- androidx.arch.core:core-runtime:2.1.0 (*)
| | +--- androidx.fragment:fragment:1.0.0 -> 1.1.0 (*)
You can then see which library is using an outdated version of jackson-databind.

Jake Lee
- I scanned the dependencies and I can't find that we have any Jackson libraries in the project – Sergey Buzin May 12 '21 at 04:33
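An added example, not part of the original answer or comments: a small Python parser that walks the tree printed by ./gradlew app:dependencies and returns every chain of libraries leading to a matching artifact, so the library that pulls in jackson-databind can be named without reading the tree by hand. The sample tree, its com.example coordinates and all versions are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `./gradlew app:dependencies`
# (illustrative coordinates and versions, not output from the asker's project).
SAMPLE = r"""
releaseRuntimeClasspath
+--- androidx.preference:preference:1.1.0
|    \--- androidx.collection:collection:1.0.0 -> 1.1.0 (*)
+--- com.example.sdk:reporting:3.2.0
|    +--- com.example.sdk:transport:3.2.0
|    |    \--- com.fasterxml.jackson.core:jackson-databind:2.9.8
|    \--- org.slf4j:slf4j-api:1.7.30
\--- com.example:analytics:1.4.0
     \--- com.fasterxml.jackson.core:jackson-databind:2.9.0 -> 2.9.8 (*)
"""

# Each nesting level is a 5-character unit ("|    " or "     "),
# followed by the branch marker "+--- " or "\--- ".
NODE = re.compile(r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<coord>.+)$")

def paths_to(tree_text, needle):
    """Return every dependency chain that ends at a node containing `needle`."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration names, blank lines, legend text
        depth = len(m.group("indent")) // 5
        # Drop Gradle's trailing markers such as (*), (c), (n).
        coord = re.sub(r"\s+\([*cn]\)$", "", m.group("coord"))
        del stack[depth:]  # back up to this node's parent
        stack.append(coord)
        if needle in coord:
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    for chain in paths_to(SAMPLE, "jackson-databind"):
        # The first element is the directly declared dependency to upgrade or exclude.
        print("  requires  ".join(chain))
```

Gradle's built-in dependencyInsight task (./gradlew app:dependencyInsight --dependency jackson-databind --configuration <name>) answers the same question for one configuration at a time.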