
We have the ehcache-2.10.6.jar in our dependencies. It contains the com.jackson.databind package, which has been marked as vulnerable by Trivy. No ehcache version has a non-vulnerable com.jackson.databind.

How can we shade or repackage the jar so that it no longer contains the com.jackson.databind package?

Shading or exclusion doesn't help:

shadowJar {
    zip64 true
    dependencies {
        exclude(dependency("com.fasterxml.jackson.core:jackson-databind:2.9.6"))
    }

    relocate 'com.fasterxml.jackson', 'shadow.com.fasterxml.jackson'
}
Eljah
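The reason the shadowJar configuration above has no effect is that `exclude(dependency(...))` filters artifacts Gradle resolves as separate dependencies, while here the jackson-databind classes are packaged inside the ehcache jar itself (ehcache's own content), so there is no separate dependency to drop. The added example below is not code from the question, the answer, or the ehcache project: it builds a small constructed jar that mimics that layout (ehcache classes plus an embedded copy of jackson-databind under a `rest-management-private-classpath/` prefix, with the `2.9.6` version and the prefix assumed for the demo), shows how to list the artifacts a jar bundles by reading each embedded `META-INF/maven/.../pom.properties` (the metadata scanners such as Trivy key on), and repackages the jar without the package and its Maven metadata.

```python
"""Inspect a jar for bundled third-party artifacts and repackage it without one.

Added example, not code from the question or from ehcache. The jar layout,
the rest-management-private-classpath prefix and the versions are all
constructed for the demonstration.
"""
import tempfile
import zipfile
from pathlib import Path

# Constructed content mimicking a jar that carries its own copy of jackson-databind.
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/maven/net.sf.ehcache/ehcache/pom.properties":
        b"groupId=net.sf.ehcache\nartifactId=ehcache\nversion=2.10.6\n",
    "net/sf/ehcache/CacheManager.class": b"\xca\xfe\xba\xbe",
    "rest-management-private-classpath/META-INF/maven/"
    "com.fasterxml.jackson.core/jackson-databind/pom.properties":
        b"groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.9.6\n",
    "rest-management-private-classpath/com/fasterxml/jackson/databind/ObjectMapper.class":
        b"\xca\xfe\xba\xbe",
}

JACKSON_PKG = "com/fasterxml/jackson/databind/"
JACKSON_POM_DIR = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/"


def build_sample_jar(path: Path) -> Path:
    """Write the constructed sample jar to `path`."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in SAMPLE_ENTRIES.items():
            jar.writestr(name, data)
    return path


def bundled_artifacts(jar_path: Path) -> list:
    """Return sorted (groupId, artifactId, version) for every pom.properties in the
    jar at any nesting depth; this is the metadata jar scanners use to identify
    embedded artifacts, so an embedded copy is reported even if classes were renamed."""
    found = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if "META-INF/maven/" not in name or not name.endswith("/pom.properties"):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            found.append((props.get("groupId", ""), props.get("artifactId", ""),
                          props.get("version", "")))
    return sorted(found)


def is_jackson_databind_entry(name: str) -> bool:
    """Match the package's classes and its Maven metadata wherever they are nested."""
    return JACKSON_PKG in name or JACKSON_POM_DIR in name


def strip_entries(src: Path, dst: Path, predicate) -> int:
    """Copy `src` to `dst` without the entries `predicate` selects; return the count dropped."""
    dropped = 0
    with zipfile.ZipFile(src) as src_jar, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as dst_jar:
        for info in src_jar.infolist():
            if predicate(info.filename):
                dropped += 1
                continue
            dst_jar.writestr(info, src_jar.read(info.filename))
    return dropped


def demo() -> dict:
    """Build the sample jar, list what it bundles, strip jackson-databind, list again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_jar(Path(tmp) / "ehcache-2.10.6.jar")
        dst = Path(tmp) / "ehcache-2.10.6-nojackson.jar"
        before = bundled_artifacts(src)
        dropped = strip_entries(src, dst, is_jackson_databind_entry)
        after = bundled_artifacts(dst)
        with zipfile.ZipFile(dst) as jar:
            remaining = jar.namelist()
    return {"before": before, "dropped": dropped, "after": after, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Run `bundled_artifacts` against the real ehcache jar first to confirm where the embedded copy sits before stripping anything, and rescan the repackaged jar to confirm the finding is gone. Removing classes a jar ships with disables whatever feature used them, so the repackaged jar needs the application's own tests run against it; where a variant of the artifact without the embedded copy exists, depending on that is the less invasive fix.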

1 Answer


Instead of excluding that package, use the line below to resolve the vulnerability:

group: 'net.sf.ehcache.internal', name: 'ehcache-core', version: '2.10.6'

Repository URL: https://repo.terracotta.org/maven2/

flyingfishcattle
  • I am using the hibernate-ehcache 5.6.9.Final jar. ehcache-2.10.6 is its dependency. How can I remove this jackson-databind vulnerability from it? – Dipak Jadhav Jul 01 '23 at 10:47