As of 2.7, Jackson requires Java 7. We also have a report that it breaks with embedded Elasticsearch (see #6508).
Comment From: wilkinsona
I think 2.6.x would be a step too far. There's a security vulnerability in the XML mapper that is only fixed in 2.7.4 and later. While we don't use the XML mapper, I think it's preferable to not provide a vulnerable version by default rather than working with Java 6 by default. We already have some other dependencies that require Java 7 by default: Hikari, Jetty, and the Postgres JDBC driver, IIRC.
I could be persuaded that using 2.7.x in 1.4 and moving to 2.8 (or later) in 1.5 is a reasonable compromise. However, there's no guarantee that we won't face the same problem again. Elasticsearch has an upgrade to 2.8 planned but only for 3.0 (https://github.com/elastic/elasticsearch/pull/18939) and we're using 2.3.x at the moment.
Comment From: snicoll
I agree this isn't ideal, but what annoys me a lot is that start.spring.io can generate broken projects because of this. We would need for sure to update the documentation and maybe reference it when Java 6 is selected?
Comment From: rajadileepkolli
Totally out of context, but the next Elasticsearch version will be 5.0.0, not 3.
Comment From: agebhar1
I extended the test case for #6508 at /agebhar1/spring-boot-6508-jackson-elasticsearch with a profile using Jackson version 2.7.6; all tests passed.
A short check with japicmp, only on Jackson's core library (where the critical change for #6508 occurred), gave:
java -jar japicmp-0.8.1-jar-with-dependencies.jar -o ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar -n ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.6/jackson-core-2.7.6.jar --only-modified --only-incompatible:
Comparing /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar with /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.6/jackson-core-2.7.6.jar:
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.base.GeneratorBase (not serializable)
***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_NULL
***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_BOOLEAN
***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_RAW
***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_BINARY
***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_NUMBER
***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_STRING
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.Base64Variant (compatible)
***! MODIFIED FIELD: PACKAGE_PROTECTED (<- PROTECTED) FINAL java.lang.String _name
***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL char _paddingChar
***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL boolean _usesPadding
***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL int _maxLineLength
=== UNCHANGED CLASS: PUBLIC com.fasterxml.jackson.core.io.SerializedString (serialVersionUID removed but not matches new default serialVersionUID)
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.json.JsonReadContext (not serializable)
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext(int, int)
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext()
***! MODIFIED ENUM: PUBLIC FINAL com.fasterxml.jackson.core.JsonEncoding (compatible)
***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL boolean _bigEndian
***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL java.lang.String _javaName
***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL int _bits
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonFactory (field removed)
---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _rootByteSymbols
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.JsonGenerator createJsonGenerator(java.io.File, com.fasterxml.jackson.core.JsonEncoding)
--- REMOVED EXCEPTION: java.io.IOException
*** MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonParseException (serialVersionUID modified)
---! REMOVED CLASS: PUBLIC(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer (not serializable)
--- REMOVED SUPERCLASS: java.lang.Object
---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.Name[] _mainNames
---! REMOVED FIELD: PROTECTED(-) int[] _hash
---! REMOVED FIELD: PROTECTED(-) int _hashMask
---! REMOVED FIELD: PROTECTED(-) boolean _intern
---! REMOVED FIELD: PROTECTED(-) FINAL(-) boolean _failOnDoS
---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _parent
---! REMOVED FIELD: PROTECTED(-) int _count
---! REMOVED FIELD: PROTECTED(-) java.util.BitSet _overflows
---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer$Bucket[] _collList
---! REMOVED FIELD: PROTECTED(-) FINAL(-) java.util.concurrent.atomic.AtomicReference _tableInfo
---! REMOVED FIELD: PROTECTED(-) int _collCount
---! REMOVED FIELD: PROTECTED(-) int _collEnd
---! REMOVED FIELD: PROTECTED(-) int _longestCollisionList
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int, int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int[], int)
---! REMOVED METHOD: PUBLIC(-) int bucketCount()
---! REMOVED METHOD: PUBLIC(-) int calcHash(int)
---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int)
---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int, int)
---! REMOVED METHOD: PUBLIC(-) int calcHash(int[], int)
---! REMOVED METHOD: PROTECTED(-) STATIC(-) int[] calcQuads(byte[])
---! REMOVED METHOD: PUBLIC(-) int collisionCount()
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot()
---! REMOVED METHOD: PROTECTED(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot(int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int, int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int[], int)
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.Name getEmptyName()
---! REMOVED METHOD: PUBLIC(-) int hashSeed()
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(boolean, boolean)
---! REMOVED METHOD: PUBLIC(-) int maxCollisionLength()
---! REMOVED METHOD: PUBLIC(-) boolean maybeDirty()
---! REMOVED METHOD: PUBLIC(-) void release()
---! REMOVED METHOD: PROTECTED(-) void reportTooManyCollisions(int)
---! REMOVED METHOD: PUBLIC(-) int size()
---! REMOVED CLASS: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter (class removed)
--- REMOVED SUPERCLASS: com.fasterxml.jackson.core.util.DefaultIndenter
---! REMOVED FIELD: PUBLIC(-) STATIC(-) FINAL(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter instance
---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter(java.lang.String)
---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter()
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter withLinefeed(java.lang.String)
=== UNCHANGED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.util.InternCache (serialVersionUID removed but not matches new default serialVersionUID)
and
java -jar japicmp-0.8.1-jar-with-dependencies.jar -o ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar -n ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.1/jackson-core-2.8.1.jar --only-modified --only-incompatible:
Comparing /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar with /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.1/jackson-core-2.8.1.jar:
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.base.GeneratorBase (not serializable)
***! MODIFIED METHOD: PUBLIC NON_FINAL (<- FINAL) com.fasterxml.jackson.core.JsonStreamContext (<-com.fasterxml.jackson.core.json.JsonWriteContext) getOutputContext()
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.json.JsonReadContext (not serializable)
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext(int, int)
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext()
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonFactory (field removed)
---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _rootByteSymbols
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.JsonGenerator createJsonGenerator(java.io.File, com.fasterxml.jackson.core.JsonEncoding)
--- REMOVED EXCEPTION: java.io.IOException
*** MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonParseException (serialVersionUID modified)
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.ObjectCodec (not serializable)
***! MODIFIED METHOD: PUBLIC ABSTRACT (<- NON_ABSTRACT) com.fasterxml.jackson.core.Version version()
---! REMOVED CLASS: PUBLIC(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer (not serializable)
--- REMOVED SUPERCLASS: java.lang.Object
---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.Name[] _mainNames
---! REMOVED FIELD: PROTECTED(-) int[] _hash
---! REMOVED FIELD: PROTECTED(-) int _hashMask
---! REMOVED FIELD: PROTECTED(-) boolean _intern
---! REMOVED FIELD: PROTECTED(-) FINAL(-) boolean _failOnDoS
---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _parent
---! REMOVED FIELD: PROTECTED(-) int _count
---! REMOVED FIELD: PROTECTED(-) java.util.BitSet _overflows
---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer$Bucket[] _collList
---! REMOVED FIELD: PROTECTED(-) FINAL(-) java.util.concurrent.atomic.AtomicReference _tableInfo
---! REMOVED FIELD: PROTECTED(-) int _collCount
---! REMOVED FIELD: PROTECTED(-) int _collEnd
---! REMOVED FIELD: PROTECTED(-) int _longestCollisionList
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int, int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int[], int)
---! REMOVED METHOD: PUBLIC(-) int bucketCount()
---! REMOVED METHOD: PUBLIC(-) int calcHash(int)
---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int)
---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int, int)
---! REMOVED METHOD: PUBLIC(-) int calcHash(int[], int)
---! REMOVED METHOD: PROTECTED(-) STATIC(-) int[] calcQuads(byte[])
---! REMOVED METHOD: PUBLIC(-) int collisionCount()
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot()
---! REMOVED METHOD: PROTECTED(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot(int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int, int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int[], int)
---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.Name getEmptyName()
---! REMOVED METHOD: PUBLIC(-) int hashSeed()
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(int)
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(boolean, boolean)
---! REMOVED METHOD: PUBLIC(-) int maxCollisionLength()
---! REMOVED METHOD: PUBLIC(-) boolean maybeDirty()
---! REMOVED METHOD: PUBLIC(-) void release()
---! REMOVED METHOD: PROTECTED(-) void reportTooManyCollisions(int)
---! REMOVED METHOD: PUBLIC(-) int size()
---! REMOVED CLASS: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter (class removed)
--- REMOVED SUPERCLASS: com.fasterxml.jackson.core.util.DefaultIndenter
---! REMOVED FIELD: PUBLIC(-) STATIC(-) FINAL(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter instance
---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter(java.lang.String)
---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter()
---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter withLinefeed(java.lang.String)
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.util.JsonParserSequence (not serializable)
---! REMOVED FIELD: PROTECTED(-) int _nextParser
Is there a chance to get the fix of the security vulnerability in the XML mapper backported to version 2.6.x?
To take only #6508 into account Jackson 2.7.6 would be fine.
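The two japicmp reports above are what a dependency review has to read to decide whether a version change (here the proposed Jackson downgrade) is safe for everything on the classpath, including bundled dependencies such as embedded Elasticsearch. The following is an added example, not code from the Spring Boot issue thread and not part of japicmp: a small parser for japicmp's text output format as quoted above, which rolls the report up into removed types, binary-incompatible types and removed members, and then intersects that with a list of symbols the consumer is known to reference. The sample report embedded in the code is a constructed subset of the 2.6.6 to 2.7.6 output from the thread, re-indented the way japicmp prints it; the `used` set of referenced symbols is hypothetical.

```python
"""Summarize japicmp text output and flag API symbols a consumer still links against.

Added example for the thread above; not part of japicmp or Spring Boot.
"""
import re
from collections import defaultdict

# One japicmp line: status glyph (***, ---, +++, ===), optional '!' marking a
# binary-incompatible change, change word, element kind, then modifiers/name.
LINE_RE = re.compile(
    r"^\s*(?:\*\*\*|---|\+\+\+|===)(?P<bang>!?)\s+"
    r"(?P<change>MODIFIED|REMOVED|NEW|UNCHANGED)\s+"
    r"(?P<kind>CLASS|INTERFACE|ENUM|ANNOTATION|METHOD|CONSTRUCTOR|FIELD|SUPERCLASS|EXCEPTION)"
    r":\s*(?P<rest>.*)$"
)
TYPE_KINDS = {"CLASS", "INTERFACE", "ENUM", "ANNOTATION"}
# Anything that looks like name(args); japicmp also prints PUBLIC(-), so take the last match.
SIG_RE = re.compile(r"[\w$]+\([^)]*\)")
NOTE_RE = re.compile(r"\(([^)]*)\)\s*$")


def element_name(kind, rest):
    """Pull the identifier out of the modifier list japicmp prints before it."""
    if kind in ("METHOD", "CONSTRUCTOR"):
        return SIG_RE.findall(rest)[-1]
    rest = NOTE_RE.sub("", rest)  # drop a trailing note such as "(not serializable)"
    return rest.split()[-1]


def parse_report(text):
    """Return one dict per type; members are attached to the most recent type line,
    so the parser does not depend on indentation that copy/paste into an issue loses."""
    types = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Comparing a.jar with b.jar:" header, blank lines
        kind, rest = m.group("kind"), m.group("rest")
        entry = {"kind": kind, "name": element_name(kind, rest),
                 "change": m.group("change"), "incompatible": m.group("bang") == "!"}
        if kind in TYPE_KINDS:
            note = NOTE_RE.search(rest)
            entry["note"] = note.group(1) if note else ""
            entry["members"] = []
            types.append(entry)
        elif types:
            types[-1]["members"].append(entry)
    return types


def summarize(text):
    """Roll the parsed report up into what a version-bump review needs to see."""
    summary = {"removed_types": [], "incompatible_types": [],
               "removed_members": defaultdict(list), "serialization_notes": []}
    for t in parse_report(text):
        if t["change"] == "REMOVED":
            summary["removed_types"].append(t["name"])
        elif t["incompatible"]:
            summary["incompatible_types"].append(t["name"])
        if "serialVersionUID" in t["note"]:
            summary["serialization_notes"].append(t["name"])
        for mem in t["members"]:
            if mem["change"] == "REMOVED" and mem["kind"] in ("METHOD", "CONSTRUCTOR", "FIELD"):
                summary["removed_members"][t["name"]].append(mem["name"])
    summary["removed_members"] = dict(summary["removed_members"])
    return summary


def affected_usages(summary, used):
    """Subset of `used` ("pkg.Class" or "pkg.Class#member") that the candidate version removes."""
    hits = set()
    for ref in used:
        cls, _, member = ref.partition("#")
        if cls in summary["removed_types"]:
            hits.add(ref)
        elif member and member in summary["removed_members"].get(cls, []):
            hits.add(ref)
    return hits


# Constructed sample: a subset of the 2.6.6 -> 2.7.6 report quoted in the thread.
SAMPLE_REPORT = """\
Comparing jackson-core-2.6.6.jar with jackson-core-2.7.6.jar:
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.base.GeneratorBase (not serializable)
\t***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_NULL
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.json.JsonReadContext (not serializable)
\t---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext(int, int)
\t---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext()
*** MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonParseException (serialVersionUID modified)
---! REMOVED CLASS: PUBLIC(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer (not serializable)
\t--- REMOVED SUPERCLASS: java.lang.Object
\t---! REMOVED FIELD: PROTECTED(-) int _hashMask
\t---! REMOVED METHOD: PUBLIC(-) int size()
=== UNCHANGED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.util.InternCache (serialVersionUID removed but not matches new default serialVersionUID)
"""

if __name__ == "__main__":
    # Hypothetical symbols a bundled dependency is known to reference.
    used = {"com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer#size()",
            "com.fasterxml.jackson.core.json.JsonReadContext#createRootContext()",
            "com.fasterxml.jackson.core.JsonFactory"}
    for ref in sorted(affected_usages(summarize(SAMPLE_REPORT), used)):
        print("BLOCKER:", ref)
```

The list of referenced symbols would in practice come from a bytecode scan of the consumer's jars (`jdeps`, or a constant-pool walk); the point of the check is that `--only-incompatible` output is long, and what matters for a go/no-go decision is the intersection with what actually gets linked.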
Comment From: philwebb
@agebhar1
Is there a chance to get the fix of the security vulnerability in the XML mapper backported to version 2.6.x?
That's a question for the Jackson team. You'll need to raise an issue with them.
Comment From: agebhar1
I could raise an issue, but in #6508 it seems that a downgrade is not an option. So a backport of the XML issue fix would be needless. What do you think, @philwebb?
Comment From: wilkinsona
@agebhar1
I could raise an issue but in #6508 it seems that downgrade is not an option
We haven't made that decision yet (hence this issue still being open). We'll discuss the downgrade later today. FWIW, I'm currently in favour of downgrading to 2.7.x.
Comment From: agebhar1
@wilkinsona
We haven't made that decision yet (hence this issue still being open).
Okay. I will raise an issue with the Jackson team/project; at least Elasticsearch's current version 2.3.5 still uses Jackson 2.6.6, which is affected by the security vulnerability in the XML mapper you mentioned above.
Comment From: philwebb
We'll deal with this in #6508 most likely by downgrading to Jackson 2.7
Comment From: snicoll
We've decided to downgrade to 2.7, see #6508 for updates.
Comment From: jloisel
Elasticsearch 2.4 depends on Jackson 2.8.1. You should consider cancelling the downgrade. We are running Elasticsearch 2.4 with Spring Boot 1.4.0.RELEASE and Jackson 2.8.2 with no issue so far.
Comment From: snicoll
@jloisel please create a separate issue for this. Thanks.